Re: su user -c problem

Gene Heskett wrote:
>>I've got similar things in /etc/rc.local that used to use su -c.  I
>>don't recall having them get denied outright, but the programs that
>>were run definitely didn't pick up the proper SELinux contexts.  So I
>>now have a few entries like this:
>>
>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
> 
> I'm afraid I have pretty close to a NDI what that will do, Todd.
> And your use of the words 'used to' above also tells me you are
> doing this su user -c function differently now.  Can you elaborate?
> The manpage for runcon is so concise as to be obtuse.

I noticed that the processes I started with su -c didn't have the
proper SELinux contexts, so that's why I added the runcon call.  It
sets up the processes to use the same contexts as they would get if I
had logged in as tmz and run them (AFAIK).  Using runuser is very
similar to using su.  I don't know if you'd have any problems using su
instead of runuser or not.  I'm far from knowledgeable on the subject.

> 
> Here is the line in question, in rc.local, that does not now work:
> 
> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
> 
> Can you translate that into a 'runcon' style line please?

Sure.  (No guarantees that this is the best or most correct way. :)

runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90" gene

(I think I'd remove the --fetchmailrc option since ~/.fetchmailrc is
the default and using the -l option to runuser will make the command
run as gene, so ~/.fetchmailrc will be /home/gene/.fetchmailrc.  But
that shouldn't matter at all in regards to SELinux.)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The kind of man who wants the government to adopt and enforce his
ideas is always the kind of man whose ideas are idiotic.
    -- H. L. Mencken
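
As an added example that is not part of the original message: one way to confirm, after boot, that a process started from rc.local actually runs in the context passed to runcon. The helper name context_mismatches and the sample ps lines (including the initrc_t and syslogd_t labels) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the SELinux context of a process started from rc.local.

# Constructed sample in the shape of `ps -eo label,user,comm` output.
# initrc_t and syslogd_t are illustrative labels, not taken from the thread.
sample_ps() {
    cat <<'EOF'
LABEL                            USER     COMMAND
system_u:system_r:initrc_t       gene     fetchmail
user_u:system_r:unconfined_t:s0  tmz      screen
system_u:system_r:syslogd_t      root     syslogd
EOF
}

# context_mismatches EXPECTED USER COMMAND  (hypothetical helper name)
# Reads ps-style lines on stdin and prints every USER/COMMAND process whose
# user:role:type differs from EXPECTED. Any trailing MLS level is ignored.
# Exit status: 0 = all matching processes have EXPECTED, 1 = at least one
# mismatch, 2 = no such process found.
context_mismatches() {
    awk -v want="$1" -v user="$2" -v comm="$3" '
        NR == 1 && $1 == "LABEL" { next }        # skip the ps header
        $2 == user && $3 == comm {
            seen = 1
            split($1, f, ":")                     # user:role:type[:level]
            if ((f[1] ":" f[2] ":" f[3]) != want) {
                print $1, $2, $3
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample.
sample_ps | context_mismatches user_u:system_r:unconfined_t gene fetchmail ||
    echo "fetchmail context check failed (status $?)"
```

On a live system, pipe `ps -eo label,user,comm` into context_mismatches in place of sample_ps; command names containing spaces are not handled.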


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
