On Mon, 2008-01-07 at 03:19 -0500, Gene Heskett wrote:
> On Sunday 06 January 2008, Todd Zullinger wrote:
> >Gene Heskett wrote:
> >>>I've got similar things in /etc/rc.local that used to use su -c. I
> >>>don't recall having them get denied outright, but the programs that
> >>>were run definitely didn't pick up the proper SELinux contexts. So I
> >>>now have a few entries like this:
> >>>
> >>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
> >>
> >> I'm afraid I have pretty close to a NDI what that will do, Todd.
> >> And your use of the words 'used to' above also tells me you are
> >> doing this su user -c function differently now. Can you elaborate?
> >> The manpage for runcon is so concise as to be obtuse.
> >
> >I noticed that the processes I started with su -c didn't have the
> >proper SELinux contexts, so that's why I added the runcon call. It
> >sets up the processes to use the same contexts as they would get if I
> >had logged in as tmz and run them (AFAIK). Using runuser is very
> >similar to using su. I don't know if you'd have any problems using su
> >instead of runuser or not. I'm far from knowledgeable on the subject.
> >
> >> Here is the line in question, in rc.local, that does not now work:
> >>
> >> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
> >>
> >> Can you translate that into a 'runcon' style line please?
> >
> >Sure. (No guarantees that this is the best or most correct way. :)
> >
> >runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90" gene

For F8 I think it should be "unconfined_u:system_r:unconfined_t"

For rawhide I think it is "unconfined_u:unconfined_r:unconfined_t"

I don't really understand the rest of what you are asking... typically we on list like to see the output of ausearch -m AVC -ts recent or some other form of the raw denial (it's at the bottom of the setroubleshoot output) so we actually know what is failing.

-Eric
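
Reading the raw denial that `ausearch -m AVC -ts recent` returns, as an added example that is not part of the original thread: the code below groups AVC records by source type, target type and class, which shows the domain a process started from rc.local actually ran in. The sample records are constructed (the thread never posted the real denials), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the standard audit AVC layout; they are NOT
# the denials from this thread, which were never posted.
SAMPLE = """\
type=AVC msg=audit(1199693940.101:45): avc:  denied  { read } for  pid=2301 comm="fetchmail" name=".fetchmailrc" dev=dm-0 ino=98311 scontext=system_u:system_r:fetchmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199693940.105:46): avc:  denied  { getattr } for  pid=2301 comm="fetchmail" path="/home/gene/.fetchmailrc" dev=dm-0 ino=98311 scontext=system_u:system_r:fetchmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199693940.105:46): arch=40000003 syscall=195 success=no exit=-13 comm="fetchmail"
type=AVC msg=audit(1199693941.220:51): avc:  denied  { search } for  pid=2301 comm="fetchmail" name="gene" dev=dm-0 ino=65540 scontext=system_u:system_r:fetchmail_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def domain(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (domain(rec["scontext"]), domain(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"comm={','.join(sorted(g['comms']))}")
```

The source type in each group is the domain the denied process was running in, so it can be compared directly with the type passed to `runcon`.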