On Monday 07 January 2008, Eric Paris wrote:
>On Mon, 2008-01-07 at 03:19 -0500, Gene Heskett wrote:
>> On Sunday 06 January 2008, Todd Zullinger wrote:
>> >Gene Heskett wrote:
>> >>>I've got similar things in /etc/rc.local that used to use su -c. I
>> >>>don't recall having them get denied outright, but the programs that
>> >>>were run definitely didn't pick up the proper SELinux contexts. So I
>> >>>now have a few entries like this:
>> >>>
>> >>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
>> >>
>> >> I'm afraid I have pretty close to a NDI what that will do, Todd.
>> >> And your use of the words 'used to' above also tells me you are
>> >> doing this su user -c function differently now. Can you elaborate?
>> >> The manpage for runcon is so concise as to be obtuse.
>> >
>> >I noticed that the processes I started with su -c didn't have the
>> >proper SELinux contexts, so that's why I added the runcon call. It
>> >sets up the processes to use the same contexts as they would get if I
>> >had logged in as tmz and run them (AFAIK). Using runuser is very
>> >similar to using su. I don't know if you'd have any problems using su
>> >instead of runuser or not. I'm far from knowledgeable on the subject.
>> >
>> >> Here is the line in question, in rc.local, that does not now work:
>> >>
>> >> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
>> >>
>> >> Can you translate that into a 'runcon' style line please?
>> >
>> >Sure. (No guarantees that this is the best or most correct way. :)
>> >
>> >runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90"
>> > gene
>
>For F8 I think it should be "unconfined_u:system_r:unconfined_t"; for
>rawhide I think it is "unconfined_u:unconfined_r:unconfined_t".

and both of those return "invalid context" and fetchmail is not started.

>I don't really understand the rest of what you are asking... typically
>we on list like to see the output of ausearch -m AVC -ts recent or some
>other form of the raw denial (it's at the bottom of the setroubleshoot
>output) so we actually know what is failing.

That output of "ausearch -m AVC -ts recent" is empty, as is the
setroubleshoot screen after running rc.local three times just now.

The larger problem ATM is that rc.local is NOT being executed at the end
of the bootup. And yet:

[root@coyote ~]# ls -l /etc/rc.d/rc3.d/S99local
lrwxrwxrwx 1 root root 11 2008-01-04 22:39 /etc/rc.d/rc3.d/S99local -> ../rc.local

and

[root@coyote ~]# ls -lZ /etc/rc.d/rc3.d/S99local
lrwxrwxrwx root root system_u:object_r:etc_t:s0 /etc/rc.d/rc3.d/S99local -> ../rc.local

and

[root@coyote ~]# ls -lZ /etc/rc.d/rc.local
-rwxr-xr-x root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/rc.local

I boot and login at runlevel 3, i.e. everything but X, then run startx by
hand. I'm a big dummy maybe, and an old fart, but *I* can run it by using
the S99local link exactly the same as its real name, so why doesn't init
run it? I should be seeing in my login console all of this:

------------
[root@coyote ~]# /etc/rc.d/rc.local
/root/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/bin /usr/local/mozilla /usr/lib/qt-3.3
restoring audio settings
starting heyu
heyu_engine is running - use 'heyu restart' to reconfigure
CM11A clock set to Mon, 11:03:52 (Standard Time), Day 6
Emulating macro Dawn_Off at address 1013
heyu started
LATITUDE=39:41
LONGITUDE=80:17
starting fetchmail
user_u:system_r:unconfined_t is not a valid context
starting drift-checker
adding shop.coyote.den to xhost access list
 5279 ttyUSB0 00:00:00 heyu
 5281 ?        00:00:38 heyu
20736 ?        00:00:00 heyu
 4097 ?        00:00:04 fetchmail
restoreing midi playback to Audigy 2 card
setup env for nitros9 development
ssh /opt/os9
--------------

But I am not.

Thanks Eric.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"Don't hate me because I'm beautiful. Hate me because I'm beautiful,
smart and rich." -- Calvin Keegan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
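An added example, not from the thread or from Fedora, of how an rc.local job could pick a context the running kernel actually accepts before handing the command to runcon, so a rejected context is logged instead of the daemon silently not starting. It assumes the candidate contexts from Eric's reply and Gene's fetchmail command; the function names (ctx_well_formed, ctx_accepted_by_kernel, pick_context, start_as) are hypothetical.

```shell
#!/bin/sh
# Added example: choose a SELinux context the kernel accepts before calling
# runcon from rc.local. All function names here are hypothetical.

# Syntactic check only (user:role:type[:range] with the usual suffixes).
# Runs anywhere, but cannot know what the loaded policy actually defines.
ctx_well_formed() {
    case $1 in *:*:*) ;; *) return 1 ;; esac
    u=${1%%:*}; rest=${1#*:}
    r=${rest%%:*}; rest=${rest#*:}
    t=${rest%%:*}
    case $u in *_u) ;; *) return 1 ;; esac
    case $r in *_r) ;; *) return 1 ;; esac
    case $t in *_t) ;; *) return 1 ;; esac
    return 0
}

# Ask the kernel: writing a context to selinuxfs's "context" node is what
# libselinux's security_check_context() does, and the write fails when the
# loaded policy does not define it. /selinux is the Fedora 8-era mount point,
# /sys/fs/selinux the current one. Exit 2 means no selinuxfs is mounted.
ctx_accepted_by_kernel() {
    for mnt in /sys/fs/selinux /selinux; do
        if [ -w "$mnt/context" ]; then
            printf '%s' "$1" 2>/dev/null > "$mnt/context" && return 0
            return 1
        fi
    done
    return 2
}

# Print the first candidate that is well-formed and accepted; exit 1 if none.
pick_context() {
    for c in "$@"; do
        ctx_well_formed "$c" || continue
        if ctx_accepted_by_kernel "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# start_as USER CMD CONTEXT... : run CMD as USER under the first usable
# context, else fall back to plain runuser and record the reason in syslog.
start_as() {
    user=$1; cmd=$2; shift 2
    if ctx=$(pick_context "$@"); then
        logger -t rc.local "starting '$cmd' for $user in context $ctx"
        runcon "$ctx" -- runuser -l "$user" -c "$cmd"
    else
        logger -t rc.local "no valid SELinux context for '$cmd'; plain runuser"
        runuser -l "$user" -c "$cmd"
    fi
}
```

In rc.local the call would be `start_as gene 'fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc' unconfined_u:system_r:unconfined_t unconfined_u:unconfined_r:unconfined_t`, listing the F8 and rawhide candidates from Eric's reply in order.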