Re: SELinux newbie help please

On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
> > From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-
> > bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Alain Williams
> > 
> > I want one user to, on login, run a script setuid root -- it needs to be able to
> > read all files in one part of the file system to back that part up to an externally
> > mounted USB drive.
> > 
> > I have a small setuid root program (written in C) that just runs the shell script.
> 
> This doesn't sound like a selinux thing.  It sounds like you should probably just use sudo.  You should be able to add the "sudo /path/to/some/script" into your .bash_login or something like that.
> 
> Sudo is a setuid root program (written in C) that allows you to run other things as other users.  It's highly stable and secure, probably much more reliable and secure than the average homegrown C setuid root program.  ;-)
> 
> You can configure sudo using the "visudo" command as root.  You can configure the behavior you want by adding a line like this:
> awilliam    ALL=(ALL) NOPASSWD: /path/to/some/script

This is what my workaround is. However: I would like to work out how to do it directly
by writing selinux rules/... - the purpose is as much to teach me how to do things
with selinux as to achieve the end result.

So: back to my original question ....

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux