On 01/09/2012 07:24 AM, Alain Williams wrote:
> On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
>>> From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Alain Williams
>>>
>>> I want one user to, on login, run a script setuid root -- it
>>> needs to be able to read all files in one part of the file
>>> system to back that part up to an externally mounted USB
>>> drive.
>>>
>>> I have a small setuid root program (written in C) that just
>>> runs the shell script.
>>
>> This doesn't sound like a selinux thing. It sounds like you
>> should probably just use sudo. You should be able to add the
>> "sudo /path/to/some/script" into your .bash_login or something
>> like that.
>>
>> Sudo is a setuid root program (written in C) that allows you to
>> run other things as other users. It's highly stable and secure,
>> probably much more reliable and secure than the average homegrown
>> C setuid root program. ;-)
>>
>> You can configure sudo using the "visudo" command as root. You
>> can configure the behavior you want by adding a line like this:
>> awilliam ALL=(ALL) NOPASSWD: /path/to/some/script
>
> This is what my workaround is. However: I would like to work out
> how to do it directly by writing selinux rules/... - the purpose is
> as much to teach me how to do things with selinux as to achieve the
> end result.
>
> So: back to my original question ....
>

I would say that there is nothing about SELinux that should block your access. Since you are logging in as unconfined_t, you should be able to execute setuid apps. I would make sure your stuff is working with SELinux in permissive mode, before determining whether SELinux is blocking access.
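Added example, not part of the thread or of either poster's setup: POSIX sh helpers for the check the reply above describes, i.e. confirming the login context type and looking in the audit log for AVC denials that actually name the setuid wrapper, so an SELinux denial can be told apart from a plain permission error. The wrapper name backup_wrapper, the file paths and the audit.log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for telling an SELinux denial
# apart from an ordinary permission error when a setuid wrapper fails.
# Assumptions: auditd-format log lines; the wrapper is named "backup_wrapper"
# (hypothetical); on a real box you would point these at /var/log/audit/audit.log.

# Constructed sample audit.log (not a real capture).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1326100000.123:45): avc:  denied  { read } for  pid=2311 comm="backup_wrapper" name="secret.db" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1326100000.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="backup_wrapper" exe="/usr/local/bin/backup_wrapper"
type=AVC msg=audit(1326100010.456:46): avc:  denied  { write } for  pid=2400 comm="rsync" name="usb" dev=sdb1 ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
type=AVC msg=audit(1326100020.789:47): avc:  denied  { execute } for  pid=2500 comm="httpd" name="backup.sh" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF

# Type component of an SELinux context, e.g. the output of `id -Z`:
#   context_type "unconfined_u:unconfined_r:unconfined_t:s0"  ->  unconfined_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# AVC denials whose comm= field names the given program.
# Usage: avc_denials_for LOGFILE COMM
avc_denials_for() {
    grep '^type=AVC ' "$1" | grep -F "comm=\"$2\""
}

# Denial count per source type: shows whether the denials come from the user's
# own unconfined_t session or from some other confined domain.
# Usage: avc_count_by_scontext LOGFILE
avc_count_by_scontext() {
    grep '^type=AVC ' "$1" \
        | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Stand-alone run against the sample log.
echo "Denials for backup_wrapper:"
avc_denials_for "$SAMPLE_LOG" backup_wrapper
echo "Denials by source type:"
avc_count_by_scontext "$SAMPLE_LOG"
```

Run it once with setenforce 0 and once enforcing: if the wrapper fails both ways and no AVC line names it, the problem is not SELinux.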
-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux