su user -c problem

Todd Zullinger tmz at pobox.com
Sun Jan 6 22:06:31 UTC 2008


Gene Heskett wrote:
>>I've got similar things in /etc/rc.local that used to use su -c.  I
>>don't recall having them get denied outright, but the programs that
>>were run definitely didn't pick up the proper SELinux contexts.  So I
>>now have a few entries like this:
>>
>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
> 
> I'm afraid I have pretty close to a NDI what that will do, Todd.
> And your use of the words 'used to' above also tells me you are
> doing this su user -c function differently now.  Can you elaborate?
> The manpage for runcon is so concise as to be obtuse.

I noticed that the processes I started with su -c didn't have the
proper SELinux contexts, so that's why I added the runcon call.  It
sets up the processes to use the same contexts as they would get if I
had logged in as tmz and run them (AFAIK).  Using runuser is very
similar to using su.  I don't know if you'd have any problems using su
instead of runuser or not.  I'm far from knowledgeable on the subject.

> 
> Here is the line in question, in rc.local, that does not now work:
> 
> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
> 
> Can you translate that into a 'runcon' style line please?

Sure.  (No guarantees that this is the best or most correct way. :)

runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90" gene

(I think I'd remove the --fetchmailrc option since ~/.fetchmailrc is
the default and using the -l option to runuser will make the command
run as gene, so ~/.fetchmailrc will be /home/gene/.fetchmailrc.  But
that shouldn't matter at all in regards to SELinux.)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The kind of man who wants the government to adopt and enforce his
ideas is always the kind of man whose ideas are idiotic.
    -- H. L. Mencken
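One way to verify, after a reboot, that the daemons launched from rc.local actually ended up in the context the runcon line above is meant to give them, rather than inheriting the init script's context the way the plain `su -c` line did. This is an added example, not a script from the thread; the `ps -eZ` sample is constructed and the function names are mine.

```sh
#!/bin/sh
# Post-boot check: did the daemons started from rc.local land in the intended
# SELinux context?  Added example; `check_contexts` and `sample_ps` are names
# chosen here, not commands from the thread.
#
# check_contexts CMD EXPECTED_CONTEXT   (reads `ps -eZ` output on stdin)
# Prints one line per process whose CMD column matches and returns 0 only if
# every such process carries EXPECTED_CONTEXT.  On an MLS-enabled policy the
# label ends in a level (e.g. ":s0"), so include that in EXPECTED_CONTEXT.
check_contexts() {
    cmd=$1
    want=$2
    awk -v cmd="$cmd" -v want="$want" '
        NR == 1 { next }                       # header: LABEL PID TTY TIME CMD
        $5 == cmd {                            # $1 = context, $2 = pid
            if ($1 == want) {
                print "OK       " $2 " " $1
            } else {
                print "MISMATCH " $2 " " $1 " (expected " want ")"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed `ps -eZ` output: one fetchmail started with plain `su -c` from
# rc.local (it kept the init script's initrc_t context) and one started via
# the runcon/runuser line, plus a screen session started the same way.
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:initrc_t        812 ?        00:00:00 fetchmail
user_u:system_r:unconfined_t      913 ?        00:00:00 fetchmail
user_u:system_r:unconfined_t      914 ?        00:00:00 screen
EOF
}

# Real use:  ps -eZ | check_contexts fetchmail user_u:system_r:unconfined_t
sample_ps | check_contexts fetchmail user_u:system_r:unconfined_t \
    || echo "at least one fetchmail process is not running as unconfined_t"
```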
