su user -c problem

Eric Paris eparis at redhat.com
Mon Jan 7 15:29:12 UTC 2008


On Mon, 2008-01-07 at 03:19 -0500, Gene Heskett wrote:
> On Sunday 06 January 2008, Todd Zullinger wrote:
> >Gene Heskett wrote:
> >>>I've got similar things in /etc/rc.local that used to use su -c.  I
> >>>don't recall having them get denied outright, but the programs that
> >>>were run definitely didn't pick up the proper SELinux contexts.  So I
> >>>now have a few entries like this:
> >>>
> >>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
> >>
> >> I'm afraid I have pretty close to a NDI what that will do, Todd.
> >> And your use of the words 'used to' above also tells me you are
> >> doing this su user -c function differently now.  Can you elaborate?
> >> The manpage for runcon is so concise as to be obtuse.
> >
> >I noticed that the processes I started with su -c didn't have the
> >proper SELinux contexts, so that's why I added the runcon call.  It
> >sets up the processes to use the same contexts as they would get if I
> >had logged in as tmz and run them (AFAIK).  Using runuser is very
> >similar to using su.  I don't know if you'd have any problems using su
> >instead of runuser or not.  I'm far from knowledgeable on the subject.
> >
> >> Here is the line in question, in rc.local, that does not now work:
> >>
> >> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
> >>
> >> Can you translate that into a 'runcon' style line please?
> >
> >Sure.  (No guarantees that this is the best or most correct way. :)
> >
> >runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90" gene

For F8 I think it should be "unconfined_u:system_r:unconfined_t"; for
rawhide I think it is "unconfined_u:unconfined_r:unconfined_t".

I don't really understand the rest of what you are asking...  Typically
we on the list like to see the output of ausearch -m AVC -ts recent or some
other form of the raw denial (it's at the bottom of the setroubleshoot
output) so we actually know what is failing.

-Eric
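As an added illustration (not part of the thread), the following shell snippet builds the runcon/runuser line suggested above for either context string and then checks, from `ps -eZ -o label,pid,comm` style output, whether the daemons started from rc.local actually landed in that context rather than staying in the init script's domain. The process listing is a constructed sample, and the column layout (label, pid, comm) is an assumption about how you invoke ps.

```shell
#!/bin/sh
# Added example, not code from the mailing list. Constructed sample of
# "ps -eZ -o label,pid,comm" output (column order is assumed): one daemon
# in the F8 context, one left in initrc_t, one in the rawhide context.
SAMPLE_PS='unconfined_u:system_r:unconfined_t:s0 1234 fetchmail
system_u:system_r:initrc_t:s0 1235 screen
unconfined_u:unconfined_r:unconfined_t:s0 1236 bash'

# expected_context <f8|rawhide>: the context string Eric suggests per release.
expected_context() {
  case "$1" in
    f8)      printf '%s\n' 'unconfined_u:system_r:unconfined_t' ;;
    rawhide) printf '%s\n' 'unconfined_u:unconfined_r:unconfined_t' ;;
    *)       return 1 ;;
  esac
}

# runcon_line <release> <user> <command>: the rc.local line to use, in the
# runcon ... -- runuser -l -c "..." user form from the thread.
runcon_line() {
  ctx=$(expected_context "$1") || return 1
  printf 'runcon %s -- runuser -l -c "%s" %s\n' "$ctx" "$3" "$2"
}

# find_mislabeled <expected_ctx>: reads ps output on stdin and prints
# "pid comm context" for every process whose user:role:type (MLS range
# stripped) differs from the expected one. Exit status 1 if any were found,
# so it can gate a post-boot sanity check.
find_mislabeled() {
  awk -v want="$1" '
    { ctx = $1; sub(/:s[0-9].*$/, "", ctx)      # drop the :s0... MLS part
      if (ctx != want) { print $2, $3, ctx; n++ } }
    END { exit (n > 0) ? 1 : 0 }'
}

# Usage on a live system:  ps -eZ -o label,pid,comm | tail -n +2 | find_mislabeled "$(expected_context f8)"
printf '%s\n' "$SAMPLE_PS" | find_mislabeled "$(expected_context f8)"
```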
