su user -c problem

Gene Heskett gene.heskett at verizon.net
Mon Jan 7 16:23:20 UTC 2008


On Monday 07 January 2008, Eric Paris wrote:
>On Mon, 2008-01-07 at 03:19 -0500, Gene Heskett wrote:
>> On Sunday 06 January 2008, Todd Zullinger wrote:
>> >Gene Heskett wrote:
>> >>>I've got similar things in /etc/rc.local that used to use su -c.  I
>> >>>don't recall having them get denied outright, but the programs that
>> >>>were run definitely didn't pick up the proper SELinux contexts.  So I
>> >>>now have a few entries like this:
>> >>>
>> >>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
>> >>
>> >> I'm afraid I have pretty close to a NDI what that will do, Todd.
>> >> And your use of the words 'used to' above also tells me you are
>> >> doing this su user -c function differently now.  Can you elaborate?
>> >> The manpage for runcon is so concise as to be obtuse.
>> >
>> >I noticed that the processes I started with su -c didn't have the
>> >proper SELinux contexts, so that's why I added the runcon call.  It
>> >sets up the processes to use the same contexts as they would get if I
>> >had logged in as tmz and run them (AFAIK).  Using runuser is very
>> >similar to using su.  I don't know if you'd have any problems using su
>> >instead of runuser or not.  I'm far from knowledgeable on the subject.
>> >
>> >> Here is the line in question, in rc.local, that does not now work:
>> >>
>> >> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
>> >>
>> >> Can you translate that into a 'runcon' style line please?
>> >
>> >Sure.  (No guarantees that this is the best or most correct way. :)
>> >
>> >runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90"
>> > gene
>
>for F8 I think it should be "unconfined_u:system_r:unconfined_t"  for
>rawhide i think it is "unconfined_u:unconfined_r:unconfined_t"

and both of those return "invalid context" and fetchmail is not started.

>I don't really understand the rest of what you are asking...  typically
>we on list like to see the output of ausearch -m AVC -ts recent or some
>other form of the raw denial (its at the bottom of the setroubleshoot
>output) so we actually know what is failing.

That output of "ausearch -m AVC -ts recent" is empty, as is the
setroubleshoot screen after running rc.local three times just now.

The larger problem ATM is that rc.local is NOT being executed at the
end of the bootup.  And yet:

root at coyote ~]# ls -l /etc/rc.d/rc3.d/S99local
lrwxrwxrwx 1 root root 11 2008-01-04 22:39 /etc/rc.d/rc3.d/S99local -> ../rc.local

and
[root at coyote ~]# ls -lZ /etc/rc.d/rc3.d/S99local
lrwxrwxrwx  root root system_u:object_r:etc_t:s0 /etc/rc.d/rc3.d/S99local -> ../rc.local

and
[root at coyote ~]# ls -lZ /etc/rc.d/rc.local
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/rc.local

I boot and log in at runlevel 3 (everything but X), then run startx by hand.
I'm a big dummy maybe, and an old fart, but *I* can run it by using the
S99local link exactly the same as its real name, so why doesn't init run it?

I should be seeing all of this in my login console:
------------
[root at coyote ~]# /etc/rc.d/rc.local
/root/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/bin
/usr/local/mozilla /usr/lib/qt-3.3
restoring audio settings
starting heyu
heyu_engine is running - use 'heyu restart' to reconfigure
CM11A clock set to Mon, 11:03:52 (Standard Time), Day 6
Emulating macro Dawn_Off at address 1013
heyu started
LATITUDE=39:41 LONGITUDE=80:17
starting fetchmail
user_u:system_r:unconfined_t is not a valid context
starting drift-checker
adding shop.coyote.den to xhost access list
 5279 ttyUSB0  00:00:00 heyu
 5281 ?        00:00:38 heyu
20736 ?        00:00:00 heyu
 4097 ?        00:00:04 fetchmail
restoreing midi playback to Audigy 2 card
setup env for nitros9 development
ssh
/opt/os9
--------------
But I am not.

Thanks Eric.



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"Don't hate me because I'm beautiful.  Hate me because I'm beautiful, smart 
and rich."
-- Calvin Keegan
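A defensive version of the runcon/runuser launch discussed in the thread, as an added example that is not code from the thread or from any of its participants: it probes the context before using it, so a label the policy rejects is logged rather than leaving the daemon unstarted. The context, user and command are constructed defaults (the context is the F8 guess quoted above and must match what `id -Z` reports after logging in as that user).

```shell
#!/bin/sh
# Added example, not from the thread. Starts a per-user daemon from rc.local
# under an explicit SELinux context, probing the context first so a rejected
# label ("... is not a valid context") is logged and the daemon still starts.

# Split "user:role:type[:level]" and print field $2 (1=user, 2=role, 3=type,
# 4=level). Pure string handling, works without SELinux.
context_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Print "valid" if the running policy lets us enter context $1, else "invalid".
# runcon itself is the probe, so the answer is what the real launch would see
# (also "invalid" on a non-SELinux kernel or when runcon is not installed).
context_status() {
    if runcon "$1" -- /bin/true >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Print the launcher for context $1, user $2, command $3: runcon + runuser when
# the context works, plain runuser as a logged fallback. $3 must not contain
# single quotes (quoting is deliberately kept simple).
build_launcher() {
    ctx=$1; user=$2; cmd=$3
    if [ "$(context_status "$ctx")" = valid ]; then
        printf "runcon %s -- runuser -l -c '%s' %s\n" "$ctx" "$cmd" "$user"
    else
        # Record the rejection in syslog so it sits next to the boot messages.
        if command -v logger >/dev/null 2>&1; then
            logger -t rc.local "context $ctx rejected; starting as $user without runcon" 2>/dev/null || :
        fi
        printf "runuser -l -c '%s' %s\n" "$cmd" "$user"
    fi
}

# Constructed defaults mirroring the thread; override via the environment.
CTX="${CTX:-unconfined_u:system_r:unconfined_t}"
USER_NAME="${USER_NAME:-gene}"
CMD="${CMD:-fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc}"

# Launch only when explicitly asked, so the file can also be sourced.
if [ "${RC_LOCAL_LAUNCH:-no}" = yes ]; then
    echo "starting fetchmail"
    eval "$(build_launcher "$CTX" "$USER_NAME" "$CMD")"
fi
```

Run with `RC_LOCAL_LAUNCH=yes` from rc.local; on a box where the context is rejected, the `logger` line shows up in the system log while fetchmail is still started by runuser.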