On 01/09/2012 07:24 AM, Alain Williams wrote:
> On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
>>> From: selinux-bounces(a)lists.fedoraproject.org [mailto:selinux-
>>> bounces(a)lists.fedoraproject.org] On Behalf Of Alain Williams
>>>
>>> I want one user to, on login, run a script setuid root -- it
>>> needs to be able to read all files in one part of the file
>>> system to back that part up to an externally mounted USB
>>> drive.
>>>
>>> I have a small setuid root program (written in C) that just
>>> runs the shell script.
>>
>> This doesn't sound like a selinux thing. It sounds like you
>> should probably just use sudo. You should be able to add the
>> "sudo /path/to/some/script" into your .bash_login or something
>> like that.
>>
>> Sudo is a setuid root program (written in C) that allows you to
>> run other things as other users. It's highly stable and secure,
>> probably much more reliable and secure than the average homegrown
>> C setuid root program. ;-)
>>
>> You can configure sudo using the "visudo" command as root. You
>> can configure the behavior you want by adding a line like this:
>> awilliam ALL=(ALL) NOPASSWD: /path/to/some/script
>
> This is what my workaround is. However: I would like to work out
> how to do it directly by writing selinux rules/... - the purpose is
> as much to teach me how to do things with selinux as to achieve the
> end result.
>
> So: back to my original question ....
I would say that there is nothing about SELinux that should block your
access. Since you are logging in as unconfined_t, you should be able
to execute setuid apps. I would make sure your stuff is working with
SELinux in permissive mode, before determining whether SELinux is
blocking access.
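
The permissive-mode check suggested in the last reply, as an added example that is not part of the thread: it filters audit records for AVC denials that name one program and combines the result with the `getenforce` mode. The wrapper name `backup-wrapper`, the helper names and the sample audit records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. "backup-wrapper" and the audit records in
# sample_audit() are constructed for illustration.
#
# Live use on the affected host, as root:
#   getenforce      # Enforcing, Permissive or Disabled
#   setenforce 0    # permissive: denials are logged but not enforced
#   (log in again so the wrapper runs, note whether it still fails)
#   ausearch -m avc -ts recent | avc_denials_for backup-wrapper
#   setenforce 1    # restore enforcing mode

# Read audit records on stdin. For each AVC denial whose comm= or name= equals
# $1, print "<permissions> <tclass> <scontext> <tcontext>".
avc_denials_for() {
    awk -v want="$1" '
    /type=AVC/ && / denied / {
        comm = name = scon = tcon = cls = perms = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perms = (perms == "" ? $i : perms "," $i); continue }
            if (split($i, kv, "=") < 2) continue
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "comm") comm = val
            else if (kv[1] == "name") name = val
            else if (kv[1] == "scontext") scon = val
            else if (kv[1] == "tcontext") tcon = val
            else if (kv[1] == "tclass") cls = val
        }
        if (comm == want || name == want) print perms, cls, scon, tcon
    }'
}

# $1 = getenforce output, $2 = program name; audit records on stdin.
selinux_verdict() {
    denials=$(avc_denials_for "$2")
    case "$1" in
        Enforcing) if [ -n "$denials" ]; then echo selinux-denied
                   else echo no-denial-logged; fi ;;
        *)         echo not-enforced ;;  # failure here has another cause
    esac
}

sample_audit() {  # constructed records
cat <<'EOF'
type=AVC msg=audit(1326111840.101:412): avc:  denied  { setuid } for  pid=2301 comm="backup-wrapper" capability=7  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
type=AVC msg=audit(1326111902.550:431): avc:  denied  { read open } for  pid=2417 comm="httpd" name="index.html" dev=dm-0 ino=140002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}
```

A `no-denial-logged` result is weaker than it looks when dontaudit rules hide the denial; `semodule -DB` rebuilds the policy with those rules disabled so the check can be repeated.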