SELinux newbie help please

Daniel J Walsh dwalsh at redhat.com
Thu Jan 5 18:31:58 UTC 2012


On 01/05/2012 10:42 AM, Alain Williams wrote:
> I am building a new machine and am trying very hard to not do as I
> have done before and switch selinux off. I am having problems
> getting things to work.
> 
> I want one user to, on login, run a script setuid root -- it needs
> to be able to read all files in one part of the file system to back
> that part up to an externally mounted USB drive.
> 
> I have a small setuid root program (written in C) that just runs
> the shell script.
> 
> 1) Making that setuid program the user's login shell does not work. I
> could not see what to do.
> 
> so I tried an intermediate step.
> 
Why not use sudo?  All of the code should work if he executed sudo.

> 2) Giving the user a standard bash login shell, then running the
> setuid root program at the command line does not do what I want. I
> put 'id' at the start of the script and got:
> 
> uid=501(backup) gid=502(backup) groups=502(backup)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> I was expecting to see a 'uid=0'. The script then fails since it
> cannot do things that I want it to.
> 
I do not think this would work with SELinux disabled either.  A setuid
app has all capabilities; it will not automatically change to UID=0.

> I am running CentOS 6.
> 
> I have done a lot of reading, but end up going round in circles and
> much of what I read seems to be out of date or refer to commands
> that I do not have.
> 
> I understand that I ought to perhaps produce a specific security
> profile for the 'backup' user - but can't see how to start.
> 
> Any pointers would be gratefully received.
> 

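The following is an added example illustrating the point in the reply above; it is not the poster's C program and not code from Dan Walsh or the SELinux project. Executing a setuid-root binary only raises the effective uid; the real uid stays 501. When the wrapper then execs a "#!/bin/bash" script, bash notices ruid != euid and, unless started with -p, resets the effective uid back to the real one, which is exactly the uid=501(backup) line the poster saw. A wrapper that is meant to hand the script root therefore has to make real, effective and saved ids all 0 itself before the exec, and it should exec with a fixed environment and an absolute path so the calling user cannot steer what runs as root. The script path /usr/local/sbin/backup.sh, the PATH value and the function names are assumptions for the example.

```c
/* Added example: a minimal setuid-root wrapper that really hands the
 * shell script uid 0.  Install as root:root mode 4750, group-owned by
 * the backup user's group.  Assumed script path, not from the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed location of the backup script; absolute so the caller's PATH
 * never matters. */
static const char *const BACKUP_SCRIPT = "/usr/local/sbin/backup.sh";

/* Fixed environment handed to the script.  The caller's PATH, IFS,
 * LD_PRELOAD, BASH_ENV and friends are never forwarded into a root
 * process. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL,
};

/* Make real, effective and saved gid and uid all 0.
 * Returns 0 on success, -1 with errno set when the process is not
 * already euid 0, i.e. the binary is not installed setuid root.
 *
 * This is the step the poster's wrapper is missing: exec of a setuid
 * binary changes only the effective uid, and bash drops an effective
 * uid that differs from the real uid, so the script ends up as 501. */
int become_root(void)
{
    uid_t r, e, s;

    /* Group first while we still hold euid 0 (CAP_SETGID). */
    if (setresgid(0, 0, 0) != 0)
        return -1;
    if (setresuid(0, 0, 0) != 0)
        return -1;
    /* Confirm all three uids really changed; a partial change would
     * let bash drop privileges again. */
    if (getresuid(&r, &e, &s) != 0 || r != 0 || e != 0 || s != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* No argv from the caller is passed through: the script takes none. */
    char *const argv[] = { "backup.sh", NULL };

    if (become_root() != 0) {
        perror("become_root (is the wrapper installed setuid root?)");
        return 1;
    }
    execve(BACKUP_SCRIPT, argv, CLEAN_ENV);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

Run as the backup user, the script's `id` now reports uid=0(root) because all three uids are 0 before bash starts. With SELinux enforcing, the unconfined_t context shown in the poster's output is unchanged by the uid switch, so the policy side does not block this. The sudo route suggested in the reply gets the same result with no C at all: a sudoers entry such as `backup ALL=(root) NOPASSWD: /usr/local/sbin/backup.sh` (same assumed path) and `sudo /usr/local/sbin/backup.sh` at login, with sudo doing the uid change and environment sanitising for you.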