SELinux newbie help please

Daniel J Walsh dwalsh at redhat.com
Mon Jan 9 15:48:11 UTC 2012


On 01/09/2012 07:24 AM, Alain Williams wrote:
> On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
>>> From: selinux-bounces at lists.fedoraproject.org [mailto:selinux-bounces at lists.fedoraproject.org] On Behalf Of Alain Williams
>>> 
>>> I want one user to, on login, run a script setuid root -- it
>>> needs to be able to read all files in one part of the file
>>> system to back that part up to an externally mounted USB
>>> drive.
>>> 
>>> I have a small setuid root program (written in C) that just
>>> runs the shell script.
>> 
>> This doesn't sound like a selinux thing.  It sounds like you
>> should probably just use sudo.  You should be able to add the
>> "sudo /path/to/some/script" into your .bash_login or something
>> like that.
>> 
>> Sudo is a setuid root program (written in C) that allows you to
>> run other things as other users.  It's highly stable and secure,
>> probably much more reliable and secure than the average homegrown
>> C setuid root program.  ;-)
>> 
>> You can configure sudo using the "visudo" command as root.  You
>> can configure the behavior you want by adding a line like this: 
>> awilliam    ALL=(ALL) NOPASSWD: /path/to/some/script
> 
> This is what my workaround is. However: I would like to work out
> how to do it directly by writing selinux rules/... - the purpose is
> as much to teach me how to do things with selinux as to achieve the
> end result.
> 
> So: back to my original question ....
> 

I would say that there is nothing about SELinux that should block your
access. Since you are logging in as unconfined_t, you should be able
to execute setuid apps.  I would make sure your stuff is working with
SELinux in permissive mode, before determining whether SELinux is
blocking access.
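
The check suggested in the reply above (retry in permissive mode, then see whether SELinux logged anything for the command) can be scripted. This is an added example, not part of the original message: the audit records, the script name `backup.sh` and the wrapper name `runbackup` are constructed assumptions.

```shell
#!/bin/sh
# Added example. On a live system the input would come from real tools:
#   getenforce                   # current mode
#   setenforce 0                 # permissive: denials are logged, not enforced
#   ausearch -m avc -ts recent   # AVC records from the last 10 minutes
# Constructed audit records (names, pids, inodes and contexts are made up).
SAMPLE_LOG='type=SYSCALL msg=audit(1326123000.101:410): arch=c000003e syscall=2 pid=2201 comm="backup.sh" exe="/bin/bash"
type=AVC msg=audit(1326123000.101:410): avc:  denied  { read open } for  pid=2201 comm="backup.sh" name="data" dev=dm-0 ino=5120 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1326123007.552:412): avc:  denied  { getattr } for  pid=1877 comm="httpd" path="/srv/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# Print one line per AVC denial logged for command name $2 in log text $1:
#   <source context> <target context> <object class> <permissions>
avc_denials_for() {
    printf '%s\n' "$1" | awk -v want="comm=\"$2\"" '
        /^type=AVC / && / denied / {
            hit = 0; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == want) hit = 1
                else if ($i ~ /^scontext=/) s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            if (!hit) next
            perms = $0                      # keep only the text inside { ... }
            sub(/^[^{]*[{] */, "", perms)
            sub(/ *[}].*$/, "", perms)
            gsub(/ /, ",", perms)
            print s, t, c, perms
        }'
}

# Say whether SELinux logged any denial for the command at all.
selinux_verdict() {
    if [ -n "$(avc_denials_for "$1" "$2")" ]; then
        echo "selinux-denials-logged"
    else
        echo "no-avc-denials"
    fi
}

avc_denials_for "$SAMPLE_LOG" backup.sh
selinux_verdict "$SAMPLE_LOG" runbackup
```

If the command still fails in permissive mode and the verdict is `no-avc-denials`, the failure lies outside SELinux policy.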

