On Monday 07 January 2008, Eric Paris wrote:
>On Mon, 2008-01-07 at 03:19 -0500, Gene Heskett wrote:
>> On Sunday 06 January 2008, Todd Zullinger wrote:
>> >Gene Heskett wrote:
>> >>>I've got similar things in /etc/rc.local that used to use su -c. I
>> >>>don't recall having them get denied outright, but the programs that
>> >>>were run definitely didn't pick up the proper SELinux contexts. So I
>> >>>now have a few entries like this:
>> >>>runcon user_u:system_r:unconfined_t -- runuser -l -c "screen -dm" tmz
>> >> I'm afraid I have pretty close to a NDI what that will do, Todd.
>> >> And your use of the words 'used to' above also tells me you are
>> >> doing this su user -c function differently now. Can you elaborate?
>> >> The manpage for runcon is so concise as to be obtuse.
>> >I noticed that the processes I started with su -c didn't have the
>> >proper SELinux contexts, so that's why I added the runcon call. It
>> >sets up the processes to use the same contexts as they would get if I
>> >had logged in as tmz and run them (AFAIK). Using runuser is very
>> >similar to using su. I don't know if you'd have any problems using su
>> >instead of runuser or not. I'm far from knowledgeable on the subject.
>> >> Here is the line in question, in rc.local, that does not now work:
>> >> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
>> >> Can you translate that into a 'runcon' style line please?
>> >Sure. (No guarantees that this is the best or most correct way.)
>> >runcon user_u:system_r:unconfined_t -- runuser -l -c "fetchmail -d 90" gene
>For F8 I think it should be "unconfined_u:system_r:unconfined_t"; for
>rawhide I think it is "unconfined_u:unconfined_r:unconfined_t".
and both of those return "invalid context" and fetchmail is not started.
>I don't really understand the rest of what you are asking... typically
>we on list like to see the output of ausearch -m AVC -ts recent or some
>other form of the raw denial (its at the bottom of the setroubleshoot
>output) so we actually know what is failing.
That output of "ausearch -m AVC -ts recent" is empty, as is the
setroubleshoot screen after running rc.local three times just now.
The larger problem ATM is that rc.local is NOT being executed at the
end of the bootup. And yet:
[root@coyote ~]# ls -l /etc/rc.d/rc3.d/S99local
lrwxrwxrwx 1 root root 11 2008-01-04 22:39 /etc/rc.d/rc3.d/S99local -> ../rc.local
[root@coyote ~]# ls -lZ /etc/rc.d/rc3.d/S99local
lrwxrwxrwx root root system_u:object_r:etc_t:s0 /etc/rc.d/rc3.d/S99local -> ../rc.local
[root@coyote ~]# ls -lZ /etc/rc.d/rc.local
-rwxr-xr-x root root system_u
I boot and log in at runlevel 3 (everything but X), then run startx by hand.
I'm a big dummy maybe, and an old fart, but *I* can run it by using the
S99local link exactly the same as its real name, so why doesn't init run it?
I should be seeing in my login console, all of this:
[root@coyote ~]# /etc/rc.d/rc.local
restoring audio settings
heyu_engine is running - use 'heyu restart' to reconfigure
CM11A clock set to Mon, 11:03:52 (Standard Time), Day 6
Emulating macro Dawn_Off at address 1013
user_u:system_r:unconfined_t is not a valid context
adding shop.coyote.den to xhost access list
5279 ttyUSB0 00:00:00 heyu
5281 ? 00:00:38 heyu
20736 ? 00:00:00 heyu
4097 ? 00:00:04 fetchmail
restoreing midi playback to Audigy 2 card
setup env for nitros9 development
But I am not.
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"Don't hate me because I'm beautiful. Hate me because I'm beautiful, smart
-- Calvin Keegan
fedora-selinux-list mailing list
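The thread shows two separate failure modes: an rc.local entry that names a context the loaded policy does not know (runcon reports "... is not a valid context" and nothing ever reaches the AVC log, because the check happens before any transition), and an S99local link that init never runs at all. The script below is an added example, not something posted in the thread or shipped by Fedora; it performs the pre-flight checks an administrator would want before wiring a `runcon ... runuser` line into rc.local. It assumes coreutils `runcon`, `runuser` and the selinuxfs `context` file (`/sys/fs/selinux/context`, or `/selinux/context` on kernels of that era), which is what libselinux itself writes to when it validates a context string. The contexts used in the comments are the ones quoted in the thread; which one is right depends on the release's policy.

```sh
#!/bin/sh
# Added example for the fedora-selinux-list thread above (not the thread's own code):
# validate a SELinux context and the rc.local wiring before starting a daemon as a user.

# Return 0 if CTX has the shape user:role:type[:level], e.g.
# unconfined_u:system_r:unconfined_t or unconfined_u:unconfined_r:unconfined_t:s0.
# The optional level is an MLS/MCS range such as s0 or s0-s0:c0.c1023.
ctx_is_well_formed() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+(:s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?)?$'
}

# Return 0 if the loaded policy accepts CTX, 1 if it rejects it, 2 if SELinux is
# not available (not mounted, or we lack permission to ask). libselinux validates a
# context by writing it to selinuxfs' "context" file; the write fails when the
# policy does not know the user, role, type or level.
ctx_is_valid_on_host() {
    for f in /sys/fs/selinux/context /selinux/context; do
        if [ -w "$f" ]; then
            if printf '%s' "$1" > "$f" 2>/dev/null; then return 0; fi
            return 1
        fi
    done
    return 2
}

# Return 0 if the runlevel-3 rc.local wiring is in place: LINK must be a symlink
# whose target is TARGET, and the file it resolves to must be executable.
# Defaults are the Fedora paths from the thread; they are parameters so the
# check can also be run against a scratch directory.
rc_local_wired() {
    link=${1:-/etc/rc.d/rc3.d/S99local}
    target=${2:-../rc.local}
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
    [ "$(readlink "$link")" = "$target" ] || { echo "$link does not point at $target" >&2; return 1; }
    [ -x "$link" ] || { echo "$(readlink "$link") is not executable" >&2; return 1; }
    return 0
}

# Start CMD as USER in CTX. Refuses to run with a malformed or policy-rejected
# context instead of failing silently at boot; without SELinux it falls back to
# plain runuser so the same line works on a non-SELinux box.
run_as_user_in_ctx() {
    user=$1; ctx=$2; cmd=$3
    ctx_is_well_formed "$ctx" || { echo "malformed context: $ctx" >&2; return 1; }
    rc=0
    ctx_is_valid_on_host "$ctx" || rc=$?
    case $rc in
        0) runcon "$ctx" -- runuser -l -c "$cmd" "$user" ;;
        1) echo "$ctx is not a valid context under the loaded policy" >&2; return 1 ;;
        *) echo "SELinux not available; starting without runcon" >&2
           runuser -l -c "$cmd" "$user" ;;
    esac
}

# Usage from rc.local (run as root), e.g. for the fetchmail line in the thread:
#   sh /usr/local/sbin/ctxrun.sh gene unconfined_u:system_r:unconfined_t "fetchmail -d 90"
if [ $# -eq 3 ]; then
    rc_local_wired || echo "warning: rc.local is not wired into runlevel 3" >&2
    run_as_user_in_ctx "$@"
fi
```

Because the context check runs before `runcon` is ever invoked, a wrong user or role for the installed policy shows up as an explicit message at boot rather than as a daemon that quietly never started, which is the symptom Gene describes. An invalid context is not an AVC denial, so `ausearch -m AVC` staying empty is expected in that case; the AVC log only becomes relevant once the context is accepted and the process is actually confined.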