Bug 160662 - su not allowed in an init script
su not allowed in an init script
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
http://boinc.berkeley.edu/autostart_d...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-16 10:10 EDT by Markku Kolkka
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-25 11:43:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Markku Kolkka 2005-06-16 10:10:49 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
I have been using the "boincctl" script in http://boinc.berkeley.edu/autostart_dennett.txt to start BOINC (http://boinc.berkeley.edu/) at boot in FC2 and FC3 without problems but after upgrading to FC4, the script fails when SELinux is in enforcing mode. Same happens with "service boincctl start" from the command line. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Install BOINC and the script in the URL
2. Edit the script and add it to startup with chkconfig
3. Reboot
  

Actual Results:  On the console:

Starting boinc
su: /bin/bash: Permission denied

In the system log:

audit(1118913920.599:2): avc:  denied  { transition } for  pid=2184 comm="su" name=bash dev=dm-0 ino=45101 scontext=system_u:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=process


Expected Results:  Console shows:
Starting boinc              [OK]


Additional info:

Startup succeeds with SELinux in permissive mode.
Comment 1 Daniel Walsh 2005-06-16 16:34:52 EDT
Does it work if you use 

runuser as opposed to su?

Dan
Comment 2 Markku Kolkka 2005-06-16 17:28:06 EDT
Yes, replacing su with runuser works.

Note You need to log in before you can comment on or make changes to this bug.