Bug 160662 - su not allowed in an init script
Summary: su not allowed in an init script
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
(Show other bugs)
Version: 4
Hardware: i686 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL: http://boinc.berkeley.edu/autostart_d...
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-16 14:10 UTC by Markku Kolkka
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-08-25 15:43:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Markku Kolkka 2005-06-16 14:10:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
I have been using the "boincctl" script in http://boinc.berkeley.edu/autostart_dennett.txt to start BOINC (http://boinc.berkeley.edu/) at boot in FC2 and FC3 without problems but after upgrading to FC4, the script fails when SELinux is in enforcing mode. Same happens with "service boincctl start" from the command line. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install BOINC and the script in the URL
2. Edit the script and add it to startup with chkconfig
3. Reboot

Actual Results:  On the console:

Starting boinc
su: /bin/bash: Permission denied

In the system log:

audit(1118913920.599:2): avc:  denied  { transition } for  pid=2184 comm="su" name=bash dev=dm-0 ino=45101 scontext=system_u:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=process

Expected Results:  Console shows:
Starting boinc              [OK]

Additional info:

Startup succeeds with SELinux in permissive mode.

Comment 1 Daniel Walsh 2005-06-16 20:34:52 UTC
Does it work if you use 

runuser as opposed to su?


Comment 2 Markku Kolkka 2005-06-16 21:28:06 UTC
Yes, replacing su with runuser works.

Note You need to log in before you can comment on or make changes to this bug.