From: walid.fakim@cgi.com (Fakim, Walid)
Date: Sat, 17 Sep 2016 17:55:31 +0000
Subject: [refpolicy] su failing in init script
Message-ID: <67130EC7AFA3FE4E9290B03665B351F402A7E8@SE-EX021.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Guys,

I am having an issue with my module where in the application's init script (unfortunately I can't change the script to make it work, so that's not an option for me) there is a change of user via the following:

===
nohup su $APP_USER -c '
set -e
echo $$ >appserver.pid
exec ../sbin/appserver -Lappserver.log
' >>appserver.log 2>>appserver.log &
===

I can also see it's failing because in the logs the error comes up as:

Password: su: incorrect password

==

In the audit logs, I see:

type=AVC msg=audit(1474133015.013:80): avc: denied { entrypoint } for pid=1858 comm="nohup" path="/bin/su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_sudo_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1474133015.013:80): avc: denied { read open } for pid=1858 comm="nohup" name="su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_init_t_init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1474133015.013:80): avc: denied { execute } for pid=1858 comm="nohup" name="su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_init_t_init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file

===

In my module I tried to use the following, which I thought should make it work:

application_domain(appserver_init_t, appserver_init_exec_t)
init_daemon_domain(appserver_init_t, appserver_init_exec_t)
sudo_role_template(appserver_init, system_r, appserver_init_t)
type_transition appserver_init_t su_exec_t:process appserver_init_sudo_t;
sudo_exec(appserver_init_t)
domain_subj_id_change_exemption(appserver_init_t)
domain_system_change_exemption(appserver_init_t)

###############

Some of the above is probably overkill, but I am clutching at straws at the moment. Any thoughts or comments please?

Thanks.

Best Regards,
Walid Fakim
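As an added diagnostic helper (not part of the post above), the following groups the three AVC records quoted in the mail by source type, target type and object class, and reports which half of an execve-based domain transition each denial breaks: the calling domain needs execute on the file type, and the new domain needs entrypoint on it. The regex, function names and sample text are my own construction.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the mail (one audit event).
SAMPLE_AVCS = """\
type=AVC msg=audit(1474133015.013:80): avc: denied { entrypoint } for pid=1858 comm="nohup" path="/bin/su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_sudo_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1474133015.013:80): avc: denied { read open } for pid=1858 comm="nohup" name="su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_init_t_init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1474133015.013:80): avc: denied { execute } for pid=1858 comm="nohup" name="su" dev=dm-0 ino=134991 scontext=system_u:system_r:appserver_init_t_init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
"""

# Matches the denied permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (perms, source type, target type, tclass) for one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return set(m.group("perms").split()), stype, ttype, m.group("tclass")


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            grouped[(stype, ttype, tclass)] |= perms
    return dict(grouped)


def missing_transition_rules(grouped):
    """Explain each file-class denial in terms of the execve domain transition.

    'entrypoint' denied with scontext=X, tcontext=Y means the policy is moving
    into domain X via a file of type Y that is not declared as X's entrypoint;
    execute/read/open denied means the calling domain may not run the file."""
    findings = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        if tclass != "file":
            continue
        if "entrypoint" in perms:
            findings.append(f"{ttype} is not a declared entrypoint for domain {stype}")
        if perms & {"execute", "read", "open"}:
            findings.append(f"{stype} may not execute {ttype} ({' '.join(sorted(perms))})")
    return findings
```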