How to get "su" to work in init scripts in Red Hat 8 with SELinux?

Question

In an init script I'm trying to run a command:

su - user -c "/home/user/bin/command”

but SELinux prevents this:

systemd[1]: Starting LSB: Start the my_script at boot...
su[5941]: pam_unix(su-l:auth): auth could not identify password for [user]
su[5941]: FAILED SU (to user) root on none
my_script[5939]: Password: Password: su: Authentication has failed

I've applied setsebool -P domain_can_mmap_files 1, and also generated and applied policy with ausearch -c 'su' --raw | audit2allow -M my-su:

module my-su 1.0;

require {
    type init_t;
    type su_exec_t;
    class file map;
}

#============= init_t ==============

allow init_t su_exec_t:file map;

I'm getting a message in /var/log/audit.log:

type=USER_AVC msg=audit(1607611267.156:176): pid=6376 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { rootok } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=passwd permissive=0  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"

and subsequent use of ausearch […] does not generate proper policy.

Has anyone managed to solve a similar problem?

score 0 · Accepted Answer · answered Dec 11 '20 at 08:23

Just found the solution, there was allow init_t self:passwd rootok; missing. Valid policy is as follows:

module my-su 1.0;

require {
    type init_t;
    type su_exec_t;
    class file map;
    class passwd rootok;
}

#============= init_t ==============

allow init_t su_exec_t:file map;
allow init_t self:passwd rootok;

How to get "su" to work in init scripts in Red Hat 8 with SELinux?

1 Answers1