Getting su to work in init scripts


Sven Vermeulen Mon 14 September 2015

While developing an init script that has to switch user, I got a couple of errors from SELinux and the system itself:

~# rc-service hadoop-namenode format
Authenticating root.
 * Formatting HDFS ...
su: Authentication service cannot retrieve authentication info
(Ignored)

The authentication log shows entries such as the following:

Sep 14 20:20:05 localhost unix_chkpwd[5522]: could not obtain user info (hdfs)

I've always had issues getting su to work properly again. Now that I have what I think is a working set of rules, let me document it for later (I still need to review why each of them is needed):

# Allow initrc_t to run unix_chkpwd to check password entries.
# Without it, su fails with the "cannot retrieve authentication info" error shown above.
auth_domtrans_chk_passwd(initrc_t)

# Allow initrc_t to query SELinux access decisions; otherwise an AVC assertion fails.
allow initrc_t self:netlink_selinux_socket { bind create read };
selinux_compute_access_vector(initrc_t)

# Allow initrc_t to honor the pam_rootok setting (root switching user without a password).
allow initrc_t self:passwd { passwd rootok };

With these SELinux rules, switching the user works as expected from within an init script.
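As an added example, not part of the original post or of any SELinux tooling, here is a small audit2allow-style shell helper that turns AVC denial lines into the raw allow rules they call for, merging permissions per source type, target type and class, and writing self when source and target match. The denial lines in sample_denials are constructed (the pids, timestamps and inode are made up) to resemble what su running from initrc_t would produce for the three rules above; the function names sample_denials and denials_to_allow are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal audit2allow-style
# helper. It reads AVC denial lines on stdin and prints one "allow" rule per
# (source type, target type, class), with the permissions merged and sorted.

# Constructed sample input: denials of the kind that lead to the rules in the
# post, plus the unmatched unix_chkpwd line, which is simply ignored.
sample_denials() {
    cat <<'EOF'
Sep 14 20:20:05 localhost unix_chkpwd[5522]: could not obtain user info (hdfs)
type=AVC msg=audit(1442255999.101:41): avc:  denied  { create } for  pid=5520 comm="su" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket permissive=0
type=AVC msg=audit(1442255999.102:42): avc:  denied  { bind } for  pid=5520 comm="su" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket permissive=0
type=AVC msg=audit(1442255999.103:43): avc:  denied  { read } for  pid=5520 comm="su" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket permissive=0
type=AVC msg=audit(1442255999.104:44): avc:  denied  { rootok } for  pid=5520 comm="su" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd permissive=0
type=AVC msg=audit(1442255999.105:45): avc:  denied  { passwd } for  pid=5520 comm="su" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd permissive=0
type=AVC msg=audit(1442255999.106:46): avc:  denied  { execute } for  pid=5522 comm="su" name="unix_chkpwd" dev="sda1" ino=1234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
EOF
}

# Pipeline:
#  1. sed pulls "<source type> <target type> <class> <perms...>" out of each
#     AVC line; lines that are not AVC denials are dropped by "sed -n".
#  2. awk emits one line per permission so that "sort -u" merges duplicates.
#  3. awk folds consecutive lines with the same (source, target, class) into
#     a single allow rule, printing "self" when source and target types match.
denials_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' |
    LC_ALL=C sort -u |
    awk '
        function print_rule(    f, tgt) {
            split(prev, f, " ")
            tgt = (f[1] == f[2]) ? "self" : f[2]
            printf "allow %s %s:%s {%s };\n", f[1], tgt, f[3], perms
        }
        {
            key = $1 " " $2 " " $3
            if (key != prev) {
                if (prev != "") print_rule()
                prev = key
                perms = ""
            }
            perms = perms " " $4
        }
        END { if (prev != "") print_rule() }
    '
}

# Usage: feed the constructed denials (or "ausearch -m avc" output) through it.
sample_denials | denials_to_allow
```

The output for the constructed input is the two self rules from the post plus a raw `allow initrc_t chkpwd_exec_t:file { execute };`. That last line is where raw rules stop being enough: the post calls the reference policy interface auth_domtrans_chk_passwd instead, which besides the execute permission also sets up the domain transition into the unix_chkpwd domain. Denial-derived rules are a way to find out which interface is missing, not the policy to ship.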