06-13-2008, 12:34 AM
Chuck Anderson

F9: su and sudo don't work as user

Ok, I thought this was a known issue but I can't seem to find it
mentioned anywhere. I have a F9 system that "su" and "sudo" don't
work on. I noticed that my context was user_u rather than
unconfined_u:


Login on the console as cra:

[cra@system 20:25:34 /home/cra]>id
uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
[cra@system 20:25:36 /home/cra]>su
/bin/su: Permission denied.
[cra@system 20:25:37 /home/cra]>sudo
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted

So I tried to go in as root and fix the context like this:

Login on the console as root:

[root@system ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted

[root@system ~]# setenforce 0
[root@system ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023

[root@system ~]# semanage login -m -s unconfined_u root
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root

[root@system ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted

[root@system ~]# setenforce 1
[root@system ~]# exit

But it didn't work as you can see. I'm running these versions:

kernel-2.6.25.4-30.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch

Can someone please help?

Thanks.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-13-2008, 12:26 PM
Stephen Smalley

F9: su and sudo don't work as user

On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote:
> Ok, I thought this was a known issue but I can't seem to find it
> mentioned anywhere. I have a F9 system that "su" and "sudo" don't
> work on. I noticed that my context was user_u rather than
> unconfined_u:

They shouldn't work from user_u, as that user identity/role isn't
supposed to be able to use them (unprivileged user).

>
> Login on the console as cra:
>
> [cra@system 20:25:34 /home/cra]>id
> uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
> [cra@system 20:25:36 /home/cra]>su
> /bin/su: Permission denied.
> [cra@system 20:25:37 /home/cra]>sudo
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>
> So I tried to go in as root and fix the context like this:
>
> Login on the console as root:
>
> [root@system ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
> [root@system ~]# setenforce 0
> [root@system ~]# semanage login -l
>
> Login Name           SELinux User         MLS/MCS Range
>
> __default__          unconfined_u         s0
> root                 root                 s0-s0:c0.c1023
> system_u             system_u             s0-s0:c0.c1023

semanage user -l shows what?

>
> [root@system ~]# semanage login -m -s unconfined_u root
> libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
> libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not modify login mapping for root
>
> [root@system ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
> [root@system ~]# setenforce 1
> [root@system ~]# exit
>
> But it didn't work as you can see. I'm running these versions:
>
> kernel-2.6.25.4-30.fc9.x86_64
> selinux-policy-targeted-3.3.1-64.fc9.noarch
>
> Can someone please help?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency

 
06-13-2008, 02:09 PM
Chuck Anderson

F9: su and sudo don't work as user

On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
> They shouldn't work from user_u, as that user identity/role isn't
> supposed to be able to use them (unprivileged user).

Right, I was trying to fix that, and apparently failed.

> > [root@system ~]# semanage login -l
> >
> > Login Name           SELinux User         MLS/MCS Range
> >
> > __default__          unconfined_u         s0
> > root                 root                 s0-s0:c0.c1023
> > system_u             system_u             s0-s0:c0.c1023
>
> semanage user -l shows what?

I didn't know there was a "user" in addition to "login":

# semanage user -l

                Labeling    MLS/        MLS/
SELinux User    Prefix      MCS Level   MCS Range         SELinux Roles

root            unconfined  s0          s0-s0:c0.c1023    system_r staff_r unconfined_r sysadm_r
staff_u         staff       s0          s0-s0:c0.c1023    system_r staff_r sysadm_r
sysadm_u        sysadm      s0          s0-s0:c0.c1023    sysadm_r
system_u        user        s0          s0-s0:c0.c1023    system_r
user_u          user        s0          s0                user_r

Now it seems obvious--I'm missing the unconfined_u user.

Comparing this to a working F9 system:

                Labeling    MLS/        MLS/
SELinux User    Prefix      MCS Level   MCS Range         SELinux Roles

guest_u         guest       s0          s0                guest_r
root            user        s0          s0-s0:c0.c1023    system_r staff_r unconfined_r sysadm_r
staff_u         user        s0          s0-s0:c0.c1023    system_r staff_r sysadm_r
sysadm_u        user        s0          s0-s0:c0.c1023    sysadm_r
system_u        user        s0          s0-s0:c0.c1023    system_r
unconfined_u    unconfined  s0          s0-s0:c0.c1023    system_r unconfined_r
user_u          user        s0          s0                user_r
xguest_u        xguest      s0          s0                xguest_r

How do I fix this?

Thanks.

 
06-13-2008, 02:21 PM
Stephen Smalley

F9: su and sudo don't work as user

On Fri, 2008-06-13 at 10:09 -0400, Chuck Anderson wrote:
> On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
> > They shouldn't work from user_u, as that user identity/role isn't
> > supposed to be able to use them (unprivileged user).
>
> Right, I was trying to fix that, and apparently failed.
>
> > > [root@system ~]# semanage login -l
> > >
> > > Login Name           SELinux User         MLS/MCS Range
> > >
> > > __default__          unconfined_u         s0
> > > root                 root                 s0-s0:c0.c1023
> > > system_u             system_u             s0-s0:c0.c1023
> >
> > semanage user -l shows what?
>
> I didn't know there was a "user" in addition to "login":
>
> # semanage user -l
>
>                 Labeling    MLS/        MLS/
> SELinux User    Prefix      MCS Level   MCS Range         SELinux Roles
>
> root            unconfined  s0          s0-s0:c0.c1023    system_r staff_r unconfined_r sysadm_r
> staff_u         staff       s0          s0-s0:c0.c1023    system_r staff_r sysadm_r
> sysadm_u        sysadm      s0          s0-s0:c0.c1023    sysadm_r
> system_u        user        s0          s0-s0:c0.c1023    system_r
> user_u          user        s0          s0                user_r
>
> Now it seems obvious--I'm missing the unconfined_u user.
>
> Comparing this to a working F9 system:
>
>                 Labeling    MLS/        MLS/
> SELinux User    Prefix      MCS Level   MCS Range         SELinux Roles
>
> guest_u         guest       s0          s0                guest_r
> root            user        s0          s0-s0:c0.c1023    system_r staff_r unconfined_r sysadm_r
> staff_u         user        s0          s0-s0:c0.c1023    system_r staff_r sysadm_r
> sysadm_u        user        s0          s0-s0:c0.c1023    sysadm_r
> system_u        user        s0          s0-s0:c0.c1023    system_r
> unconfined_u    unconfined  s0          s0-s0:c0.c1023    system_r unconfined_r
> user_u          user        s0          s0                user_r
> xguest_u        xguest      s0          s0                xguest_r
>
> How do I fix this?

Looks like the same problem reported by Kayvan (Weird SELinux problem
after upgrade to F9).

semanage user -a -P user -R "unconfined_r system_r" -rs0-s0:c0.c1023 unconfined_u

semanage user acts on SELinux users, i.e. users defined in the kernel
policy, which these days are used as "authorized role sets" rather than
individual users. semanage login acts on Linux users, who are then
mapped to SELinux users in policy.

--
Stephen Smalley
National Security Agency
