1 |
On Sat, Jan 21, 2017 at 06:04:51PM +0000, Robert Sharp wrote: |
2 |
> AIM - to be able to su to root and switch off strict mode in case |
3 |
> something goes wrong. I was using newrole but I kept forgetting so I am |
4 |
> trying to use pam_selinux to change the role to sysadm_r. I followed |
5 |
> the instructions given at |
6 |
> [1]http://blog.siphos.be/2013/04/how-logins-get-their-selinux-user-cont |
7 |
> ext/ in general, but I had to do some research to find out how to apply |
8 |
> them for /bin/su. |
9 |
|
10 |
Generally, such a change is best implemented through sudo rather than su. |
11 |
With sudo, you have more control over role and type switching as well |
12 |
(sudo is SELinux-aware, and not just through its PAM support). |
13 |
|
14 |
Would that be an option for you? If not, then let's get into the details of |
15 |
what you are noticing further... |
16 |
|
17 |
> The answer was in su.if, added to the "su_role_template" interface. I |
18 |
> then spent some time figuring out how to get the roles/sysadm module to |
19 |
> use my modified interface (put it in the same directory) and it |
20 |
> generally seemed to work. I got a few extra AVCs but I ended up with |
21 |
> the following: |
22 |
> |
23 |
> optional_policy(` |
24 |
> domain_subj_id_change_exemption($1_su_t) |
25 |
> domain_role_change_exemption($1_su_t) |
26 |
> selinux_validate_context($1_su_t) |
27 |
> selinux_compute_access_vector($1_su_t) |
28 |
> selinux_compute_create_context($1_su_t) |
29 |
> selinux_compute_relabel_context($1_su_t) |
30 |
> selinux_compute_user_contexts($1_su_t) |
31 |
> seutil_read_config($1_su_t) |
32 |
> seutil_read_default_contexts($1_su_t) |
33 |
> userdom_relabelto_user_ptys($1_su_t) |
34 |
> userdom_dontaudit_relabelfrom_user_ptys($1_su_t) |
35 |
> userdom_use_user_ptys($1_su_t) |
36 |
> allow $1_su_t self:process setkeycreate; |
37 |
> allow $1_su_t $3:key manage_key_perms; |
38 |
> ') |
39 |
|
40 |
Note that, with this in place, you might be granting more people than you |
41 |
originally intended to gain certain privileges. |
42 |
|
43 |
> The PROBLEM: I still get two AVCs that I don't think I should be |
44 |
> getting: |
45 |
> |
46 |
> type=PROCTITLE msg=audit(1485020695.038:10367): |
47 |
> proctitle=2F62696E2F7375002D |
48 |
> type=PATH msg=audit(1485020695.038:10367): item=0 name="/dev/pts/3" |
49 |
> inode=6 dev=00:12 mode=020620 ouid=501 ogid=5 rdev=88:03 |
50 |
> obj=staff_u:object_r:user_devpts_t nametype=NORMAL |
51 |
> type=CWD msg=audit(1485020695.038:10367): |
52 |
> cwd="/home/robert/selinux/sysadm" |
53 |
> type=SYSCALL msg=audit(1485020695.038:10367): arch=c000003e |
54 |
> syscall=188 success=yes exit=0 a0=375183c820 a1=3817fb1fcaa |
55 |
> a2=375183bce0 a3=1c items=1 ppid=17744 pid=20374 |
56 |
> auid=4294967295 uid=501 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 |
57 |
> fsgid=0 tty=pts3 |
58 |
> ses=4294967295 comm="su" exe="/bin/su" |
59 |
> subj=staff_u:sysadm_r:sysadm_su_t key=(null) |
60 |
> type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto |
61 |
> } for pid=20374 comm="su" name="3" dev="devpts" ino=6 |
62 |
> scontext=staff_u:sysadm_r:sysadm_su_t |
63 |
> tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1 |
64 |
> ---- |
65 |
> type=AVC msg=audit(1485020695.038:10368): avc: denied { create } |
66 |
> for pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t |
67 |
> tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1 |
68 |
> |
69 |
> I double checked that I had corresponding rules to allow these: |
70 |
> |
71 |
> # sesearch -s sysadm_su_t -t user_devpts_t -A |
72 |
> allow sysadm_su_t user_devpts_t:chr_file { read getattr write ioctl |
73 |
> relabelto open append }; |
74 |
> |
75 |
> # sesearch -s sysadm_su_t -t sysadm_t -c key -A |
76 |
> allow sysadm_su_t sysadm_t:key { search setattr read create write |
77 |
> link view }; |
78 |
> |
79 |
> So I really cannot see why I am getting these AVCs. I keep looking at |
80 |
> the scripts, the rules and the AVCs to see if I have done something |
81 |
> stupid, but I cannot see it. I have started making fairly arbitrary |
82 |
> changes to see if I can make it go away but I am just wasting time |
83 |
> really. If I cannot figure this out I suspect I will be ditching |
84 |
> pam_selinux and reverting to explicitly issuing newrole. I guess with |
85 |
> strict on I will quickly be reminded that I have forgotten to change |
86 |
> roles anyway. |
87 |
|
88 |
As was mentioned in the thread already, this might be UBAC-related. |
89 |
|
90 |
Wkr, |
91 |
Sven Vermeulen |