Gentoo Archives: gentoo-hardened

From: Ned Ludd <solar@g.o>
To: Peter Buettner <pb@××××××××××××.de>
Cc: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] su and newrole do not work from normal user account
Date: Thu, 09 Sep 2004 17:33:55
Message-Id: 1094751210.9661.1645.camel@simple
In Reply to: [gentoo-hardened] su and newrole do not work from normal user account by Peter Buettner
In the future please try to remember to prefix selinux threads with the
subject line of (selinux) or the likes. The hardened project has many
sub-projects and our development time is a precious thing.

The same would and should apply for the (grsec) & (rsbac) users.

thanks in advance.

On Thu, 2004-09-09 at 11:43, Peter Buettner wrote:
> Hello,
>
> I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.
>
> But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.
>
>
> sysop@access sysop $ newrole -r sysadm_r
> Authenticating sysop.
> Password:
> newrole: incorrect password for sysop
>
> sysop@access sysop $ su -
> Password:
> su: Authentication failure
> Sorry.
>
> Is this the normal behavior of the policy or have I done something wrong?
>
> How can I change this behavior if all is right?
>
> I have tried a different default_contexts file, but the behavior did not change.
>
> I am used to disabling root access in sshd so that I have to log in as a normal user and su to root for administration.
>
> Some settings:
>
> access policy # uname -a
> Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>
> users:
>
> # seuser
> # This file created automatically by seuser on Thu Jul 29 14:52:17 2004
>
> #
> # user file
>
> user system_u roles { system_r } ;
> user user_u roles { user_r } ;
> user root roles { sysadm_r staff_r } ;
> user sysop roles { sysadm_r staff_r } ;
> user sudevel roles { staff_r user_r } ;
> user test roles { user_r staff_r } ;
> user operator roles { user_r staff_r };
>
> default_contexts:
>
> system_r:sulogin_t sysadm_r:sysadm_t
> system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> system_r:remote_login_t user_r:user_t staff_r:staff_t
> system_r:sshd_t user_r:user_t staff_r:staff_t
> system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
> system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
> sysadm_r:sudo_t sysadm_r:sysadm_t
> staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
> user_r:sudo_t sysadm_r:sysadm_t user_r:user_t
>
>
> sestatus -v:
>
> access security # sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Policy version: 17
>
> Policy booleans:
> user_ping inactive
>
> Process contexts:
> Current context: root:sysadm_r:sysadm_t
> Init context: system_u:system_r:init_t
> /sbin/agetty system_u:system_r:getty_t
> /usr/sbin/sshd system_u:system_r:sshd_t
>
> File contexts:
> Controlling term: root:object_r:sysadm_devpts_t
> /etc/passwd system_u:object_r:etc_t
> /etc/shadow system_u:object_r:shadow_t
> /bin/bash system_u:object_r:shell_exec_t
> /bin/login system_u:object_r:login_exec_t
> /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
> /sbin/agetty system_u:object_r:getty_exec_t
> /sbin/init system_u:object_r:init_exec_t
> /usr/sbin/sshd system_u:object_r:sshd_exec_t
> /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
> /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
>
>
> Thank you for any help.
>
>
>
> Kind regards,
>
> Peter Büttner
>
>
> -------------------------------------------------
> Personal WLAN GmbH http://www.personalwlan.de
> Große Elbstraße 145a
> 22767 Hamburg
>
> Tel.: 040/888855-25
> Fax : 040/888855-55
> Mail: pb@××××××××××××.de
> -------------------------------------------------
>
>
> --
> gentoo-hardened@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
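Since the quoted mail shows both the seuser users file and the default_contexts table, here is an added Python example (written for this archive page, not code from the original mail or from libselinux) that parses both formats and applies a simplified version of the rule libselinux follows when a login program consults default_contexts: match the program's role:type against the first field, then keep the listed candidates, in order, whose role the user is authorized for. It assumes role membership alone decides the outcome; the real lookup additionally asks the loaded policy whether each user:role:type is valid.

```python
import re

# Constructed sample input, copied from the configuration quoted in the thread.
USERS_FILE = """\
# This file created automatically by seuser on Thu Jul 29 14:52:17 2004
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user operator roles { user_r staff_r };
"""

DEFAULT_CONTEXTS = """\
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t user_r:user_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
"""

USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s*\{([^}]*)\}\s*;")

def parse_users(text):
    """Map each SELinux user to the set of roles it is authorized for."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = set(m.group(2).split())
    return users

def parse_default_contexts(text):
    """Map a login program's role:type to its ordered candidate contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0]] = fields[1:]
    return table

def candidate_contexts(user, source, users, table):
    """Ordered candidates for `user` entering via `source`, keeping only those
    whose role the user is authorized for; the first survivor is the default.
    An empty result means the table offers that user no usable context."""
    roles = users.get(user, set())
    return [c for c in table.get(source, []) if c.split(":")[0] in roles]

def default_context(user, source, users, table):
    """The context a login program would pick, or None when nothing qualifies."""
    candidates = candidate_contexts(user, source, users, table)
    return candidates[0] if candidates else None
```

Run against the quoted files, it shows why sysop lands in staff_r:staff_t (not sysadm_r) after an sshd login: user_r is filtered out and staff_r is the first remaining entry, so reaching sysadm_r requires an explicit role change rather than the default.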

Attachments

File name MIME type
signature.asc application/pgp-signature