| 1 |
Probably something I don't have tweaked just right, but a while ago when |
| 2 |
I tried to sudo it failed. I built this system at least 6 months ago |
| 3 |
and followed the procedures that were posted at that time, but then |
| 4 |
wasn't able to work towards putting SELinux in enforcing mode until this |
| 5 |
past week. |
| 6 |
|
| 7 |
sudo: unable to get default type for role sysadm_r |
| 8 |
sudo: unable to execute /bin/bash: Invalid argument |
| 9 |
|
| 10 |
I tried again after running newrole to switch to sysadm_r, but got the |
| 11 |
same result. |
| 12 |
|
| 13 |
The denials in the logs were: |
| 14 |
|
| 15 |
Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; |
| 16 |
USER=root ; COMMAND=/bin/bash |
| 17 |
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened |
| 18 |
for user root by stan(uid=0) |
| 19 |
Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): |
| 20 |
avc: denied { read } for pid=20130 comm="sudo" name="default_type" |
| 21 |
dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t |
| 22 |
tcontext=system_u:object_r:default_context_t tclass=file |
| 23 |
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed |
| 24 |
for user root |
| 25 |
|
| 26 |
find / -inum 6717702 |
| 27 |
/etc/selinux/strict/contexts/default_type |
| 28 |
|
| 29 |
I checked and indeed none of the sudo types have permissions for that |
| 30 |
file and I don't see any booleans to change it either, so what am I missing? |
| 31 |
|
| 32 |
sesearch -t default_context_t -c file -ACd |
| 33 |
Found 19 semantic av rules: |
| 34 |
allow initrc_t default_context_t : file { ioctl read getattr lock |
| 35 |
open } ; |
| 36 |
allow run_init_t default_context_t : file { ioctl read getattr lock |
| 37 |
open } ; |
| 38 |
allow useradd_t default_context_t : file { ioctl read getattr lock |
| 39 |
open } ; |
| 40 |
allow sysadm_dbusd_t default_context_t : file { ioctl read getattr |
| 41 |
lock open } ; |
| 42 |
allow system_dbusd_t default_context_t : file { ioctl read getattr |
| 43 |
lock open } ; |
| 44 |
allow sulogin_t default_context_t : file { ioctl read getattr lock |
| 45 |
open } ; |
| 46 |
allow staff_dbusd_t default_context_t : file { ioctl read getattr |
| 47 |
lock open } ; |
| 48 |
allow local_login_t default_context_t : file { ioctl read getattr |
| 49 |
lock open } ; |
| 50 |
allow sysadm_t default_context_t : file { ioctl read getattr lock |
| 51 |
open } ; |
| 52 |
allow setfiles_t default_context_t : file { ioctl read getattr lock |
| 53 |
open } ; |
| 54 |
allow user_dbusd_t default_context_t : file { ioctl read getattr lock |
| 55 |
open } ; |
| 56 |
allow sshd_t default_context_t : file { ioctl read getattr lock open } ; |
| 57 |
allow semanage_t default_context_t : file { ioctl read write create |
| 58 |
getattr setattr lock append unlink link rename open } ; |
| 59 |
allow staff_t default_context_t : file { ioctl read getattr lock open |
| 60 |
} ; |
| 61 |
allow newrole_t default_context_t : file { ioctl read getattr lock |
| 62 |
open } ; |
| 63 |
allow nscd_t default_context_t : file { ioctl read getattr lock open } ; |
| 64 |
allow udev_t default_context_t : file { ioctl read getattr lock open } ; |
| 65 |
allow crond_t default_context_t : file { ioctl read getattr lock open |
| 66 |
} ; |
| 67 |
allow user_t default_context_t : file { ioctl read getattr lock open } ; |
| 68 |
|
| 69 |
-- |
| 70 |
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR |
| 71 |
PR - Cindy and Jenny - Sammamish, WA NWR |
| 72 |
http://www.cci.org |
Archives