Probably something I don't have tweaked just right, but a while ago when
I tried to sudo it failed. I built this system at least 6 months ago
and followed the procedures that were posted at that time, but then
wasn't able to work towards putting SELinux in enforcing mode until this
past week.

sudo: unable to get default type for role sysadm_r
sudo: unable to execute /bin/bash: Invalid argument

I tried again after running newrole to switch to sysadm_r, but got the
same result.

The denials in the logs were:

Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; USER=root ; COMMAND=/bin/bash
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened for user root by stan(uid=0)
Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed for user root

find / -inum 6717702
/etc/selinux/strict/contexts/default_type

I checked and indeed none of the sudo types have permissions for that
file and I don't see any booleans to change it either, so what am I missing?

sesearch -t default_context_t -c file -ACd
Found 19 semantic av rules:
allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open } ;
allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
allow udev_t default_context_t : file { ioctl read getattr lock open } ;
allow crond_t default_context_t : file { ioctl read getattr lock open } ;
allow user_t default_context_t : file { ioctl read getattr lock open } ;

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
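The check the poster did by hand (read the avc record, find the source and target types, grep the sesearch dump for a matching rule) can be scripted. The following is an added example, not code from the original post or from any SELinux tool. The avc line and the 19 allow rules are copied from the post above and rejoined onto single lines; the function names are this example's own. The rule it prints at the end has the same shape as what audit2allow would generate for this denial, which is only a diagnosis of which permission is missing, not a recommendation to add it to policy.

```python
"""Parse an SELinux AVC denial and check it against a sesearch -A dump.

Added example based on the mailing-list post; the two inputs below are
copied from it, not captured on a live system.
"""
import re

# Constructed input: the kernel avc record from the post, on one line.
AVC_LINE = (
    'Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): '
    'avc: denied { read } for pid=20130 comm="sudo" name="default_type" '
    'dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t '
    'tcontext=system_u:object_r:default_context_t tclass=file'
)

# Constructed input: output of `sesearch -t default_context_t -c file -ACd`
# as quoted in the post (19 rules).
SESEARCH_OUTPUT = """Found 19 semantic av rules:
allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open } ;
allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
allow udev_t default_context_t : file { ioctl read getattr lock open } ;
allow crond_t default_context_t : file { ioctl read getattr lock open } ;
allow user_t default_context_t : file { ioctl read getattr lock open } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# [^}] also matches newlines, so rules wrapped mid-brace (as in the post) still parse.
RULE_RE = re.compile(
    r'allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s*\{(?P<perms>[^}]*)\}')


def parse_avc(line):
    """Return the denied permissions plus every key=value field, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def parse_rules(text):
    """Turn a sesearch -A dump into (source, target, class, {perms}) tuples."""
    return [(m['src'], m['tgt'], m['cls'], set(m['perms'].split()))
            for m in RULE_RE.finditer(text)]


def check_denial(avc, rules):
    """Report which requested perms the source type lacks on the target, and
    which other types already hold all of them (the poster's sesearch step)."""
    src, tgt, cls = context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass']
    wanted = set(avc['perms'])
    granted, holders = set(), []
    for r_src, r_tgt, r_cls, r_perms in rules:
        if (r_tgt, r_cls) != (tgt, cls):
            continue
        if r_src == src:
            granted |= r_perms
        if wanted <= r_perms:
            holders.append(r_src)
    return {'source': src, 'target': tgt, 'class': cls,
            'missing': sorted(wanted - granted), 'holders': holders}


def suggest_rule(result):
    """Minimal allow rule that would clear the denial; None if nothing is missing."""
    if not result['missing']:
        return None
    return 'allow %s %s:%s { %s };' % (
        result['source'], result['target'], result['class'], ' '.join(result['missing']))


if __name__ == '__main__':
    res = check_denial(parse_avc(AVC_LINE), parse_rules(SESEARCH_OUTPUT))
    print('denied: %s -> %s:%s missing %s' % (res['source'], res['target'], res['class'], res['missing']))
    print('types that already have it:', ', '.join(res['holders']))
    print('candidate rule:', suggest_rule(res))
```

For the post's data this confirms the poster's reading: staff_sudo_t has no rule at all on default_context_t:file while 19 other types (staff_t, sysadm_t, newrole_t and the login and daemon domains among them) can read it. Whether the right fix is that local allow rule or something else in how the sudo domains are set up is the open question of the post and is not answered by the script.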