Gentoo Archives: gentoo-hardened

From: stanke <stanke@×××××××.eu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] newrole -r selinux problem
Date: Mon, 25 Sep 2006 03:36:02
Message-Id: 45174E2E.50906@stankox.eu
In Reply to: Re: [gentoo-hardened] newrole -r selinux problem by Antoine Martin
Hello

Thanks for the help. I solved my problem with user_r and sysadm_r; it's working OK now, but I still have a problem with my cron. Everything (probably) useful I can find in the logs is below.

Could someone please help me or show me the right way I should go.

Thank you

Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)

Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file

Antoine Martin wrote:
>>>> The policy does not allow a role transition from user_r to sysadm_r.
>>>> So that's why su can't work.
>>>>
>>> The solution in this case is to make sure that when you login as root
>>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>>> allow the transition to sysadm. Setting the default for ssh is fairly
>>> well documented.
>>>
>> Thanks for the help. Could you please send me some link to manuals? I googled
>> it (probably wrongly) but I didn't find anything useful.
>>
> /etc/security/default_contexts
> is what you're looking for.
>
> Antoine
>

--
gentoo-hardened@g.o mailing list
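An added example, not code from the thread or from Gentoo: it parses AVC denial records of the shape posted above, groups them by source context, target context and object class, and flags the groups whose target type is unlabeled_t. Those point at an unlabeled filesystem (here the root inode of dev=dm-3) that needs relabeling, not at a missing allow rule. The sample log is constructed from three of the records above plus the cron line; ipaddr is dropped and the regexes are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denial records from the message above (ipaddr dropped)
# plus the cron failure line, to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
"""

# Permission set inside the braces, then the key=value fields that follow "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def summarize(log_text):
    """Group denials by (scontext, tcontext, tclass); value is the sorted permission set."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["scontext"], rec["tcontext"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def unlabeled_targets(summary):
    """Groups whose target type is unlabeled_t. The object carries no label at all, so the
    remedy is a relabel of that filesystem (e.g. restorecon -R on its mount point), not a
    new allow rule generated from these denials."""
    return [key for key in summary if context_type(key[1]) == "unlabeled_t"]
```

Run summarize() over the full audit log and inspect unlabeled_targets() first; only groups that remain after the relabel are candidates for a policy change.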

Replies

Subject: Re: [gentoo-hardened] newrole -r selinux problem
Author: lunaslide <lunaslide@××.org>