On many "normal" sudo commands like:

- tail /var/log/messages (accessing logs)
- editing system files (/etc, /boot)

I can see "denied" in /var/log/avc.log:

--------------
# tail /var/log/messages
Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied {
execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:56:02 bambo audit(1181487362.824:1014): avc: denied { read } for
pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for
pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1016): avc: denied { getattr }
for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
tclass=file
--------------
# vi /boot/grub/grub.conf
Jun 10 17:00:38 bambo audit(1181487638.555:1017): avc: denied { search } for
pid=24869 comm="vi" name="/" dev=sda1 ino=2
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t tclass=dir
Jun 10 17:00:38 bambo audit(1181487638.571:1018): avc: denied { getattr }
for pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
tclass=file
Jun 10 17:00:38 bambo audit(1181487638.659:1019): avc: denied { write } for
pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
tclass=file
--------------

Performing these tasks from the root account:
--------------
# vi /boot/grub/grub.conf
Jun 10 17:16:28 bambo audit(1181488588.761:1083): avc: denied { read } for
pid=25719 comm="ls" name="boot" dev=sda1 ino=14
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=lnk_file
Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for
pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1085): avc: denied { read } for
pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1086): avc: denied { write } for
pid=25720 comm="vi" name="grub" dev=sda1 ino=4017
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
--------------

These are only examples - almost all my root/sudo actions are denied. Why?
What settings or rules have I forgotten? Should I explicitly allow
"staff_t/staff_sudo_t" access to /boot, /var/log and other important places?
I have been searching for clues for many hours and "I still haven't found what
I'm looking for...".

Some detailed info:

Gentoo profile: /usr/portage/profiles/selinux/x86/2006.1
sec-policy/selinux-base-policy-20070329
--------------
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
--------------
# semodule -l
clamav 1.2.1
gpm 1.2.1
logrotate 1.4.0
logwatch 1.3.1
munin 1.1.1
mysql 1.3.1
readahead 1.3.0
samba 1.4.3
slocate 1.3.1
smartmon 1.1.1
sudo 1.0.2
sxid 1.1.0
tmpreaper 1.2.0
unconfined 1.5.2
usbmodules 1.1.0
--------------
emerge --info can be found at:
http://www.kozik.net.pl/tmp/bambo-emerge.info.txt

Sudo commands are run from a user with "context=staff_u:staff_r:staff_t"
(staff_u has roles "sysadm_r staff_r").

--
Krzysztof Kozłowski
http://www.kozik.net.pl

--
gentoo-hardened@g.o mailing list
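The denials quoted in the post can be aggregated by (source type, target type, object class), the way audit2allow does, to see exactly which rules the loaded policy lacks. The parser below is an added example, not code from the post or from the Gentoo policy; it handles the line-wrapped syslog-style AVC format shown above and uses a constructed sample built from two of the quoted records.

```python
import re
# Constructed sample from records quoted in the post above; the wrapped
# continuation lines are kept on purpose so the parser must re-join them.
SAMPLE_AVC = """\
Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied {
execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for
pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
tclass=file
"""
RECORD_START = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+audit\(")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(text):
    """Return one dict per denial: denied perms plus source/target *types*."""
    parsed = []
    for rec in split_records(text):
        m = DENIED.search(rec)
        if not m:
            continue  # not an AVC denial record
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        f["perms"] = set(m.group(1).split())
        # a context is user:role:type; TE rules key on the type field only
        f["stype"], f["ttype"] = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        parsed.append(f)
    return parsed

def summarize(records):
    """Aggregate denied permissions by (source type, target type, object class)."""
    summary = {}
    for r in records:
        summary.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return summary

def to_allow_rules(summary):
    """Render each aggregate as a TE allow rule, the shape audit2allow emits."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```

The sestatus output above reports permissive mode, so these denials are logged rather than enforced; an aggregated list like this shows which interfaces the policy is missing, which is a separate question from whether staff_t should be handed write access to boot_t wholesale.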