| 1 |
Hi! |
| 2 |
|
| 3 |
I have a problem with newrole in enforcing mode. I have seen others |
| 4 |
having the same problem when googling for it, but haven't seen any |
| 5 |
solution to it. |
| 6 |
|
| 7 |
I have a user (frja) who is in sysadm_r and staff_r: |
| 8 |
/etc/security/selinux/src/policy/users: |
| 9 |
user frja roles { sysadm_r staff_r }; |
| 10 |
|
| 11 |
I have no problems switching to sysadm_r when in permissive mode, but in |
| 12 |
enforcing mode I get: |
| 13 |
$ newrole -r sysadm_r |
| 14 |
Authenticating frja. |
| 15 |
Password: |
| 16 |
newrole: incorrect password for frja |
| 17 |
|
| 18 |
dmesg: |
| 19 |
avc: denied { siginh } for pid=8009 exe=/usr/bin/newrole |
| 20 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 21 |
tclass=process |
| 22 |
|
| 23 |
avc: denied { rlimitinh } for pid=8009 exe=/usr/bin/newrole |
| 24 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 25 |
tclass=process |
| 26 |
|
| 27 |
avc: denied { noatsecure } for pid=8009 exe=/usr/bin/newrole |
| 28 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 29 |
tclass=process |
| 30 |
|
| 31 |
avc: denied { siginh } for pid=8010 exe=/sbin/unix_chkpwd |
| 32 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 33 |
tclass=process |
| 34 |
|
| 35 |
avc: denied { rlimitinh } for pid=8010 exe=/sbin/unix_chkpwd |
| 36 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 37 |
tclass=process |
| 38 |
|
| 39 |
avc: denied { noatsecure } for pid=8010 exe=/sbin/unix_chkpwd |
| 40 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 41 |
tclass=process |
| 42 |
|
| 43 |
avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom |
| 44 |
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t |
| 45 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 46 |
|
| 47 |
avc: denied { search } for pid=8010 exe=/sbin/unix_chkpwd name=var |
| 48 |
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t |
| 49 |
tcontext=system_u:object_r:var_t tclass=dir |
| 50 |
|
| 51 |
avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd |
| 52 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
| 53 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
| 54 |
|
| 55 |
avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd |
| 56 |
capability=2 scontext=frja:staff_r:system_chkpwd_t |
| 57 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
| 58 |
|
| 59 |
avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd |
| 60 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
| 61 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
| 62 |
|
| 63 |
avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd |
| 64 |
capability=2 scontext=frja:staff_r:system_chkpwd_t |
| 65 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
| 66 |
|
| 67 |
|
| 68 |
In permissive mode newrole is successful and I still get in dmesg: |
| 69 |
avc: denied { siginh } for pid=8024 exe=/usr/bin/newrole |
| 70 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 71 |
tclass=process |
| 72 |
|
| 73 |
avc: denied { rlimitinh } for pid=8024 exe=/usr/bin/newrole |
| 74 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 75 |
tclass=process |
| 76 |
|
| 77 |
avc: denied { noatsecure } for pid=8024 exe=/usr/bin/newrole |
| 78 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
| 79 |
tclass=process |
| 80 |
|
| 81 |
avc: denied { siginh } for pid=8025 exe=/sbin/unix_chkpwd |
| 82 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 83 |
tclass=process |
| 84 |
|
| 85 |
avc: denied { rlimitinh } for pid=8025 exe=/sbin/unix_chkpwd |
| 86 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 87 |
tclass=process |
| 88 |
|
| 89 |
avc: denied { noatsecure } for pid=8025 exe=/sbin/unix_chkpwd |
| 90 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
| 91 |
tclass=process |
| 92 |
|
| 93 |
avc: denied { read } for pid=8025 exe=/sbin/unix_chkpwd name=urandom |
| 94 |
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t |
| 95 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 96 |
|
| 97 |
avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=var |
| 98 |
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t |
| 99 |
tcontext=system_u:object_r:var_t tclass=dir |
| 100 |
|
| 101 |
avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=run |
| 102 |
dev=hda2 ino=1205313 scontext=frja:staff_r:system_chkpwd_t |
| 103 |
tcontext=system_u:object_r:var_run_t tclass=dir |
| 104 |
|
| 105 |
avc: denied { dac_override } for pid=8025 exe=/sbin/unix_chkpwd |
| 106 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
| 107 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
| 108 |
|
| 109 |
avc: denied { siginh } for pid=8026 exe=/bin/bash |
| 110 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
| 111 |
tclass=process |
| 112 |
|
| 113 |
avc: denied { rlimitinh } for pid=8026 exe=/bin/bash |
| 114 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
| 115 |
tclass=process |
| 116 |
|
| 117 |
avc: denied { noatsecure } for pid=8026 exe=/bin/bash |
| 118 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
| 119 |
tclass=process |
| 120 |
|
| 121 |
But since it's not enforced it works. |
| 122 |
|
| 123 |
So I guess my question is, why? I have tried to relabel the system a |
| 124 |
couple of times, and it doesn't work. |
| 125 |
|
| 126 |
I am pretty sure I am missing something obvious, but I am still a |
| 127 |
SELinux newbie. |
| 128 |
|
| 129 |
Best regards |
| 130 |
Fredrik Jansson |
| 131 |
|
| 132 |
-- |
| 133 |
gentoo-hardened@g.o mailing list |
Archives