1 |
Hi! |
2 |
|
3 |
I have a problem with newrole in enforcing mode. I have seen others |
4 |
having the same problem when googling for it, but haven't seen any |
5 |
solution to it. |
6 |
|
7 |
I have a user (frja) who is in sysadm_r and staff_r: |
8 |
/etc/security/selinux/src/policy/users: |
9 |
user frja roles { sysadm_r staff_r }; |
10 |
|
11 |
I have no problems switching to sysadm_r when in permissive mode, but in |
12 |
enforcing mode I get: |
13 |
$ newrole -r sysadm_r |
14 |
Authenticating frja. |
15 |
Password: |
16 |
newrole: incorrect password for frja |
17 |
|
18 |
dmesg: |
19 |
avc: denied { siginh } for pid=8009 exe=/usr/bin/newrole |
20 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
21 |
tclass=process |
22 |
|
23 |
avc: denied { rlimitinh } for pid=8009 exe=/usr/bin/newrole |
24 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
25 |
tclass=process |
26 |
|
27 |
avc: denied { noatsecure } for pid=8009 exe=/usr/bin/newrole |
28 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
29 |
tclass=process |
30 |
|
31 |
avc: denied { siginh } for pid=8010 exe=/sbin/unix_chkpwd |
32 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
33 |
tclass=process |
34 |
|
35 |
avc: denied { rlimitinh } for pid=8010 exe=/sbin/unix_chkpwd |
36 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
37 |
tclass=process |
38 |
|
39 |
avc: denied { noatsecure } for pid=8010 exe=/sbin/unix_chkpwd |
40 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
41 |
tclass=process |
42 |
|
43 |
avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom |
44 |
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t |
45 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
46 |
|
47 |
avc: denied { search } for pid=8010 exe=/sbin/unix_chkpwd name=var |
48 |
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t |
49 |
tcontext=system_u:object_r:var_t tclass=dir |
50 |
|
51 |
avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd |
52 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
53 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
54 |
|
55 |
avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd |
56 |
capability=2 scontext=frja:staff_r:system_chkpwd_t |
57 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
58 |
|
59 |
avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd |
60 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
61 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
62 |
|
63 |
avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd |
64 |
capability=2 scontext=frja:staff_r:system_chkpwd_t |
65 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
66 |
|
67 |
|
68 |
In permissive mode newrole is successful and I still get in dmesg: |
69 |
avc: denied { siginh } for pid=8024 exe=/usr/bin/newrole |
70 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
71 |
tclass=process |
72 |
|
73 |
avc: denied { rlimitinh } for pid=8024 exe=/usr/bin/newrole |
74 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
75 |
tclass=process |
76 |
|
77 |
avc: denied { noatsecure } for pid=8024 exe=/usr/bin/newrole |
78 |
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t |
79 |
tclass=process |
80 |
|
81 |
avc: denied { siginh } for pid=8025 exe=/sbin/unix_chkpwd |
82 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
83 |
tclass=process |
84 |
|
85 |
avc: denied { rlimitinh } for pid=8025 exe=/sbin/unix_chkpwd |
86 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
87 |
tclass=process |
88 |
|
89 |
avc: denied { noatsecure } for pid=8025 exe=/sbin/unix_chkpwd |
90 |
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t |
91 |
tclass=process |
92 |
|
93 |
avc: denied { read } for pid=8025 exe=/sbin/unix_chkpwd name=urandom |
94 |
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t |
95 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
96 |
|
97 |
avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=var |
98 |
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t |
99 |
tcontext=system_u:object_r:var_t tclass=dir |
100 |
|
101 |
avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=run |
102 |
dev=hda2 ino=1205313 scontext=frja:staff_r:system_chkpwd_t |
103 |
tcontext=system_u:object_r:var_run_t tclass=dir |
104 |
|
105 |
avc: denied { dac_override } for pid=8025 exe=/sbin/unix_chkpwd |
106 |
capability=1 scontext=frja:staff_r:system_chkpwd_t |
107 |
tcontext=frja:staff_r:system_chkpwd_t tclass=capability |
108 |
|
109 |
avc: denied { siginh } for pid=8026 exe=/bin/bash |
110 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
111 |
tclass=process |
112 |
|
113 |
avc: denied { rlimitinh } for pid=8026 exe=/bin/bash |
114 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
115 |
tclass=process |
116 |
|
117 |
avc: denied { noatsecure } for pid=8026 exe=/bin/bash |
118 |
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t |
119 |
tclass=process |
120 |
|
121 |
But since it's not enforced it works. |
122 |
|
123 |
So I guess my question is, why? I have tried to relabel the system a |
124 |
couple of times, and it doesn't work. |
125 |
|
126 |
I am pretty sure I am missing something obvious, but I am still a |
127 |
SELinux newbie. |
128 |
|
129 |
Best regards |
130 |
Fredrik Jansson |
131 |
|
132 |
-- |
133 |
gentoo-hardened@g.o mailing list |