Hi,

On Sun, Jun 10, 2007 at 05:25:17PM +0200, Krzysztof Kozłowski wrote:
> On many "normal" sudo commands like:
> - tail /var/log/messages (accessing logs)
> - editing system files (/etc, /boot)
> I can see "denied" in /var/log/avc.log:
> --------------
> # tail /var/log/messages
> Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied {
> execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
> Jun 10 16:56:02 bambo audit(1181487362.824:1014): avc: denied { read } for
> pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
> Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for
> pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
> tclass=file
> Jun 10 16:59:02 bambo audit(1181487542.218:1016): avc: denied { getattr }
> for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
> tclass=file
> --------------
> # vi /boot/grub/grub.conf
> Jun 10 17:00:38 bambo audit(1181487638.555:1017): avc: denied { search } for
> pid=24869 comm="vi" name="/" dev=sda1 ino=2
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t tclass=dir
> Jun 10 17:00:38 bambo audit(1181487638.571:1018): avc: denied { getattr }
> for pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
> tclass=file
> Jun 10 17:00:38 bambo audit(1181487638.659:1019): avc: denied { write } for
> pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
> tclass=file
> --------------
>
> Performing these tasks from the root account:
> --------------
> # vi /boot/grub/grub.conf
> Jun 10 17:16:28 bambo audit(1181488588.761:1083): avc: denied { read } for
> pid=25719 comm="ls" name="boot" dev=sda1 ino=14
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=lnk_file
> Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for
> pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
> Jun 10 17:16:43 bambo audit(1181488603.486:1085): avc: denied { read } for
> pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
> Jun 10 17:16:43 bambo audit(1181488603.486:1086): avc: denied { write } for
> pid=25720 comm="vi" name="grub" dev=sda1 ino=4017
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
> --------------
>
> These are only examples - almost all my root/sudo actions are denied. Why?
> What settings or rules have I forgotten? Should I explicitly allow
> "staff_t/staff_sudo_t" access to /boot, /var/log and other important places?
> I have been searching for clues for many hours and "I still haven't found what I'm
> looking for...".

Any reason why you don't `newrole -r sysadm_r; su -` ?

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux