Gentoo Archives: gentoo-hardened

From: Petre Rodan <kaiowas@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux - Root and sudo commands denied
Date: Sun, 10 Jun 2007 15:51:02
Message-Id: 20070610154907.GA28752@peter.simplex.ro
In Reply to: [gentoo-hardened] SELinux - Root and sudo commands denied by "Krzysztof Kozłowski"
Hi,

On Sun, Jun 10, 2007 at 05:25:17PM +0200, Krzysztof Kozłowski wrote:
> On many "normal" sudo commands like:
> - tail /var/log/messages (accessing logs)
> - editing system files (/etc, /boot)
> I can see "denied" in /var/log/avc.log:
> --------------
> # tail /var/log/messages
> Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied {
> execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
> Jun 10 16:56:02 bambo audit(1181487362.824:1014): avc: denied { read } for
> pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
> Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for
> pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
> tclass=file
> Jun 10 16:59:02 bambo audit(1181487542.218:1016): avc: denied { getattr }
> for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
> tclass=file
> --------------
> # vi /boot/grub/grub.conf
> Jun 10 17:00:38 bambo audit(1181487638.555:1017): avc: denied { search } for
> pid=24869 comm="vi" name="/" dev=sda1 ino=2
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t tclass=dir
> Jun 10 17:00:38 bambo audit(1181487638.571:1018): avc: denied { getattr }
> for pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
> tclass=file
> Jun 10 17:00:38 bambo audit(1181487638.659:1019): avc: denied { write } for
> pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
> tclass=file
> --------------
>
> Performing these tasks from the root account:
> --------------
> # vi /boot/grub/grub.conf
> Jun 10 17:16:28 bambo audit(1181488588.761:1083): avc: denied { read } for
> pid=25719 comm="ls" name="boot" dev=sda1 ino=14
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=lnk_file
> Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for
> pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
> Jun 10 17:16:43 bambo audit(1181488603.486:1085): avc: denied { read } for
> pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
> Jun 10 17:16:43 bambo audit(1181488603.486:1086): avc: denied { write } for
> pid=25720 comm="vi" name="grub" dev=sda1 ino=4017
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
> --------------
>
> These are only examples - almost all my root/sudo actions are denied. Why?
> What settings or rules have I forgotten? Should I explicitly allow
> "staff_t/staff_sudo_t" access to /boot, /var/log and other important places?
> I have been searching for clues for many hours and "I still haven't found what I'm
> looking for...".

Any reason why you don't `newrole -r sysadm_r; su -`?

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
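The point of the reply is visible in the AVC lines themselves: every denial has a source context whose role is staff_r (staff_t or staff_sudo_t), while the targets are boot_t and var_log_t, types that the staff role is not meant to administer. The fix is a role change, not new allow rules. The script below is an added example, not part of the thread: it summarises AVC denials from /var/log/avc.log by source role, source domain, target type, class and permission, counts how many come from staff_r, and compares that with the role reported by `id -Z`. The sample lines are copied from the post above and joined back onto one line each; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): triage SELinux AVC denials
# by source role. Denials from staff_r while doing admin work mean the shell
# never left the staff role, which is what `newrole -r sysadm_r; su -` fixes.

# Constructed sample: three AVC lines from the post above, one per line,
# in the classic /var/log/avc.log format.
SAMPLE_AVC='Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied { execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file'

# avc_summary: read AVC lines on stdin and print one line per unique
# "count role source-domain target-type class permission" tuple.
avc_summary() {
    awk '
        /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            # the permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) src = substr($i, 10)
                if ($i ~ /^tcontext=/) tgt = substr($i, 10)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            # contexts are user:role:type[:range]; field 2 is the role,
            # field 3 the type (domain for the source, file type for the target)
            split(src, s, ":"); split(tgt, t, ":")
            key = s[2] " " s[3] " " t[3] " " cls " " perm
            seen[key]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# staff_role_denials: number of distinct denial tuples whose source role is
# staff_r (field 2 of the avc_summary output).
staff_role_denials() {
    avc_summary | awk '$2 == "staff_r" { n++ } END { print n + 0 }'
}

# current_role: role field of the current SELinux context as printed by
# `id -Z` (user:role:type[:range]); "unknown" on a host without SELinux.
current_role() {
    role=$(id -Z 2>/dev/null | cut -d: -f2)
    printf '%s\n' "${role:-unknown}"
}

# Usage on a real box:  avc_summary < /var/log/avc.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary
if [ "$(printf '%s\n' "$SAMPLE_AVC" | staff_role_denials)" -gt 0 ] \
   && [ "$(current_role)" != "sysadm_r" ]; then
    echo "denials come from staff_r and this shell is not in sysadm_r:" \
         "run 'newrole -r sysadm_r' and then 'su -' before administering the system"
fi
```

On the poster's machine the summary shows only staff_r sources, so the answer is to switch role first rather than to write allow rules granting staff_t or staff_sudo_t access to boot_t and var_log_t; such rules would hand routine staff sessions the very privileges the role separation exists to withhold.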

Replies

Subject Author
Re: [gentoo-hardened] SELinux - Root and sudo commands denied "Krzysztof Kozłowski" <krzysztof.kozlowski@×××××××××.pl>