Gentoo Archives: gentoo-hardened

From: Jansson Fredrik <Fredrik.Jansson@×××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: RE: [gentoo-hardened] problems with newrole in enforcing mod
Date: Thu, 24 Jun 2004 18:11:46
Message-Id: 939755D83C92514FA1914B53C405E1C702A898@ctserver4.hq.columbitech.com
I should maybe add that I am ssh'ing into the box and that I am using
public key authentication on ssh. I am not sure it matters though.

/Fredrik

-----Original Message-----
From: Jansson Fredrik [mailto:Fredrik.Jansson@×××××××××××.com]
Sent: 24 June 2004 20:07
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] problems with newrole in enforcing mod

Hi!

I have a problem with newrole in enforcing mode. I have seen others
having the same problem when googling for it, but haven't seen any
solution to it.

I have a user (frja) who is in sysadm_r and staff_r:
/etc/security/selinux/src/policy/users:
user frja roles { sysadm_r staff_r };

I have no problems switching to sysadm_r when in permissive mode, but in
enforcing mode I get:
$ newrole -r sysadm_r
Authenticating frja.
Password:
newrole: incorrect password for frja

dmesg:
avc: denied { siginh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { rlimitinh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { noatsecure } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { siginh } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { rlimitinh } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { noatsecure } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

avc: denied { search } for pid=8010 exe=/sbin/unix_chkpwd name=var
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_t tclass=dir

avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd
capability=2 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd
capability=2 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability


In permissive mode newrole is successful and I still get in dmesg:
avc: denied { siginh } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { rlimitinh } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { noatsecure } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { siginh } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { rlimitinh } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { noatsecure } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { read } for pid=8025 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=var
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_t tclass=dir

avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=run
dev=hda2 ino=1205313 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_run_t tclass=dir

avc: denied { dac_override } for pid=8025 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { siginh } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

avc: denied { rlimitinh } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

avc: denied { noatsecure } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

But since it's not enforced it works.

So I guess my question is, why? I have tried to relabel the system a
couple of times, and it doesn't work.

I am pretty sure I am missing something obvious, but I am still a
SELinux newbie.

Best regards
Fredrik Jansson

--
gentoo-hardened@g.o mailing list
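An added example, not part of the thread: a small Python helper that reassembles the line-wrapped dmesg records pasted above, sets aside the three domain-transition denials (siginh, rlimitinh, noatsecure, which the post shows in the successful permissive run as well), and diffs the enforcing and permissive runs by (exe, permission, contexts, class) rather than by pid, so that the denials unix_chkpwd only reached in permissive mode stand out. The sample records are constructed from entries quoted in the post.

```python
import re
from typing import Dict, List, Set, Tuple

# Reported when a newly entered domain does not inherit signal state, rlimits
# or the "safe exec" flag; the exec itself still proceeds, which is why the
# post sees them in the permissive run that succeeds.
TRANSITION_PERMS = {"siginh", "rlimitinh", "noatsecure"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a subset of the post's records, wrapped as the mail client wrapped them.
ENFORCING = """
avc: denied { siginh } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
"""
PERMISSIVE = ENFORCING + """
avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=run
dev=hda2 ino=1205313 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_run_t tclass=dir
"""

Key = Tuple[str, str, str, str, str]  # (exe, perm, scontext, tcontext, tclass)


def parse_avc(text: str) -> List[Dict[str, str]]:
    """Join continuation lines onto their 'avc:' record, then split out key=value fields."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("avc:"):
            records.append(line)
        elif line and records:
            records[-1] += " " + line  # wrapped continuation of the previous record
    parsed: List[Dict[str, str]] = []
    for rec in records:
        m = AVC_RE.match(rec)
        if m:
            for perm in m.group("perms").split():  # a record may list several permissions
                parsed.append(dict(KV_RE.findall(m.group("fields")), perm=perm))
    return parsed


def blocking_denials(records: List[Dict[str, str]]) -> Set[Key]:
    """Denials that can actually fail an operation, keyed without the run-specific pid."""
    return {(r["exe"], r["perm"], r["scontext"], r["tcontext"], r["tclass"])
            for r in records if r["perm"] not in TRANSITION_PERMS}


def reached_only_in_permissive(enforcing: str, permissive: str) -> Set[Key]:
    """Steps the process got to in permissive mode but never reached under enforcing."""
    return blocking_denials(parse_avc(permissive)) - blocking_denials(parse_avc(enforcing))
```

Feeding the two full dmesg excerpts from the post into reached_only_in_permissive() lists the search on var_run_t and the transition into sysadm_t, the steps that follow the password check that fails under enforcing.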