I should maybe add that I am ssh'ing into the box and that I am using
public key authentication on ssh. I am not sure it matters though.

/Fredrik

-----Original Message-----
From: Jansson Fredrik [mailto:Fredrik.Jansson@×××××××××××.com]
Sent: 24 June 2004 20:07
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] problems with newrole in enforcing mode

Hi!

I have a problem with newrole in enforcing mode. I have seen others
having the same problem when googling for it, but haven't seen any
solution to it.

I have a user (frja) who is in sysadm_r and staff_r:
/etc/security/selinux/src/policy/users:
user frja roles { sysadm_r staff_r };

I have no problems switching to sysadm_r when in permissive mode, but in
enforcing mode I get:
$ newrole -r sysadm_r
Authenticating frja.
Password:
newrole: incorrect password for frja

dmesg:
avc: denied { siginh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { rlimitinh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { noatsecure } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { siginh } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { rlimitinh } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { noatsecure } for pid=8010 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

avc: denied { search } for pid=8010 exe=/sbin/unix_chkpwd name=var
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_t tclass=dir

avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd
capability=2 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd
capability=2 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

In permissive mode newrole is successful and I still get in dmesg:
avc: denied { siginh } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { rlimitinh } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { noatsecure } for pid=8024 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { siginh } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { rlimitinh } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { noatsecure } for pid=8025 exe=/sbin/unix_chkpwd
scontext=frja:staff_r:newrole_t tcontext=frja:staff_r:system_chkpwd_t
tclass=process

avc: denied { read } for pid=8025 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=var
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_t tclass=dir

avc: denied { search } for pid=8025 exe=/sbin/unix_chkpwd name=run
dev=hda2 ino=1205313 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_run_t tclass=dir

avc: denied { dac_override } for pid=8025 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { siginh } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

avc: denied { rlimitinh } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

avc: denied { noatsecure } for pid=8026 exe=/bin/bash
scontext=frja:staff_r:newrole_t tcontext=frja:sysadm_r:sysadm_t
tclass=process

But since it's not enforced it works.

So I guess my question is, why? I have tried to relabel the system a
couple of times, and it doesn't work.

I am pretty sure I am missing something obvious, but I am still a
SELinux newbie.

Best regards
Fredrik Jansson

--
gentoo-hardened@g.o mailing list
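Added example, not from the post or from the Gentoo project: a small Python triage script for the kind of dmesg output pasted above. It re-joins AVC records that the mail client wrapped onto several lines, parses the fields, and groups the denials by source type, target type and object class, which is the same grouping audit2allow produces. The enforcing-mode records embedded in the script are copied from the post; the "transition noise" filter for siginh/rlimitinh/noatsecure is the script's own heuristic (policies normally dontaudit those three permissions on every domain transition, so they rarely explain a failure on their own).

```python
"""Triage SELinux AVC denials pasted from dmesg (added example, not the post's code)."""
import re
from collections import defaultdict

# Enforcing-mode excerpt copied from the post, wrapped exactly as the mail shows it.
ENFORCING_LOG = """
avc: denied { siginh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { rlimitinh } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { noatsecure } for pid=8009 exe=/usr/bin/newrole
scontext=frja:staff_r:staff_t tcontext=frja:staff_r:newrole_t
tclass=process

avc: denied { read } for pid=8010 exe=/sbin/unix_chkpwd name=urandom
dev=hda2 ino=164173 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

avc: denied { search } for pid=8010 exe=/sbin/unix_chkpwd name=var
dev=hda2 ino=912129 scontext=frja:staff_r:system_chkpwd_t
tcontext=system_u:object_r:var_t tclass=dir

avc: denied { dac_override } for pid=8010 exe=/sbin/unix_chkpwd
capability=1 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability

avc: denied { dac_read_search } for pid=8010 exe=/sbin/unix_chkpwd
capability=2 scontext=frja:staff_r:system_chkpwd_t
tcontext=frja:staff_r:system_chkpwd_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Checked on every domain transition; reference-style policies dontaudit them,
# so a triage usually sets them aside first (heuristic of this script).
TRANSITION_NOISE = {"siginh", "rlimitinh", "noatsecure"}


def join_wrapped(text):
    """Re-join records that were wrapped onto several lines; one string per record."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("avc:"):
            if current:
                records.append(" ".join(current))
            current = [line]
        elif line and current:
            current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_avc(record):
    """Return {'perms': set, 'scontext': ..., 'tcontext': ..., 'tclass': ..., ...} or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def summarize(text):
    """Group denials as audit2allow does: (source type, target type, class) -> permissions."""
    summary = defaultdict(set)
    for rec in join_wrapped(text):
        d = parse_avc(rec)
        if d is None:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        summary[key] |= d["perms"]
    return dict(summary)


def render_allow_rules(summary, drop_noise=True):
    """Render candidate rules in policy syntax for a human to review, noise filtered by default."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        if drop_noise:
            perms = perms - TRANSITION_NOISE
        if not perms:
            continue
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in render_allow_rules(summarize(ENFORCING_LOG)):
        print(rule)
```

The rendered lines are candidates to read against the policy sources, not something to paste in: the post does not say which of the denials causes the password check to fail, and a rule that grants system_chkpwd_t a capability or device access is a policy decision that should be checked against what unix_chkpwd actually needs. Running the same summary over the permissive-mode excerpt and comparing the two dictionaries shows which denials appear only once the first check is allowed to continue.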