On Fri, 2006-01-27 at 08:16 -0500, Bruce Ecroyd wrote:
> I recently switched from FC4 targeted (enforcing) to strict
> (permissive) using selinux-policy-strict-1.27.1-2.16.noarch.rpm.
> I did a touch /.autorelabel before rebooting.

Please turn off HTML mail in your mail client; it isn't desirable for
public mailing lists in particular.

> I see this:
> [bruce@BorgCube ~]$ su -
> Password:
> Error sending status request (Operation not permitted)
> [root@BorgCube ~]#
>
> The last part of the /var/log/audit/audit.log shows:
> type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003
> syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1
> pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0
> egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
> type=AVC msg=audit(1138247001.111:13162965): avc: denied { create }
> for pid=8250 comm="su" name=.xauthVpNVFy
> scontext=user_u:user_r:user_t
> tcontext=user_u:object_r:sysadm_home_dir_t tclass=file

Under strict policy, users can only use 'su' if they are assigned the
staff_r role. Unless you turn on the user_canbe_sysadm tunable and
rebuild the policy. So you need to authorize your username for staff_r.

Under FC4, you can do this via:
vi /etc/selinux/strict/users/local.users
<uncomment the entry for 'jadmin' and replace 'jadmin' with your own username>
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.19
/usr/sbin/genhomedircon
/sbin/restorecon -R /home/<username>

Alternatively, you can install selinux-policy-strict-sources, cd
/etc/selinux/strict/src/policy, and edit its users file, followed by a
make load and the above restorecon.

Alternatively, you can install selinux-policy-strict-sources, cd
/etc/selinux/strict/src/policy, and edit the tunables/tunable.tun file,
enable the user_canbe_sysadm tunable (by removing the dnl prefix),
followed by a make load. In which case you (and any other user_r user)
can use su (still requiring them to know the root password). But that
isn't as secure.
As a heads up, note that this approach will be obsoleted in FC5. In FC5,
you can map Linux users to predefined SELinux pseudo-users (like staff_u)
using the semanage tool and not need to rebuild or reload policy
(although you still have to label the user's home directory).

> If I change to strict, enforcing, will this prevent me from su to
> root?

Yes, it should, since you weren't authorized for staff_r.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
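As an added example (not part of the thread): a small Python triage script that parses the SYSCALL and AVC records quoted above (embedded here as a constructed sample), joins them by audit event serial, and reports the caller's SELinux role and the target type, so an administrator reading audit.log can see at a glance that the denied su ran as user_r rather than staff_r. The set of roles allowed to run su under strict policy (staff_r, sysadm_r) and the field names of the returned summary are assumptions taken from the explanation in the reply, not from any SELinux tool.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the thread, joined by event serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
"""

HEADER_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SU_ROLES = {"staff_r", "sysadm_r"}  # assumed: roles strict policy lets run su

def parse_record(line):
    """Split one audit record into type, event serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": ts, "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["verdict"], rec["perms"], body = a[1], a[2].split(), a[3]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def group_events(text):
    """Group records by serial so an AVC line can be joined with its SYSCALL line."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return events

def explain_su_denial(records):
    """Summarise an event that contains an AVC denial for su, else return None."""
    avc = next((r for r in records if r["type"] == "AVC"
                and r["verdict"] == "denied" and r.get("comm") == "su"), None)
    if avc is None:
        return None
    sysc = next((r for r in records if r["type"] == "SYSCALL"), {})
    seuser, srole, stype = avc["scontext"].split(":")[:3]
    return {"serial": avc["serial"], "uid": sysc.get("uid"), "seuser": seuser,
            "source_role": srole, "source_type": stype,
            "target_type": avc["tcontext"].split(":")[2], "tclass": avc["tclass"],
            "perms": avc["perms"], "needs_staff_r": srole not in SU_ROLES}
```

Running `explain_su_denial(group_events(SAMPLE_LOG)[13162965])` on the sample yields a summary with source_role user_r, target_type sysadm_home_dir_t and needs_staff_r True, which is exactly the condition the reply describes.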