problems switching between roles (newrole)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello List,
Question about managing roles: I'm trying to setup my user to have access to both the unprivileged user_r role and the administrative role sysadm_r. My system is FC6 using the latest policy from yum: 

<sestatus>
	SELinux status: 		enabled
	SELinuxfs mount: 		/selinux
	Current mode:			enforcing
	Mode from config file:		enforcing
	Policy version:			21
	Policy from config file:	strict
</sestatus>

I've created new SELinux user:
semanage user -a -R sysadm_r -R user_r -P user MyUser_u

I've associated a Linux user with my SELinux user:
semanage login -a -s MyUser_u MyUser

When I login with my new user I see ...

<shell>
	[MyUser@test ~]$ id -Z
	MyUser_u:user_r:user_t
	[MyUser@test ~]$ newrole -r sysadm_r -t sysadm_t
	Authenticating MyUser.
	Password:
	failed to exec shell
	: Permission denied
	[MyUser@test ~]$
</shell>
The initial role is user_r which I like. But when MyUser attempts to change to the new role (sysadm_r through use of newrole)... they cannot. 

<avc>
type=AVC msg=audit(1178544785.335:2418): avc: denied { transition } for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 scontex=MyUser_u:user_r:newrole_t:s0 tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process 
</avc>
The contexts in the avc denied message seem right: MyUser is running the newrole command and has successfully transitioned into the newrole_t domain. The problem seems to be that newrole cannot kick off a shell in the target context (MyUser_u:sysadm_r:sysadm_t).
A similar problem seems to arise when associating Linux users with user_r, staff_r and sysadm_r. The user will login with the default staff_r, will be able to newrole up to the sysadm_r role, but cannot change their role to user_r through similar means (newrole -r user_r -t user_t).
I'd assume it's a fairly standard practice to make an SELinux user with the user_r and sysadm_r roles, much like using an unprivileged Linux user and only performing admin tasks using root. I'm guessing I missed a step somewhere along the line ... would someone mind pointing out where I went wrong or what I might try to resolve this? 

Cheers,
- Philip

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux