On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote:
> Ok, I thought this was a known issue but I can't seem to find it
> mentioned anywhere. I have a F9 system that "su" and "sudo" don't
> work on. I noticed that my context was user_u rather than
> unconfined_u:

They shouldn't work from user_u, as that user identity/role isn't
supposed to be able to use them (unprivileged user).

>
> Login on the console as cra:
>
> [cra@system 20:25:34 /home/cra]>id
> uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
> [cra@system 20:25:36 /home/cra]>su
> /bin/su: Permission denied.
> [cra@system 20:25:37 /home/cra]>sudo
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>
> So I tried to go in as root and fix the context like this:
>
> Login on the console as root:
>
> [root@system ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 22
> Policy from config file:        targeted
>
> [root@system ~]# setenforce 0
> [root@system ~]# semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              s0
> root                      root                      s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023

semanage user -l shows what?

>
> [root@system ~]# semanage login -m -s unconfined_u root
> libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
> libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not modify login mapping for root
>
> [root@system ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy version:                 22
> Policy from config file:        targeted
>
> [root@system ~]# setenforce 1
> [root@system ~]# exit
>
> But it didn't work as you can see. I'm running these versions:
>
> kernel-2.6.25.4-30.fc9.x86_64
> selinux-policy-targeted-3.3.1-64.fc9.noarch
>
> Can someone please help?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
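Added example, not part of the original messages: a shell helper that cross-checks the two listings mentioned in the thread (`semanage login -l` and `semanage user -l`) and reports login mappings that name an SELinux user the policy does not define, which is the condition libsemanage reports in the error quoted above. The function names, the sample listings, and the column layout of the user listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample listings below are constructed.

# Print "login -> seuser" for each mapping in $1 (`semanage login -l` output)
# whose SELinux user is absent from $2 (`semanage user -l` output).
# Returns 1 if any such mapping is found, 0 otherwise.
undefined_seusers() {
    awk '
        FILENAME == ARGV[1] {              # user listing is read first
            if ($1 == "SELinux" && $2 == "User") { in_users = 1; next }
            if (in_users && NF > 0) defined[$1] = 1
            next
        }
        $1 == "Login" && $2 == "Name" { in_logins = 1; next }
        in_logins && NF >= 2 && !($2 in defined) {
            print $1 " -> " $2; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$2" "$1"
}

sample_logins() {   # constructed, modelled on the listing quoted above
    cat <<'EOF'

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

sample_users() {    # constructed; assumes a policy without unconfined_u
    cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles

root            user       s0         s0-s0:c0.c1023       system_r sysadm_r staff_r
system_u        user       s0         s0-s0:c0.c1023       system_r
user_u          user       s0         s0                   user_r
EOF
}

demo() {
    tmp=$(mktemp -d) || return 2
    sample_logins > "$tmp/logins"; sample_users > "$tmp/users"
    undefined_seusers "$tmp/logins" "$tmp/users"; rc=$?
    rm -rf "$tmp"; return "$rc"
}
demo || echo "login mapping refers to an undefined SELinux user"
```

On a live system, save the output of the two `semanage` commands to files as root and pass them to `undefined_seusers` in the order login listing, user listing.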