Re: F9: su and sudo don't work as user

On Fri, 2008-06-13 at 10:09 -0400, Chuck Anderson wrote:
> On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
> > They shouldn't work from user_u, as that user identity/role isn't
> > supposed to be able to use them (unprivileged user).
> 
> Right, I was trying to fix that, and apparently failed.
> 
> > > [root@system ~]# semanage login -l
> > > 
> > > Login Name                SELinux User              MLS/MCS Range            
> > > 
> > > __default__               unconfined_u              s0                       
> > > root                      root                      s0-s0:c0.c1023           
> > > system_u                  system_u                  s0-s0:c0.c1023           
> > 
> > semanage user -l shows what?
> 
> I didn't know there was a "user" in addition to "login":
> 
> # semanage user -l
> 
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> root            unconfined s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
> staff_u         staff      s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
> sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> user_u          user       s0         s0                             user_r
> 
> Now it seems obvious--I'm missing the unconfined_u user.
> 
> Comparing this to a working F9 system:
> 
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         guest      s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
> staff_u         user       s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
> user_u          user       s0         s0                             user_r
> xguest_u        xguest     s0         s0                             xguest_r
> 
> How do I fix this?

Looks like the same problem reported by Kayvan (Weird SELinux problem
after upgrade to F9).

semanage user -a -P user -R "unconfined_r system_r" -rs0-s0:c0.c1023 unconfined_u

semanage user acts on SELinux users, i.e. users defined in the kernel
policy, which these days are used as "authorized role sets" rather than
individual users.  semanage login acts on Linux users, who are then
mapped to SELinux users in policy.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
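As an added example (editorial, not part of the thread and not code from the semanage tool), the POSIX shell script below performs the cross-check that would have exposed the problem above: every SELinux user named in `semanage login -l` must exist in `semanage user -l`, otherwise logins mapped to it cannot be labeled. It also builds a `semanage user -a` command for a missing user from a reference listing, following the flag layout of the command in the reply, with prefix, roles and range taken from the reference system. The listings embedded are constructed copies of the output quoted above; `orphaned_logins` and `add_user_command` are hypothetical helper names, and on a live system the listings would be replaced by the real command output.

```shell
#!/bin/sh
# Added example: cross-check Linux-login -> SELinux-user mappings against the
# SELinux users defined in policy. Listings below are constructed copies of the
# thread's output, not live command output.

# Constructed copy of `semanage login -l` from the broken F9 system.
LOGIN_LIST='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed copy of `semanage user -l` from the same system (unconfined_u is missing).
USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            unconfined s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0                             user_r'

# Constructed copy of `semanage user -l` from the working F9 system (reference).
REFERENCE_USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         guest      s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        xguest     s0         s0                             xguest_r'

# Print "login -> selinux_user" for each login mapping whose SELinux user has
# no row in the SELinux user listing.  $1 = `semanage login -l` output,
# $2 = `semanage user -l` output.  Both listings carry header lines (one and
# two respectively) followed by a blank line; data rows start at column 1.
orphaned_logins() {
    known=$(printf '%s\n' "$2" | awk 'NR > 2 && NF > 0 { print $1 }')
    printf '%s\n' "$1" | awk -v known="$known" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        NR > 1 && NF >= 2 && !($2 in seen) { print $1 " -> " $2 }'
}

# Emit a `semanage user -a` command recreating SELinux user $2 with the
# prefix, range and roles its row has in reference listing $1.  Prints nothing
# if the user is absent from the reference listing.
add_user_command() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR > 2 && $1 == name {
            roles = $5
            for (i = 6; i <= NF; i++) roles = roles " " $i
            printf "semanage user -a -P %s -R \"%s\" -r%s %s\n", $2, roles, $4, $1
        }'
}

# Run the check against the constructed listings; prints the orphaned mapping
# and the command that would recreate the missing SELinux user.
orphaned_logins "$LOGIN_LIST" "$USER_LIST"
add_user_command "$REFERENCE_USER_LIST" unconfined_u
```

On a real system, feed the functions `"$(semanage login -l)"` and `"$(semanage user -l)"` instead of the embedded strings. The check is deliberately one-directional: a SELinux user with no login mapping is harmless, but a login mapping to an undefined SELinux user means the kernel policy has no user to assign at login, which is what broke su and sudo here.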
