transition to sysadm_u fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

On my CentOS6 test box I'm facing a strange problem.
I'd like to have an uid!=0 user which is mapped to the selinux
sysadm_u user.

To achieve this I did "semanage login -a -s sysadm_u setest".
But "runcon -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed.

The transition got blocked for the following reason:
type=AVC msg=audit(1357223866.943:29): avc:  denied  { transition }
for  pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process

Using audit2allow I've created an allow rule to allow the transition.
---cut---
[root@selinuxbox ~]# cat sysadm.te

module sysadm 1.0;

require {
        type unconfined_t;
        type sysadm_t;
        class process transition;
}

#============= unconfined_t ==============
allow unconfined_t sysadm_t:process transition;
---cut---

I've loaded the new rule using "semodule -i sysadm.pp".

---cut---
[root@selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t"
   allow unconfined_t sysadm_t : process { transition sigchld } ;
---cut---

As you can observe a transition from unconfined_t to sysadm_t is now allowed.
But runcon still fails and audit logs the same deny message.
Also audit2allow created exactly the same allow rule again.

What is preventing runcon to work?

-- 
Thanks,
//richard
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux