SELinux "staff_u" not allowed to access certain commands such as "semanage user" and "semanage login" when running sudo

Hello,

It's been about a year since I played with SELinux. I recently created a new SELinux login and mapped it to the "staff_u" SELinux user. Everything seemed to work normally until I tried running the semanage commands and it denied me access. So for instance I would run "sudo semanage user -l", and I even added the staff role and type to allow it to use sudo, but it still ended up not letting me access it. I'm almost certain it never gave me this kind of problem when I ran SELinux a year ago.

I ran an ausearch and it gave me a bunch of stuff, so I figured I'd ask here to see if anyone knows what's up with it, or whether I should even allow these rules. Let me know what you think.


# audit2allow -R output as posted, wrapped so it builds as a module:
# the policy_module line (module name chosen here, not from the log) is what
# `make -f /usr/share/selinux/devel/Makefile` needs before `semodule -i`.
policy_module(staff_sudo_local, 1.0)

require {
	type bin_t;
	type newrole_t;
	type staff_t;
	type staff_sudo_t;
	type sysadm_sudo_t;
	class lnk_file relabelfrom;
	class dir search;
	class file { open read };
}

#============= newrole_t ==============
fs_getattr_cgroup(newrole_t)

#============= staff_sudo_t ==============
allow staff_sudo_t bin_t:lnk_file relabelfrom;
dev_relabel_sysfs_dirs(staff_sudo_t)
files_list_lost_found(staff_sudo_t)
files_list_var(staff_sudo_t)
files_relabelfrom_boot_files(staff_sudo_t)
fs_read_configfs_dirs(staff_sudo_t)
init_read_state(staff_sudo_t)

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t staff_t:dir search;
allow sysadm_sudo_t staff_t:file { open read };
abrt_stream_connect(sysadm_sudo_t)
cups_read_rw_config(sysadm_sudo_t)
files_list_lost_found(sysadm_sudo_t)
files_list_var(sysadm_sudo_t)
fs_read_configfs_dirs(sysadm_sudo_t)
init_read_state(sysadm_sudo_t)
seutil_get_semanage_read_lock(sysadm_sudo_t)
seutil_manage_module_store(sysadm_sudo_t)
seutil_read_module_store(sysadm_sudo_t)

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
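One way to triage ausearch output like the above before loading any of it, as an added example (my own code, not the poster's and not audit2allow itself): parse the AVC records, merge them into one allow rule per source/target/class the way audit2allow does, flag the rules that grant relabel or write permissions, and report which domain each denied command was actually running in. It works on any `ausearch -m avc` output, not only this case; the sample records embedded below are constructed to mirror the posted rules, not copied from the poster's log, and the RISKY_PERMS set is my own heuristic.

```python
"""Triage AVC denials before handing them to audit2allow: group by source
domain, render the minimal allow rules, and flag rules that should not be
granted only because they were logged. Added example, not the poster's code
and not audit2allow itself."""
import re
from collections import defaultdict

# Constructed sample records (not copied from the post's log). The layout is
# the one `ausearch -m avc` prints; the contexts mirror the rules in the post.
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { search } for  pid=2211 comm="semanage" name="2210" dev="proc" ino=4026532 scontext=staff_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13 comm="semanage"
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read open } for  pid=2211 comm="semanage" name="status" dev="proc" ino=4026533 scontext=staff_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { read } for  pid=2211 comm="semanage" name="modules" dev="dm-0" ino=131 scontext=staff_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:304): avc:  denied  { relabelfrom } for  pid=2250 comm="semanage" name="sh" dev="dm-0" ino=22 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
"""

# Heuristic (my choice, not something the post states): permissions that
# change labels or content are never granted just because a tool tried them.
RISKY_PERMS = {"relabelfrom", "relabelto", "write", "create", "unlink",
               "setattr", "execute", "execmod"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms, command, source/target types and object class for one
    AVC record, or None for non-AVC records (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    stype = fields["scontext"].split(":")[2]   # user:role:type:range -> type
    ttype = fields["tcontext"].split(":")[2]
    return {"perms": set(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "stype": stype, "ttype": ttype, "tclass": fields["tclass"]}


def _merge(lines):
    """Union the permissions of every denial with the same (source, target,
    class), which is the grouping audit2allow performs."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return merged


def _render(stype, ttype, tclass, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def derive_rules(lines):
    """Minimal allow rules covering the denials, in a stable order."""
    return [_render(*key, perms) for key, perms in sorted(_merge(lines).items())]


def flag_risky(lines):
    """The subset of derived rules that must be reviewed by hand."""
    return [_render(*key, perms) for key, perms in sorted(_merge(lines).items())
            if perms & RISKY_PERMS]


def domains_by_command(lines):
    """Which source domains each denied command ran in. A sudo'd command that
    shows up in staff_sudo_t or sysadm_sudo_t never transitioned out of the
    sudo domain."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            seen[rec["comm"]].add(rec["stype"])
    return {comm: sorted(types) for comm, types in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_AVC.splitlines()
    print("\n".join(derive_rules(lines)))
    print("review by hand:", flag_risky(lines))
    print("domains:", domains_by_command(lines))
```

Pipe real output in with `ausearch -m avc -ts recent | python3 triage.py` after replacing SAMPLE_AVC with sys.stdin. The domain report is the part worth checking first: if comm="semanage" appears with a staff_sudo_t or sysadm_sudo_t source type, the command was still executing inside sudo's own domain, which is why it hits the module store and /proc entries it has no rules for. The documented way for a staff_u login to reach sysadm_t, where semanage is meant to run, is `sudo -r sysadm_r -t sysadm_t <command>` (or ROLE=sysadm_r TYPE=sysadm_t in sudoers), which is a smaller change than granting seutil_manage_module_store to the sudo domain.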