On Thu, 2007-12-27 at 14:39 -0700, Peter A. Bigot wrote:
> This patch, or something like it, seems to be necessary to allow run_init to
> execute in the sysadm_r role on a Fedora 8 system. Without it I see:
>
> type=SYSCALL msg=audit(12/27/2007 13:33:40.332:93) : arch=i386 syscall=execve success=yes exit=0 a0=2e3a18 a1=bfd2c31c a2=2e5408 a3=400 items=0 ppid=2123 pid=2126 auid=pab uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=unix_update exe=/sbin/unix_update subj=staff_u:sysadm_r:run_init_t:s0-s15:c0.c255 key=(null)
> type=AVC msg=audit(12/27/2007 13:33:40.332:93) : avc: denied { execute_no_trans } for pid=2126 comm=run_init path=/sbin/unix_update dev=sda2 ino=589945 scontext=staff_u:sysadm_r:run_init_t:s0-s15:c0.c255 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
> type=AVC msg=audit(12/27/2007 13:33:40.332:93) : avc: denied { read } for pid=2126 comm=run_init name=unix_update dev=sda2 ino=589945 scontext=staff_u:sysadm_r:run_init_t:s0-s15:c0.c255 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
> type=AVC msg=audit(12/27/2007 13:33:40.332:93) : avc: denied { execute } for pid=2126 comm=run_init name=unix_update dev=sda2 ino=589945 scontext=staff_u:sysadm_r:run_init_t:s0-s15:c0.c255 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

I added only the domtrans as your messages don't indicate the additional access from run is required.

> Index: policy/modules/system/selinuxutil.te
> ===================================================================
> --- policy/modules/system/selinuxutil.te (revision 2565)
> +++ policy/modules/system/selinuxutil.te (working copy)
> @@ -388,6 +388,13 @@
>  seutil_libselinux_linked(run_init_t)
>  seutil_read_default_contexts(run_init_t)
>
> +ifdef(`distro_redhat',`
> +	gen_require(`
> +		attribute admin_terminal;
> +	')
> +	auth_run_upd_passwd(run_init_t, sysadm_r, admin_terminal);
> +')
> +
>  ifndef(`direct_sysadm_daemon',`
>  	ifdef(`distro_gentoo',`
>  		# Gentoo integrated run_init:

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
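Review bot: the `auth_run_upd_passwd(run_init_t, sysadm_r, admin_terminal)` call in the added `ifdef(`distro_redhat',`...')` block grants more than the reported denials justify. All three AVCs are `file` class denials (`execute`, `read`, `execute_no_trans`) from `run_init_t` against `updpwd_exec_t`, and the `execute_no_trans` denial means an exec happened with no domain transition defined; a domain transition from `run_init_t` into the upd_passwd domain is what fixes that, which is the `domtrans` the maintainer says he applied instead. The `run` interface additionally sets up the role transition for `sysadm_r` and terminal access for `admin_terminal`, neither of which appears in the denials. Dropping to the domtrans interface also removes the `gen_require(` attribute admin_terminal; ')` in the .te file, which should not need to pull in attributes directly when the interface supplies them, and avoids hard-coding `sysadm_r` for a domain other roles may reach. If the `distro_redhat` guard is kept, a one-line comment stating why this is Fedora-specific (the report only says "on a Fedora 8 system") would help the next reader.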