Hi list,

when switching context with `newrole` I am getting the following error message, although the session is successfully created and works fine:

Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000 pid=2428 comm="newrole -r sysadm_r ") interface="org.freedesktop.login1.Manager" member="CreateSession"
Apr 05 14:59:25 debianserver newrole[2428]: pam_systemd(newrole:session): Failed to create session: Access denied

Is this a dbus or pam_systemd problem?

The issue is present with and without the dbus-send_policynote patch [1].

Best regards,
Christian Göttsche

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660

Verbose output without dontaudit rules active:

Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { rlimitinh } for pid=2424 comm="newrole" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { siginh } for pid=2424 comm="newrole" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2424]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=92c1a8 a1=91d108 a2=a01008 a3=59a items=2 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
Apr 05 14:59:21 debianserver audit: BPRM_FCAPS fver=2 fp=000000002020010f fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=000000002020010f new_pi=0000000000000000 new_pe=00000000202
Apr 05 14:59:21 debianserver audit: EXECVE argc=3 a0="newrole" a1="-r" a2="sysadm_r"
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0 name="/usr/bin/newrole" inode=155812 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:newrole_exec_t:s0 nametype=NORMAL cap_fp=000000002020010f cap_fe=1 cap_fver=2
Apr 05 14:59:21 debianserver audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { read } for pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257 scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:21 debianserver audit[2424]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000 items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0 name="/etc/shadow" inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:21 debianserver audit[2425]: AVC avc: denied { rlimitinh } for pid=2425 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2425]: AVC avc: denied { siginh } for pid=2425 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2425]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf2000 a2=7f90375223c0 a3=7f903941bfc0 items=2 ppid=2424 pid=2425 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:21 debianserver audit: EXECVE argc=3 a0="/sbin/unix_chkpwd" a1="debianuser" a2="nullok"
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0 name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE proctitle=2F7362696E2F756E69785F63686B7077640064656269616E75736572006E756C6C6F6B
Apr 05 14:59:25 debianserver audit[2424]: AVC avc: denied { read } for pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257 scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:25 debianserver audit[2424]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000 items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/etc/shadow" inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:25 debianserver audit[2426]: AVC avc: denied { rlimitinh } for pid=2426 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2426]: AVC avc: denied { siginh } for pid=2426 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2426]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf1fc0 a2=7f90375223c0 a3=7f903941bfc0 items=2 ppid=2424 pid=2426 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=3 a0="/sbin/unix_chkpwd" a1="debianuser" a2="nullok"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle=2F7362696E2F756E69785F63686B7077640064656269616E75736572006E756C6C6F6B
Apr 05 14:59:25 debianserver audit[2424]: USER_AUTH pid=2424 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="debianuser" exe="/usr/bin/newrole" hostname=? addr=? terminal=pts/1 res=
Apr 05 14:59:25 debianserver audit[2424]: AVC avc: denied { read } for pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257 scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:25 debianserver audit[2424]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000 items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/etc/shadow" inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:25 debianserver audit[2427]: AVC avc: denied { rlimitinh } for pid=2427 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2427]: AVC avc: denied { siginh } for pid=2427 comm="unix_chkpwd" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2427]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf1f10 a2=7f903751e388 a3=7f9037f81260 items=2 ppid=2424 pid=2427 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=3 a0="/sbin/unix_chkpwd" a1="debianuser" a2="chkexpiry"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle=2F7362696E2F756E69785F63686B7077640064656269616E757365720063686B657870697279
Apr 05 14:59:25 debianserver audit[2424]: USER_ACCT pid=2424 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="debianuser" exe="/usr/bin/newrole" hostname=? addr=? terminal=pts/1 res=succ
Apr 05 14:59:25 debianserver newrole[2428]: pam_unix(newrole:session): session opened for user debianuser by debianuser(uid=1000)
Apr 05 14:59:25 debianserver audit[2428]: USER_START pid=2428 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="debianuser" exe="/usr/bin/newrole" hostname=? addr=? terminal=pts/1 res=s
Apr 05 14:59:25 debianserver audit[2428]: USER_ROLE_CHANGE pid=2428 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 msg='newrole: old-context=staff_u:staff_r:staff_t:s0-s0:c0.c1023 new-context=staff_u:sysadm_r:sysa
Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000 pid=2428 comm="newrole -r sysadm_r ") interface="org.freedesktop.login1.Manager" member="CreateSession"
Apr 05 14:59:25 debianserver newrole[2428]: pam_systemd(newrole:session): Failed to create session: Access denied
Apr 05 14:59:25 debianserver audit[2428]: AVC avc: denied { rlimitinh } for pid=2428 comm="bash" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2428]: AVC avc: denied { siginh } for pid=2428 comm="bash" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2428]: AVC avc: denied { noatsecure } for pid=2428 comm="bash" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:25 debianserver audit[2428]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55aa5e4bca00 a1=7ffffabf2588 a2=55aa5e4ba300 a3=7f903847db01 items=2 ppid=2424 pid=2428 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=1 a0="-/bin/bash"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/bin/bash" inode=4205 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle="-/bin/bash"

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
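Added triage helper (my own example, not part of the mail above or of any SELinux or dbus tooling): it parses AVC denial lines and dbus "Rejected send message" lines of the shape quoted in the mail, sets aside the rlimitinh/siginh/noatsecure process denials that only show up because dontaudit rules were disabled, and summarises what is left (the shadow_t read and the login1 CreateSession rejection). The sample log is constructed from a few of the lines above.

```python
import re
# Constructed sample: a few lines copied in shape from the journal output quoted
# in the mail above (not the full dump).
SAMPLE_LOG = """\
Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { rlimitinh } for pid=2424 comm="newrole" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { siginh } for pid=2424 comm="newrole" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit[2424]: AVC avc: denied { read } for pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257 scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000 pid=2428 comm="newrole -r sysadm_r ") interface="org.freedesktop.login1.Manager" member="CreateSession"
Apr 05 14:59:25 debianserver audit[2428]: AVC avc: denied { noatsecure } for pid=2428 comm="bash" scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DBUS_RE = re.compile(r'dbus\[\d+\]: \[\w+\] Rejected send message.*?comm="(?P<comm>[^"]*)"'
                     r'.*?interface="(?P<iface>[^"]*)".*?member="(?P<member>[^"]*)"')
# Permissions checked when a domain transition execs a new binary; the reference
# policy dontaudits them, so they only surface once dontaudit rules are disabled.
INHERIT_PERMS = {"rlimitinh", "siginh", "noatsecure"}

def parse_line(line):
    """Describe an AVC denial or a dbus rejection as a dict; other lines give None."""
    m = AVC_RE.search(line)
    if m:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        return {"kind": "avc", "perms": set(m.group("perms").split()), "comm": kv.get("comm"),
                "tclass": kv.get("tclass"), "source": kv["scontext"].split(":")[2],
                "target": kv["tcontext"].split(":")[2]}  # user:role:type[:range] -> type
    m = DBUS_RE.search(line)
    if m:
        return {"kind": "dbus", "comm": m.group("comm").strip(),
                "method": m.group("iface") + "." + m.group("member")}
    return None

def triage(log):
    """Split events into expected dontaudit noise and entries worth a closer look."""
    noise, review = [], []
    for ev in filter(None, map(parse_line, log.splitlines())):
        inherit = ev["kind"] == "avc" and ev["tclass"] == "process" and ev["perms"] <= INHERIT_PERMS
        (noise if inherit else review).append(ev)
    return noise, review

def describe(ev):
    """One-line summary, e.g. 'avc newrole: newrole_t -> shadow_t file {read}'."""
    if ev["kind"] == "avc":
        return "avc %s: %s -> %s %s {%s}" % (ev["comm"], ev["source"], ev["target"],
                                             ev["tclass"], " ".join(sorted(ev["perms"])))
    return "dbus %s: call to %s rejected by bus policy" % (ev["comm"], ev["method"])

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("%d expected dontaudit denials skipped" % len(noise), *map(describe, review), sep="\n")
```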