Mailing List Archive

SELinux denying sudo
Probably something I don't have tweaked just right, but a while ago when
I tried to sudo it failed. I built this system at least 6 months ago
and followed the procedures that were posted at that time, but then
wasn't able to work towards putting SELinux in enforcing mode until this
past week.

sudo: unable to get default type for role sysadm_r
sudo: unable to execute /bin/bash: Invalid argument

I tried again after running newrole to switch to sysadm_r, but got the
same result.

The denials in the logs were:

Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; USER=root ; COMMAND=/bin/bash
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened for user root by stan(uid=0)
Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed for user root

find / -inum 6717702
/etc/selinux/strict/contexts/default_type

I checked and indeed none of the sudo types have permissions for that
file and I don't see any booleans to change it either, so what am I missing?

sesearch -t default_context_t -c file -ACd
Found 19 semantic av rules:
allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open } ;
allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
allow udev_t default_context_t : file { ioctl read getattr lock open } ;
allow crond_t default_context_t : file { ioctl read getattr lock open } ;
allow user_t default_context_t : file { ioctl read getattr lock open } ;

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
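An added example, not code from the thread or from the Gentoo SELinux project: it parses the AVC denial and the sesearch output quoted above (re-typed here as constructed sample input, one rule per line) and reports whether any allow rule covers the denied access for the source type, and which domains are allowed instead. This is the triage a reader does by eye in the post, made mechanical so it can be run over other denials.

```python
import re

# Constructed sample: the AVC denial from the post, joined onto one line.
AVC_LINE = (
    'Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): '
    'avc: denied { read } for pid=20130 comm="sudo" name="default_type" '
    'dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t '
    'tcontext=system_u:object_r:default_context_t tclass=file'
)

# Constructed sample: a subset of the 19 rules sesearch printed in the post.
SESEARCH_OUTPUT = """Found 19 semantic av rules:
allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open } ;
allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(
    r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+?)\s*\}')


def parse_avc(line):
    """Extract the denied permissions and the source/target types from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    return {'perms': set(m['perms'].split()),
            'stype': m['scontext'].split(':')[2],
            'ttype': m['tcontext'].split(':')[2],
            'tclass': m['tclass']}


def parse_rules(text):
    """Turn sesearch 'allow' lines into (source, target, class, permissions) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m['src'], m['tgt'], m['cls'], set(m['perms'].split())))
    return rules


def missing_permissions(avc, rules):
    """Denied permissions that no allow rule grants the source type on that target/class."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (avc['stype'], avc['ttype'], avc['tclass']):
            granted |= perms
    return avc['perms'] - granted


def domains_allowed(avc, rules):
    """Source types that do hold every denied permission on the same target/class."""
    return sorted({src for src, tgt, cls, perms in rules
                   if (tgt, cls) == (avc['ttype'], avc['tclass']) and avc['perms'] <= perms})
```

For the post's denial this reports that `read` is missing for `staff_sudo_t` while `newrole_t`, `semanage_t`, `staff_t` and `sysadm_t` hold it, which is exactly the gap the original poster found by hand.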
Re: SELinux denying sudo

On 26.10.2012 17:45, Stan Sander wrote:
> Probably something I don't have tweaked just right, but a while ago
> when I tried to sudo it failed. I built this system at least 6
> months ago and followed the procedures that were posted at that
> time, but then wasn't able to work towards putting SELinux in
> enforcing mode until this past week.
>
> sudo: unable to get default type for role sysadm_r
> sudo: unable to execute /bin/bash: Invalid argument
>
> I tried again after running newrole to switch to sysadm_r, but got
> the same result.
>
> The denials in the logs were:
<SNIP>

First question: did you install selinux-sudo and relabel everything
afterwards?

WKR
Hinnerk

Re: SELinux denying sudo
On 10/26/2012 09:49 AM, Hinnerk van Bruinehsen wrote:
>
> First question: did you install selinux-sudo and relabel everything
> afterwards?
>
> WKR
> Hinnerk
>

Yes. Everything seems up to date in that regard. This is a stable x86
profile.

#qlist -Iv selinux-sudo
sec-policy/selinux-sudo-2.20120725-r5



--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
Re: SELinux denying sudo
On 10/26/2012 10:45 AM, Stan Sander wrote:
> Probably something I don't have tweaked just right, but a while ago when
> I tried to sudo it failed. I built this system at least 6 months ago
> and followed the procedures that were posted at that time, but then
> wasn't able to work towards putting SELinux in enforcing mode until this
> past week.
>
> sudo: unable to get default type for role sysadm_r
> sudo: unable to execute /bin/bash: Invalid argument
>
> I tried again after running newrole to switch to sysadm_r, but got the
> same result.
>
> The denials in the logs were:
>
> Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; USER=root ; COMMAND=/bin/bash
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened for user root by stan(uid=0)
> Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed for user root
>
> find / -inum 6717702
> /etc/selinux/strict/contexts/default_type
>
> I checked and indeed none of the sudo types have permissions for that
> file and I don't see any booleans to change it either, so what am I missing?
>
> sesearch -t default_context_t -c file -ACd
> Found 19 semantic av rules:
> allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
> allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
> allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
> allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
> allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
> allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
> allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
> allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow staff_t default_context_t : file { ioctl read getattr lock open } ;
> allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
> allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
> allow udev_t default_context_t : file { ioctl read getattr lock open } ;
> allow crond_t default_context_t : file { ioctl read getattr lock open } ;
> allow user_t default_context_t : file { ioctl read getattr lock open } ;
>

Can you give us the command you were trying to run (for instance 'sudo
-r sysadm_r -t sysadm_t repoman manifest')?

Also, run 'rlpkg -a -r' just in case (I know you said you did it, but do it
again anyway :D).

--
-- Matthew Thode (prometheanfire)
Re: SELinux denying sudo
On 10/26/2012 12:28 PM, Matthew Thode wrote:
>
> Can you give us the command you were trying to run (for instance 'sudo
> -r sysadm_r -t sysadm_t repoman manifest')?
>
> Also, run 'rlpkg -a -r' just in case (I know you said you did it, but do it
> again anyway :D).
>

I have done it again. I was trying to run sudo -s.


--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
Re: SELinux denying sudo
On Oct 26, 2012 8:49 PM, "Stan Sander" <stsander@sblan.net> wrote:
> I have done it again. I was trying to run sudo -s.

If it is a shell that you are trying to get, I always just use "sudo bash".
Perhaps it also works if you provide the target role and type with -s or -i.
Re: SELinux denying sudo
On 10/30/2012 01:00 AM, Sven Vermeulen wrote:
>
> On Oct 26, 2012 8:49 PM, "Stan Sander" <stsander@sblan.net> wrote:
> > I have done it again. I was trying to run sudo -s.
>
> If it is a shell that you are trying to get, I always just use "sudo
> bash". Perhaps it also works if you provide the target role and type
> with -s or -i.
>
sudo bash did not work. Providing the type with the -s did work.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org