Probably something I don't have tweaked just right, but a while ago when
I tried to sudo it failed. I built this system at least 6 months ago
and followed the procedures that were posted at that time, but then
wasn't able to work towards putting SELinux in enforcing mode until this
past week.
sudo: unable to get default type for role sysadm_r
sudo: unable to execute /bin/bash: Invalid argument
I tried again after running newrole to switch to sysadm_r, but got the
same result.
The denials in the logs were:
Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; USER=root ; COMMAND=/bin/bash
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened for user root by stan(uid=0)
Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file
Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed for user root
find / -inum 6717702
/etc/selinux/strict/contexts/default_type
I checked and indeed none of the sudo types have permissions for that
file and I don't see any booleans to change it either, so what am I missing?
sesearch -t default_context_t -c file -ACd
Found 19 semantic av rules:
allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open } ;
allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
allow udev_t default_context_t : file { ioctl read getattr lock open } ;
allow crond_t default_context_t : file { ioctl read getattr lock open } ;
allow user_t default_context_t : file { ioctl read getattr lock open } ;
--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
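A worked example, added here and not part of Stan's post or of the reference policy: a small POSIX shell script that takes the AVC denial quoted above (embedded below as constructed input, copied from the post), pulls out the source type, target type, object class and denied permission, and emits the source of a minimal local policy module that grants exactly that access. The module name local_sudo, the helper names, and the decision that a local grant is the right fix are my assumptions; the post itself only asks the question. The sesearch check assumes setools is installed and is skipped when it is not.

```shell
#!/bin/sh
# Added example: turn one AVC denial into a minimal local policy module.
# Constructed input: the kernel audit line from the post, on one line.
AVC='Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file'

# Type field of a context user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of KEY=value in an AVC line (KEY preceded by whitespace, so
# "scontext" never matches inside "tcontext")
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Permissions listed between "denied {" and "}", whitespace-normalised
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Emit checkmodule-style .te source granting only the denied access.
# Usage: avc_to_te "$avc_line" module_name
avc_to_te() {
    line=$1
    modname=$2
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$modname" "$sdom" "$ttype" "$cls" "$perms" "$sdom" "$ttype" "$cls" "$perms"
}

# Confirm the loaded policy really lacks the rule before adding it.
# Returns 0 if an allow rule exists, 1 if not, 2 if sesearch is unavailable.
# Usage: rule_exists source_type target_type class perm
rule_exists() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null | grep -q '^allow '
}

# Stand-alone run: report the check result, then print the module source.
rule_exists staff_sudo_t default_context_t file read
case $? in
    0) echo "# policy already allows staff_sudo_t read on default_context_t" ;;
    1) echo "# rule missing from loaded policy, module source follows" ;;
    *) echo "# sesearch not available, skipping policy check" ;;
esac
avc_to_te "$AVC" local_sudo
```

To load the generated source on a system with the policy development tools, the usual sequence is checkmodule -M -m -o local_sudo.mod local_sudo.te, then semodule_package -o local_sudo.pp -m local_sudo.mod, then semodule -i local_sudo.pp. Two caveats: the audit log only records the first permission refused, so after the read grant a further denial for open or getattr may appear and the module will need the same { ioctl read getattr lock open } set the sesearch output above shows for staff_t and newrole_t; and this mechanical translation is appropriate here only because staff_sudo_t is already on the trusted path and default_type is world-readable configuration, not a general recipe for silencing denials.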