Hi all,
I am seeing a strange behavior on my system. I am running with the latest and
greatest kernel (.69) and packages freshly installed today from Steve's repo on
a ppc system in Enforcing mode of course.
Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
Steps to reproduce the problem:
- ssh into system with your admin user as sysadm role
ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
- switch to root
/bin/su -
- execute any netlabel command
netlabelctl cipsov4 add pass doi:1 tags:1
I am able to log in fine, and I expect the netlabel command to pass, however I
get a permission denied. I am pasting at the bottom the relevant records I see
in the audit log (nothing shows up in /var/log/messages or secure). Any ideas?
Joy and Kylie tried this and both saw the same behavior. Keep in mind this used
to work just fine before.
What I find strange is the context it complains about has the role system_r and
not sysadm_r. Even in the records created by the ssh authentication, I see the
system_r, I'm not sure how that role is finding its way in there. The "id"
command however shows the correct sysadm_r.
I'm not quite sure what package is the suspect.
I think this is a bug; if everyone agrees I'll open a bugzilla for it.
Thanks,
- Loulwa
Sample steps output:
[root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
Password:
Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
[ealuser/sysadm_r/SystemLow ~]$ /bin/su -
Password:
[root/sysadm_r/SystemLow ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
-bash: /sbin/netlabelctl: Permission denied
---- ssh records (records I see when I ssh into system):
type=USER_AUTH msg=audit(1174412538.822:755): user pid=3051 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
authentication acct=ealuser : exe="/usr/sbin/sshd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1174412538.864:756): user pid=3051 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=AVC msg=audit(1174412539.043:757): avc: granted { setexec } for pid=3047
comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
---- netlabel related records (the only 2 records I see when I get perm denied)
type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: invalid
context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for
scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no
exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
key=(null)
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
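A small diagnostic, added here as an example and not part of the original post, that parses the SELINUX_ERR record from the message and shows which context fields the exec transition changed: the role flips from sysadm_r to system_r, and security_compute_sid rejects the result when that role is not authorised for the SELinux user ealuser_u. The user-to-role table is a constructed assumption standing in for the loaded policy (what `semanage user -l` would show).

```python
import re

# Constructed sample: the SELINUX_ERR record quoted in the post, joined onto one line.
SELINUX_ERR = ('type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: '
               'invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for '
               'scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 '
               'tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process')

# Hypothetical SELinux user -> authorised roles map (assumption, not taken from the
# post; on a real system this comes from the loaded policy / `semanage user -l`).
USER_ROLES = {"ealuser_u": {"sysadm_r", "staff_r"}, "system_u": {"system_r"}}

FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':'."""
    return dict(zip(FIELDS, ctx.split(":", 3)))


def parse_selinux_err(record):
    """Extract the rejected context, source, target and class from a SELINUX_ERR record."""
    m = re.search(r"invalid context (\S+) for scontext=(\S+) tcontext=(\S+) tclass=(\S+)",
                  record)
    if not m:
        return None
    computed, sctx, tctx, tclass = m.groups()
    return {"computed": split_context(computed), "scontext": split_context(sctx),
            "tcontext": split_context(tctx), "tclass": tclass}


def diagnose(record, user_roles=USER_ROLES):
    """Report which fields the transition changed and whether the new role is
    authorised for the (unchanged) SELinux user; an unauthorised role is exactly
    what makes the computed context invalid and the exec fail with EACCES."""
    info = parse_selinux_err(record)
    if info is None:
        return None
    src, new = info["scontext"], info["computed"]
    changed = [f for f in FIELDS if src[f] != new[f]]
    role_ok = new["role"] in user_roles.get(new["user"], set())
    return {"changed": changed, "user": new["user"], "new_role": new["role"],
            "new_type": new["type"], "role_authorized_for_user": role_ok}


if __name__ == "__main__":
    print(diagnose(SELINUX_ERR))
```

A result with `role_authorized_for_user` False points at the role_transition into system_r (or the user's role set), not at the netlabel_mgmt_t domain itself.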