Loulwa Salem wrote:
> Hi all,
> I am seeing a strange behavior on my system. I am running with the
> latest and greatest kernel (.69) and packages freshly installed today
> from Steve's repo on a ppc system in Enforcing mode of course.
> Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
> 
> Steps to reproduce the problem:
> - ssh into system with your admin user as sysadm role
>     ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> - switch to root
>     /bin/su -
> - execute any netlabel command
>     netlabelctl cipsov4 add pass doi:1 tags:1
> 
> I am able to log in fine, and I expect the netlabel command to pass;
> however, I get a permission denied. I am pasting at the bottom the
> relevant records I see in the audit log (nothing shows up in
> /var/log/messages or secure). Any ideas?
> Joy and Kylie tried this and both saw the same behavior. Keep in mind
> this used to work just fine before.

When was it last known to work?

> What I find strange is the context it complains about has the role
> system_r and not sysadm_r. Even in the records created by the ssh
> authentication, I see the system_r, I'm not sure how that role is
> finding its way in there. The "id" command however shows the correct
> sysadm_r.
> I'm not quite sure what package is the suspect.
> 
> I think this is a bug; if everyone agrees I'll open a bugzilla for it.

I think there's something funky with our ealuser_u definition or the
policy.  You're not getting an AVC deny, you're getting an error that
the security context isn't valid.  What do 'semanage user -l' and
'semanage login -l' show?

Can you try the same thing from an account that is associated with
staff_u?

-- ljk
> 
> Thanks,
> - Loulwa
> 
> Sample steps output:
> [root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023
> localhost
> Password:
> Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
> [ealuser/sysadm_r/SystemLow ~]$ /bin/su -
> Password:
> [root/sysadm_r/SystemLow ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
> -bash: /sbin/netlabelctl: Permission denied
> 
> 
> ---- ssh records (records I see when I ssh into system):
> type=USER_AUTH msg=audit(1174412538.822:755): user pid=3051 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> authentication acct=ealuser : exe="/usr/sbin/sshd"
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> type=USER_ACCT msg=audit(1174412538.864:756): user pid=3051 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> accounting acct=ealuser : exe="/usr/sbin/sshd"
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> type=AVC msg=audit(1174412539.043:757): avc:  granted  { setexec } for 
> pid=3047 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> 
> ---- netlabel related records (the only 2 records I see when I get perm
> denied)
> type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: 
> invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for
> scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11
> success=no exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0
> ppid=3090 pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
> subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> 
> -- 
> redhat-lspp mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/redhat-lspp

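As an added example (not code from the thread), the following parses the SELINUX_ERR record quoted above and checks the computed context against a user-to-roles map in the shape `semanage user -l` prints; the roles assigned to ealuser_u and staff_u here are assumed, not taken from the poster's system.

```python
import re

# Constructed sample: the SELINUX_ERR record from the thread, re-joined onto a
# single line the way auditd writes it (the mail client wrapped it).
SAMPLE_RECORD = (
    "type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: "
    "invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for "
    "scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process"
)

# Assumed SELinux user -> authorized roles map (what 'semanage user -l' would
# show). ealuser_u deliberately lacks system_r to mirror the reported failure.
AUTHORIZED_ROLES = {
    "ealuser_u": {"sysadm_r", "staff_r"},
    "staff_u": {"staff_r", "sysadm_r", "system_r"},
    "system_u": {"system_r"},
}

CTX_RE = re.compile(
    r"invalid context (?P<new>\S+) for scontext=(?P<src>\S+) "
    r"tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)


def split_context(ctx):
    """Split user:role:type:mls; maxsplit keeps 's0-s15:c0.c1023' intact."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "mls": mls}


def diagnose(record, authorized=AUTHORIZED_ROLES):
    """Explain why security_compute_sid rejected the computed context."""
    m = CTX_RE.search(record)
    if not m:
        return None
    new, src = split_context(m["new"]), split_context(m["src"])
    # Fields the transition changed relative to the calling process context.
    changed = [f for f in ("user", "role", "type", "mls") if new[f] != src[f]]
    return {
        "target_type": split_context(m["tgt"])["type"],
        "changed_fields": changed,
        "new_role": new["role"],
        # The context is invalid when the user is not authorized for the role
        # the transition selected; an AVC denial would look different.
        "role_authorized": new["role"] in authorized.get(new["user"], set()),
    }
```

Re-running `diagnose` with the same record but a map that grants ealuser_u system_r reports the role as authorized, which is the distinction ljk's `semanage user -l` question is getting at.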