On Tue, 2007-03-20 at 18:58 -0500, Linda Knippers wrote:
> Loulwa Salem wrote:
> > Hi all,
> > I am seeing a strange behavior on my system. I am running with the
> > latest and greatest kernel (.69) and packages freshly installed today
> > from Steve's repo on a ppc system in Enforcing mode of course.
> > Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
> >
> > Steps to reproduce the problem:
> > - ssh into system with your admin user as sysadm role
> > ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> > - switch to root
> > /bin/su -
> > - execute any netlabel command
> > netlabelctl cipsov4 add pass doi:1 tags:1
> >
> > I am able to log in fine, and I expect the netlabel command to pass
> > however I get a permission denied. I am pasting at the bottom the
> > relevant records I see in the audit log (nothing shows up in
> > /var/log/messages or secure). Any ideas?
> > Joy and Kylie tried this and both saw the same behavior. Keep in mind
> > this used to work just fine before.
>
> When was it last known to work?
>
> > What I find strange is the context it complains about has the role
> > system_r and not sysadm_r. Even in the records created by the ssh
> > authentication, I see the system_r, I'm not sure how that role is
> > finding its way in there. The "id" command however shows the correct
> > sysadm_r.
> > I'm not quite sure what package is the suspect.
> >
> > I think this is a bug, if everyone agrees I'll open a bugzilla for it
>
> I think there's something funky with our ealuser_u definition or the
> policy. You're not getting an AVC deny, you're getting an error that
> the security context isn't valid. What do 'semanage user -l' and
> 'semanage login -l' show?
>
> Can you try the same thing from an account that is associated with
> staff_u?
>
There isn't a special ealuser_u that I know of:
[root/abat_r/[EMAIL PROTECTED] framework]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh   abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh   system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh   sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh   sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh   system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh   user_r
user_u          user       SystemLow  SystemLow              user_r

[root/abat_r/[EMAIL PROTECTED] framework]# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          SystemLow
abat            abat_u          SystemLow-SystemHigh
abatroot        abat_u          SystemLow
ealuser         staff_u         SystemLow-SystemHigh
root            root            SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh
testuser        testuser_u      SystemLow-SystemHigh
> -- ljk
> >
> > Thanks,
> > - Loulwa
> >
> > Sample steps output:
> > [root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023
> > localhost
> > Password:
> > Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
> > [ealuser/sysadm_r/SystemLow ~]$ /bin/su -
> > Password:
> > [root/sysadm_r/SystemLow ~]# id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
> > [root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
> > -bash: /sbin/netlabelctl: Permission denied
> >
> >
> > ---- ssh records (records I see when I ssh into system):
> > type=USER_AUTH msg=audit(1174412538.822:755): user pid=3051 uid=0
> > auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> > authentication acct=ealuser : exe="/usr/sbin/sshd"
> > (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> > type=USER_ACCT msg=audit(1174412538.864:756): user pid=3051 uid=0
> > auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> > accounting acct=ealuser : exe="/usr/sbin/sshd"
> > (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> > type=AVC msg=audit(1174412539.043:757): avc: granted { setexec } for
> > pid=3047 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
> > tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> >
> > ---- netlabel related records (the only 2 records I see when I get perm
> > denied)
> > type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid:
> > invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for
> > scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> > tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11
> > success=no exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0
> > ppid=3090 pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
> > subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> >
> > --
> > redhat-lspp mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/redhat-lspp