On Tue, 2007-03-20 at 18:58 -0500, Linda Knippers wrote:
> Loulwa Salem wrote:
> > Hi all,
> > I am seeing a strange behavior on my system. I am running with the
> > latest and greatest kernel (.69) and packages freshly installed today
> > from Steve's repo on a ppc system in Enforcing mode of course.
> > Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
> >
> > Steps to reproduce the problem:
> > - ssh into system with your admin user as sysadm role
> >   ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> > - switch to root
> >   /bin/su -
> > - execute any netlabel command
> >   netlabelctl cipsov4 add pass doi:1 tags:1
> >
> > I am able to log in fine, and I expect the netlabel command to pass;
> > however I get a permission denied. I am pasting at the bottom the
> > relevant records I see in the audit log (nothing shows up in
> > /var/log/messages or secure)... any ideas?
> > Joy and Kylie tried this and both saw the same behavior. Keep in mind
> > this used to work just fine before.
>
> When was it last known to work?
>
> > What I find strange is the context it complains about has the role
> > system_r and not sysadm_r. Even in the records created by the ssh
> > authentication, I see the system_r; I'm not sure how that role is
> > finding its way in there. The "id" command, however, shows the correct
> > sysadm_r.
> > I'm not quite sure what package is the suspect.
> >
> > I think this is a bug; if everyone agrees I'll open a bugzilla for it.
>
> I think there's something funky with our ealuser_u definition or the
> policy. You're not getting an AVC deny, you're getting an error that
> the security context isn't valid. What do 'semanage user -l' and
> 'semanage login -l' show?
>
> Can you try the same thing from an account that is associated with
> staff_u?
>
Actually, the first time she tried it, it was staff_u and not ealuser_u.
I suggested perhaps the error occurred because ealuser was not properly
mapped to an SELinux user. So we ran:

semanage user -a -L SystemLow-SystemHigh -r SystemLow-SystemHigh -R "staff_r sysadm_r secadm_r auditadm_r" -P staff ealuser_u
semanage login -m -s ealuser_u -r SystemLow-SystemHigh ealuser

But before, her config was like Kylie's and she got the same error. She
said she never ran the above semanage commands before and it used to
work fine.

It works on a machine with:

selinux-policy-2.4.6-38.el5
selinux-policy-devel-2.4.6-38.el5
selinux-policy-targeted-2.4.6-38.el5
selinux-policy-mls-2.4.6-38.el5
openssh-clients-4.3p2-17.el5
openssh-4.3p2-17.el5
openssh-server-4.3p2-17.el5
kernel-2.6.18-8.1.1.el5.lspp.68
kernel-devel-2.6.18-8.1.1.el5.lspp.68

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

(This machine has not been updated to the latest stuff in Steve Grubb's repo.)

We noticed the AVC denied message tried to compute an sid for
ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023

We also noticed that on the machine where it works, the role is sysadm_r
and not system_r in the audit message below...

type=SYSCALL msg=audit(1174424974.772:2935): arch=c000003e syscall=59 success=yes exit=0 a0=68a5420 a1=68a51c0 a2=689adc0 a3=0 items=0 ppid=28564 pid=28600 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="netlabelctl" exe="/sbin/netlabelctl" subj=ealuser_u:sysadm_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1174424974.772:2935): path="/dev/pts/0"
type=AVC_PATH msg=audit(1174424974.772:2935): path="/dev/pts/0"
type=AVC_PATH msg=audit(1174424974.772:2935): path="/dev/pts/0"
.....

Regards,
Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
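The diagnostic step the thread turns on is reading the role component out of the subj= field of the audit records and comparing it with what the login should have produced (sysadm_r, not system_r). The following Python helper is an added example written for this page, not code from the thread or from the audit or SELinux userspace tools. It splits audit records into key/value pairs, breaks the subject context into user:role:type:range (the MLS range itself contains colons, so the split has to stop after the type), and lists every record whose subject role differs from the expected one. The first record in the sample input is the SYSCALL line quoted in the message above; the second is constructed here to look like the failing case (same command, role system_r) and is not a record from the original report.

```python
"""Extract SELinux subject contexts from audit records and flag role mismatches.

Added example for this page; not part of the original thread and not the
audit package's own tooling.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input. Record 1 is the SYSCALL line quoted in the
# thread; records 2 and 3 are made up here to mimic the failing case
# described in the thread (netlabelctl running with role system_r).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1174424974.772:2935): arch=c000003e syscall=59 success=yes exit=0 a0=68a5420 a1=68a51c0 a2=689adc0 a3=0 items=0 ppid=28564 pid=28600 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="netlabelctl" exe="/sbin/netlabelctl" subj=ealuser_u:sysadm_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1174424974.772:2935): path="/dev/pts/0"
type=SYSCALL msg=audit(1174425000.100:2950): arch=c000003e syscall=59 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="netlabelctl" exe="/sbin/netlabelctl" subj=ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
"""


class Context(NamedTuple):
    """An SELinux security context split into its components."""
    user: str
    role: str
    type: str
    range: Optional[str]  # None on a non-MLS/MCS policy


# key=value pairs; values are either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The event identifier inside msg=audit(<time>:<serial>):
_EVENT_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of fields, quotes stripped."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]; stop after the type because the MLS
    range (e.g. s0-s15:c0.c1023) contains colons of its own."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    rng = parts[3] if len(parts) == 4 else None
    return Context(user, role, type_, rng)


def event_id(fields: Dict[str, str]) -> Optional[str]:
    """Return the '<time>:<serial>' identifier that ties a record to its event."""
    match = _EVENT_RE.search(fields.get("msg", ""))
    return match.group(1) if match else None


def subject_contexts(log: str) -> Dict[str, Context]:
    """Map each event id to the parsed subject context of its record(s)."""
    contexts: Dict[str, Context] = {}
    for line in log.splitlines():
        fields = parse_record(line)
        if "subj" not in fields:
            continue  # AVC_PATH and similar records carry no subject
        eid = event_id(fields)
        if eid is not None:
            contexts[eid] = parse_context(fields["subj"])
    return contexts


def role_mismatches(log: str, expected_role: str = "sysadm_r") -> List[Tuple[str, str, str]]:
    """Return (event id, comm, actual role) for every record whose subject
    role is not the one the login should have produced."""
    hits: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        fields = parse_record(line)
        if "subj" not in fields:
            continue
        ctx = parse_context(fields["subj"])
        if ctx.role != expected_role:
            hits.append((event_id(fields) or "?", fields.get("comm", "?"), ctx.role))
    return hits


if __name__ == "__main__":
    for eid, comm, role in role_mismatches(SAMPLE_AUDIT_LOG):
        print(f"event {eid}: {comm} ran with role {role}, expected sysadm_r")
```

Run against a real log with `role_mismatches(open("/var/log/audit/audit.log").read())`; any hit whose role is system_r for a process that was started from an interactive sysadm_r login is the symptom the thread describes, and the user/role/range triple it prints is what to compare against the `semanage user -l` and `semanage login -l` output Linda asked for.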
