transition to sysadm_u fails

Daniel J Walsh dwalsh at redhat.com
Thu Jan 3 16:07:03 UTC 2013



On 01/03/2013 09:52 AM, richard -rw- weinberger wrote:
> Hi!
> 
> On my CentOS6 test box I'm facing a strange problem. I'd like to have an
> uid!=0 user which is mapped to the selinux sysadm_u user.
> 
> To achieve this I did "semanage login -a -s sysadm_u setest". But "runcon
> -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed.
> 
> The transition got blocked for the following reason:
> type=AVC msg=audit(1357223866.943:29): avc:  denied  { transition } for  pid=1105
> comm="runcon" path="/bin/bash" dev=dm-0 ino=130087
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
> 
> Using audit2allow I've created an allow rule to allow the transition. 
> ---cut---
> [root at selinuxbox ~]# cat sysadm.te
> 
> module sysadm 1.0;
> 
> require {
> 	type unconfined_t;
> 	type sysadm_t;
> 	class process transition;
> }
> 
> #============= unconfined_t ==============
> allow unconfined_t sysadm_t:process transition;
> ---cut---
> 
> I've loaded the new rule using "semodule -i sysadm.pp".
> 
> ---cut---
> [root at selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t"
> allow unconfined_t sysadm_t : process { transition sigchld } ;
> ---cut---
> 
> As you can observe a transition from unconfined_t to sysadm_t is now
> allowed. But runcon still fails and audit logs the same deny message. Also
> audit2allow created exactly the same allow rule again.
> 
> What is preventing runcon from working?
> 


Audit2allow is not always as smart as it could be.

It translates AVC denials into Type Enforcement rules, even if the problem is
an RBAC problem or an MCS/MLS problem.

Most likely you are having an RBAC problem.

First you need a rule that says unconfined_r can become sysadm_r.

 sesearch --role_allow | grep unconfined_r
   allow staff_r unconfined_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;

Add

allow unconfined_r sysadm_r;

To your te file.

Next you probably need to fix your SELinux user to say it can reach sysadm_r.

# semanage  user -l | grep unconfined_u
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r webadm_r unconfined_r

# semanage user -m -R"system_r webadm_r unconfined_r sysadm_r" unconfined_u

Now I believe you could execute

runcon -r sysadm_r -t sysadm_t /bin/sh


And it would run as

unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

You might not need to do the semanage command if unconfined_t is allowed to
change SELinux user.
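As an added illustration of the point above (not part of the original thread), here is a small Python triage helper that reads an AVC denial like the one quoted and reports whether the blocked process transition also crosses a role or SELinux-user boundary, which the Type Enforcement rule audit2allow emits cannot fix on its own. The sample denial is constructed from the one quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the AVC denial quoted in the thread above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1357223866.943:29): avc:  denied  { transition } for  pid=1105 '
    'comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process'
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    range: str  # MLS/MCS range; empty on policies without one


def parse_context(ctx: str) -> Context:
    # A context is user:role:type[:range]; the range itself may contain ':'.
    user, role, type_, *rest = ctx.split(":", 3)
    return Context(user, role, type_, rest[0] if rest else "")


def parse_avc(line: str) -> dict:
    # key=value fields (quoted or bare) plus the permission set in braces.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r"\{\s*([^}]*)\}", line)
    return {
        "perms": perms.group(1).split() if perms else [],
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def triage_transition(line: str) -> List[str]:
    """List the policy areas a denied process transition touches.
    audit2allow only produces the 'te' line; 'rbac', 'user' and 'mls'
    findings need role-allow rules, semanage user changes, or MLS policy."""
    avc = parse_avc(line)
    s, t = avc["scontext"], avc["tcontext"]
    findings = []
    if avc["tclass"] == "process" and "transition" in avc["perms"]:
        findings.append(f"te: allow {s.type_} {t.type_}:process transition;")
        if s.role != t.role:
            findings.append(f"rbac: allow {s.role} {t.role};")
        if s.user != t.user:
            findings.append(f"user: {s.user} -> {t.user} (check semanage user -l)")
        if s.range != t.range:
            findings.append(f"mls: range {s.range} -> {t.range}")
    return findings
```

Run `triage_transition(SAMPLE_AVC)` and the thread's denial yields a TE finding plus an RBAC and a user finding, matching the diagnosis given above.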