transition to sysadm_u fails
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 3 16:07:03 UTC 2013
On 01/03/2013 09:52 AM, richard -rw- weinberger wrote:
> Hi!
>
> On my CentOS6 test box I'm facing a strange problem. I'd like to have an
> uid!=0 user which is mapped to the selinux sysadm_u user.
>
> To achieve this I did "semanage login -a -s sysadm_u setest". But "runcon
> -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed.
>
> The transition got blocked for the following reason:
> type=AVC msg=audit(1357223866.943:29): avc: denied { transition } for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
>
> Using audit2allow I've created an allow rule to allow the transition.
> ---cut---
> [root at selinuxbox ~]# cat sysadm.te
>
> module sysadm 1.0;
>
> require { type unconfined_t; type sysadm_t; class process transition; }
>
> #============= unconfined_t ==============
> allow unconfined_t sysadm_t:process transition;
> ---cut---
>
> I've loaded the new rule using "semodule -i sysadm.pp".
>
> ---cut---
> [root at selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t"
> allow unconfined_t sysadm_t : process { transition sigchld } ;
> ---cut---
>
> As you can observe a transition from unconfined_t to sysadm_t is now
> allowed. But runcon still fails and audit logs the same deny message. Also
> audit2allow created exactly the same allow rule again.
>
> What is preventing runcon from working?
>
Audit2allow is not always as smart as it could be.
It translates AVC denials into Type Enforcement rules, even if the problem is
an RBAC problem or an MCS/MLS problem.
Most likely you are having an RBAC problem.
First you need a rule that says unconfined_r can become sysadm_r.
sesearch --role_allow | grep unconfined_r
allow staff_r unconfined_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
Add
allow unconfined_r sysadm_r;
To your te file.
Next you probably need to fix your SELinux user to say it can reach the sysadmin_r.
# semanage user -l | grep unconfined_u
unconfined_u user s0 s0-s0:c0.c1023 system_r
webadm_r unconfined_r
# semanage user -m -R"system_r webadm_r unconfined_r sysadm_r" unconfined_u
Now I believe you could execute
runcon -r sysadm_r -t sysadmin_t /bin/sh
And it would run as
unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
You might not need to do the semanage command if unconfined_t is allowed to
change SELinux user.
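The diagnostic step Dan describes (an AVC transition denial whose source and target contexts differ in role or SELinux user is an RBAC problem that a TE rule alone cannot fix) can be scripted. The following POSIX sh script is an added example, not code from the thread or from the SELinux tools. It parses a constructed AVC line modelled on the one quoted above, prints the TE rule audit2allow would emit, and adds the role allow rule (and a note about the SELinux user mapping) when the roles or users differ. The function names `ctx_field`, `transition_rules`, `is_rbac_problem` and `roles_reach` are this example's own; it runs offline and does not call sesearch or semanage.

```shell
#!/bin/sh
# Added example: classify an AVC "denied { transition }" line as a TE-only
# problem or an RBAC problem, and print every rule the transition needs.
# Not from the original thread; does not touch the running policy.

# Constructed sample line, modelled on the denial quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1357223866.943:29): avc: denied { transition } for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process'

# Constructed role list for unconfined_u, modelled on the "semanage user -l"
# output quoted above (before sysadm_r was added).
SAMPLE_ROLES='system_r webadm_r unconfined_r'

# ctx_field LINE KEY N: print field N (1=user, 2=role, 3=type) of the
# colon-separated context stored in KEY=... on the AVC line.
ctx_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p" | cut -d: -f"$3"
}

# transition_rules LINE: print, one per line, the rules this transition needs.
# audit2allow only produces the first (TE) rule; the role allow rule is the
# RBAC piece it leaves out, and a user change is not a policy rule at all.
transition_rules() {
    line=$1
    suser=$(ctx_field "$line" scontext 1); srole=$(ctx_field "$line" scontext 2); stype=$(ctx_field "$line" scontext 3)
    tuser=$(ctx_field "$line" tcontext 1); trole=$(ctx_field "$line" tcontext 2); ttype=$(ctx_field "$line" tcontext 3)
    printf 'allow %s %s:process transition;\n' "$stype" "$ttype"
    if [ "$srole" != "$trole" ]; then
        printf 'allow %s %s;\n' "$srole" "$trole"
    fi
    if [ "$suser" != "$tuser" ]; then
        printf '# SELinux user change %s -> %s: fix the user/role mapping (semanage user -m -R ...), not a TE rule\n' "$suser" "$tuser"
    fi
    return 0
}

# is_rbac_problem LINE: succeed (0) when the source and target roles differ,
# i.e. when a TE allow rule alone will not make the denial go away.
is_rbac_problem() {
    [ "$(ctx_field "$1" scontext 2)" != "$(ctx_field "$1" tcontext 2)" ]
}

# roles_reach ROLELIST ROLE: succeed when ROLE appears in the space-separated
# role list of an SELinux user (as printed by "semanage user -l").
roles_reach() {
    for r in $1; do
        [ "$r" = "$2" ] && return 0
    done
    return 1
}

# Stand-alone run: show the verdict for the constructed sample.
if is_rbac_problem "$SAMPLE_AVC"; then
    echo "RBAC problem: a TE rule alone is not enough"
fi
transition_rules "$SAMPLE_AVC"
if ! roles_reach "$SAMPLE_ROLES" "$(ctx_field "$SAMPLE_AVC" tcontext 2)"; then
    echo "# $(ctx_field "$SAMPLE_AVC" tcontext 2) is not in the SELinux user's role list; add it with semanage user -m -R"
fi
```

Run it against a real denial by passing the audit line to `transition_rules` and the `semanage user -l` role column to `roles_reach`; a role allow line in the output is the signal that the module audit2allow built is incomplete.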