Ok, I thought this was a known issue but I can't seem to find it mentioned anywhere. I have a F9 system that "su" and "sudo" don't work on. I noticed that my context was user_u rather than unconfined_u:
Login on the console as cra:
[cra@system 20:25:34 /home/cra]>id
uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
[cra@system 20:25:36 /home/cra]>su
/bin/su: Permission denied.
[cra@system 20:25:37 /home/cra]>sudo
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
So I tried to go in as root and fix the context like this:
Login on the console as root:
[root@system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted
[root@system ~]# setenforce 0
[root@system ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023

[root@system ~]# semanage login -m -s unconfined_u root
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root
[root@system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted
[root@system ~]# setenforce 1
[root@system ~]# exit
But it didn't work as you can see. I'm running these versions:
kernel-2.6.25.4-30.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch
Can someone please help?
Thanks.
On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote:
Ok, I thought this was a known issue but I can't seem to find it mentioned anywhere. I have a F9 system that "su" and "sudo" don't work on. I noticed that my context was user_u rather than unconfined_u:
They shouldn't work from user_u, as that user identity/role isn't supposed to be able to use them (unprivileged user).
Login on the console as cra:
[cra@system 20:25:34 /home/cra]>id
uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
[cra@system 20:25:36 /home/cra]>su
/bin/su: Permission denied.
[cra@system 20:25:37 /home/cra]>sudo
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
So I tried to go in as root and fix the context like this:
Login on the console as root:
[root@system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted
[root@system ~]# setenforce 0
[root@system ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
semanage user -l shows what?
[root@system ~]# semanage login -m -s unconfined_u root
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root
[root@system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted
[root@system ~]# setenforce 1
[root@system ~]# exit
But it didn't work as you can see. I'm running these versions:
kernel-2.6.25.4-30.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch
Can someone please help?
Thanks.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
They shouldn't work from user_u, as that user identity/role isn't supposed to be able to use them (unprivileged user).
Right, I was trying to fix that, and apparently failed.
[root@system ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
semanage user -l shows what?
I didn't know there was a "user" in addition to "login":
# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
root            unconfined s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r
Now it seems obvious--I'm missing the unconfined_u user.
Comparing this to a working F9 system:
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
guest_u         guest      s0         s0              guest_r
root            user       s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user       s0         s0              user_r
xguest_u        xguest     s0         s0              xguest_r
How do I fix this?
Thanks.
On Fri, 2008-06-13 at 10:09 -0400, Chuck Anderson wrote:
On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
They shouldn't work from user_u, as that user identity/role isn't supposed to be able to use them (unprivileged user).
Right, I was trying to fix that, and apparently failed.
[root@system ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
semanage user -l shows what?
I didn't know there was a "user" in addition to "login":
# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
root            unconfined s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r
Now it seems obvious--I'm missing the unconfined_u user.
Comparing this to a working F9 system:
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
guest_u         guest      s0         s0              guest_r
root            user       s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user       s0         s0              user_r
xguest_u        xguest     s0         s0              xguest_r
How do I fix this?
Looks like the same problem reported by Kayvan (Weird SELinux problem after upgrade to F9).
semanage user -a -P user -R "unconfined_r system_r" -rs0-s0:c0.c1023 unconfined_u
semanage user acts on SELinux users, i.e. users defined in the kernel policy, which these days are used as "authorized role sets" rather than individual users. semanage login acts on Linux users, who are then mapped to SELinux users in policy.
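A quick consistency check for the situation in this thread (a login mapping that names an SELinux user the policy no longer defines), added here as an example and not part of the list discussion: it cross-references the two semanage listings and reports dangling mappings. The two listings below are constructed from the broken system's output quoted above; on a real host you would pass in the live output of "semanage login -l" and "semanage user -l".

```shell
#!/bin/sh
# Added example, not from the thread. Reports "semanage login -l" mappings whose
# SELinux user does not appear in "semanage user -l". Sample listings are
# constructed from the broken F9 system quoted in the thread.
LOGIN_OUT='Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0
root                 root                 s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

USER_OUT='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
root            unconfined s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r'

# First column of every data line of "semanage user -l" (header lines skipped).
sel_users() {
    printf '%s\n' "$1" | awk '$1 == "Labeling" || $1 == "SELinux" { next }
                             NF >= 2 { print $1 }'
}

# $1 = output of "semanage login -l", $2 = output of "semanage user -l".
# Prints "<login> -> <selinux user>" for each mapping that points at an
# undefined SELinux user; prints nothing when every mapping resolves.
check_login_mappings() {
    defined=$(sel_users "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v defined="$defined" '
        BEGIN { n = split(defined, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $1 == "Login" { next }
        NF >= 2 && !($2 in ok) { printf "%s -> %s\n", $1, $2 }'
}

# On a live system: check_login_mappings "$(semanage login -l)" "$(semanage user -l)"
check_login_mappings "$LOGIN_OUT" "$USER_OUT"
```

After the missing SELinux user is added back (the semanage user -a line above), the same check prints nothing.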