sudo avc denies: was Re: Upgrading to policy-strict RPM's

Erik Fichtner emf at obfuscation.org
Fri Jul 9 17:28:47 UTC 2004


On Fri, Jul 09, 2004 at 12:15:58PM -0400, Stephen Smalley wrote:
> > audit(1089381994.953:0): avc:  denied  { execute_no_trans } for  pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t tclass=file
> > 
> > I receive the same results if running in staff_r or sysadm_r as well.
> 
> sudo is presently broken; the SELinux patch and policy for it are being
> reworked.  Hopefully there will be something newer in rawhide soon.

That reminds me....  I had this same problem, and I just worked around
it by allowing the avc denies for sudo, and now sudo works as I
expected it to.

What IS unexpected is that su changes the user's context from "user_u"
(or "emf" or whatever username, naturally..) to "root"... Thus, we lose
the context audit trail of who was puttering around as root.

Back in the old 2.4 (pre-xattr) SELinux, su never did this (it only
changed uid to 0 and left the context alone), and from my casual reading
of the flask papers, this was on purpose.  (i.e., it was my understanding
that the USER would never ever change, but the ROLE and TYPE could)

So what gives? 

Thanks...


-- 
Erik Fichtner; Unix Ronin
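An added example, not part of the archived thread: it parses the AVC denial quoted above into its fields and checks the invariant the post describes (the SELinux user in the context should survive su/sudo; only role and type may change). It assumes the old three-field user:role:type context format shown in the message; the "after su" contexts are constructed for illustration.

```python
import re

# Constructed sample: the AVC denial quoted in the thread (2004-era audit() format).
AVC_LINE = ("audit(1089381994.953:0): avc:  denied  { execute_no_trans } for  pid=845 "
            "exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 "
            "scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t "
            "tclass=file")

AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """Split a security context into its parts. The first three fields are
    user:role:type; anything after that (an MLS range on newer systems) is kept whole."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    rec = {"user": parts[0], "role": parts[1], "type": parts[2]}
    if len(parts) == 4:
        rec["range"] = parts[3]
    return rec


def parse_avc(line):
    """Turn one avc: line into a dict of its key=value fields, with the
    source and target contexts split so callers can reason about user/role/type."""
    m = AVC_RE.match(line.strip())
    if not m:
        raise ValueError("not an avc line: %r" % line)
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["timestamp"] = float(m.group("ts"))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_parts"] = split_context(rec[key])
    return rec


def user_identity_preserved(before, after):
    """The audit-trail property the post expects from su: the SELinux user part of
    the context is unchanged, even though role and type may legitimately differ."""
    return split_context(before)["user"] == split_context(after)["user"]
```

A shell spawned through su that reports a context whose user part is "root" rather than the original login user is exactly the case where user_identity_preserved() returns False.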
