Re: staff_r role privileges

I think you have a problem in your policy. I tried what you explained above on Fedora 9 and it worked fine.

I think you might be getting a constraint violation.

Run the transition rule through audit2why and I think you will see what the problem is.

Fedora has this call in it:
userdom_role_change_template(staff, sysadm)

Re: staff_r role privileges

Added the following line to my .te file:
userdom_role_change_template(staff, sysadm)

But when I tried to build the module, I got the following error:

[root@xyz ~]# checkmodule -M -m test.te -o test.mod
checkmodule: loading policy configuration from test.te
(unknown source)::ERROR 'syntax error' at token 'userdom_role_change_template' on line 42:
userdom_role_change_template(staff, sysadm)

checkmodule: error(s) encountered while parsing configuration

[root@xyz ~]# checkmodule -V
Module versions 4-6

I think checkmodule policy compiler is not recognizing "userdom_role_change_template".

Any ideas why?

Re: staff_r role privileges

You don't have the interface defined.

template(`userdom_role_change_template',`
	# the roles and types used below must be declared to the module via gen_require
	gen_require(`
		role $1_r, $2_r;
		type $1_t, $2_t;
		type $1_devpts_t, $2_devpts_t;
		type $1_tty_device_t, $2_tty_device_t;
	')

	# role allow rule: $1_r may change to $2_r
	allow $1_r $2_r;
	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
	# avoid annoying messages on terminal hangup
	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')

Re: staff_r role privileges

Aug 13 14:39:55 xyz kernel: audit(1218618595.898:5): avc: denied { transition } for pid=2058 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

audit2why on the above AVC gives:

Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.

With the correct interface file defined, I added

userdom_role_change_template(staff, sysadm)

to my .te file and loaded the resultant policy.

Still I don't have any success. When I issue "sudo /sbin/reboot" as the admin user, the terminal logs out (but no reboot!).

Re: staff_r role privileges

Are you seeing an additional AVC? Do you see anything in the log files?

Re: staff_r role privileges

Hi Dan,

The same AVC is still coming:

Aug 18 15:56:34 xyz kernel: audit(1219055194.331:6): avc: denied { transition } for pid=2128 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

I'm wondering why the following type-enforcement rule is still not working?

allow staff_t sysadm_t:process { siginh rlimitinh transition noatsecure };

Re: staff_r role privileges

Well there is something wrong with your policy.

I just set up everything you are describing in Fedora 10 and it worked correctly.

I created an admin_u account.

# semanage user -a -R"staff_r sysadm_r" admin_u
# useradd -Z admin_u admin
# cp /etc/selinux/context/users/staff_u /etc/selinux/contexts/users/admin_u
# visudo
admin ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

Login as admin
> id -Z
> sudo sh
[sudo] password for admin:
# id -Z

I would look at your definition of sysadm and see if it is missing some attribute. It might not see sysadm_t as a domain?

Since this is not a RHEL or Fedora policy, please bring up the discussion on the NSA list.
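Added triage helper for the "Constraint violation" discussed in this thread; it is not code from any of the posters. It takes a "denied { transition }" AVC line, splits scontext and tcontext into user/role/type, and reports which fields change. The point it makes visible: the TE rule "allow staff_t sysadm_t:process transition;" only covers the type change; a role change (staff_r -> sysadm_r) also needs the role allow rule from the template above and must satisfy the process transition constraints (policy/constraints in a refpolicy-based build, which is the assumption here). The sample input is the AVC line posted in the thread, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a refpolicy-style policy where
# user and role changes on process transition are checked by constraints.

# ctx_field CONTEXT N: print field N (1=user, 2=role, 3=type) of a context.
# The MLS level (field 4) may itself contain ':' so we never split past it.
ctx_field() {
    ctx=$1
    case $2 in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) r=${ctx#*:}; printf '%s\n' "${r%%:*}" ;;
        3) r=${ctx#*:}; r=${r#*:}; printf '%s\n' "${r%%:*}" ;;
        *) return 1 ;;
    esac
}

# avc_field LINE KEY: print the value of " KEY=value" in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_transition_diff LINE: print one verdict per field.
# Exit status 0: only the type changes (a TE allow rule is enough).
# Exit status 1: user or role changes too (a constraint must also permit it).
# Exit status 2: not a process transition AVC.
avc_transition_diff() {
    line=$1
    case $line in
        *"{ transition }"*"tclass=process"*) ;;
        *) echo "not a process transition AVC"; return 2 ;;
    esac
    s=$(avc_field "$line" scontext)
    t=$(avc_field "$line" tcontext)
    rc=0
    for i in 1 2 3; do
        a=$(ctx_field "$s" "$i"); b=$(ctx_field "$t" "$i")
        case $i in 1) n=user ;; 2) n=role ;; 3) n=type ;; esac
        if [ "$a" = "$b" ]; then
            echo "$n: $a unchanged"
        elif [ "$i" = 3 ]; then
            echo "$n: $a -> $b (TE rule: allow $a $b:process transition;)"
        elif [ "$i" = 2 ]; then
            echo "$n: $a -> $b (CONSTRAINT: needs role allow 'allow $a $b;' and the role clause of the process transition constraint)"
            rc=1
        else
            echo "$n: $a -> $b (CONSTRAINT: needs the user clause of the process transition constraint)"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the AVC line posted in this thread.
SAMPLE='Aug 18 15:56:34 xyz kernel: audit(1219055194.331:6): avc: denied { transition } for pid=2128 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process'

if avc_transition_diff "$SAMPLE"; then
    echo "verdict: a TE allow rule is sufficient"
else
    echo "verdict: check policy/constraints (this is what audit2why reports as 'Constraint violation')"
fi
```

For the thread's AVC the script reports the user as unchanged, the role as staff_r -> sysadm_r and the type as staff_t -> sysadm_t, and exits 1: the TE rule the poster added is correct but cannot by itself satisfy the role clause of the constraint, which is why the denial persists.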
