Re: staff_r role privileges

Aug 13 14:39:55 xyz kernel: audit(1218618595.898:5): avc: denied { transition } for pid=2058 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

audit2why on the above AVC gives:

Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.


With correct interface file defined I added

userdom_role_change_template(staff, sysadm)
userdom_dontaudit_use_sysadm_terms(staff_t)

to my .te file and loaded the resultant policy.

Still I don't have any success. When I issue "sudo /sbin/reboot" as the admin user, the terminal logs out (but no reboot!).

Re: staff_r role privileges

Are you seeing an additional AVC? Do you see anything in the log files?

Re: staff_r role privileges

Hi Dan,

The same AVC is still coming:

Aug 18 15:56:34 xyz kernel: audit(1219055194.331:6): avc: denied { transition } for pid=2128 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

I'm wondering why the following type-enforcement rule is still not working?

allow staff_t sysadm_t:process { siginh rlimitinh transition noatsecure };

Re: staff_r role privileges

Well there is something wrong with your policy.

I just setup everything you are describing in Fedora 10 and it worked correctly.

I created an admin_u account.

# semanage user -a -R"staff_r sysadm_r" admin_u
# useradd -Z admin_u admin
# cp /etc/selinux/contexts/users/staff_u /etc/selinux/contexts/users/admin_u
# visudo
admin ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

Log in as admin
> id -Z
admin_u:staff_r:staff_t:s0
> sudo sh
[sudo] password for admin:
# id -Z
admin_u:sysadm_r:sysadm_t:s0

I would look at your definition of sysadm and see if it is missing some attribute. It might not see sysadm_t as a domain?

Since this is not a RHEL or Fedora policy, please bring up the discussion on the NSA list.
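As an added illustration of the audit2why reasoning in this thread (this is not code from the list, from audit2why, or from any SELinux tool): the script parses the AVC denial and the allow rule quoted above and checks whether the rule actually grants the denied permission; when it does, and the role still differs between scontext and tcontext, only a constraint can be producing the denial, which is exactly what audit2why reported. AVC_LINE and ALLOW_RULE are copied from the thread; the regexes and the classification are my own.

```python
import re

# Constructed sample input: the denial and the allow rule quoted in this thread.
AVC_LINE = ('Aug 18 15:56:34 xyz kernel: audit(1219055194.331:6): avc: denied { transition } '
            'for pid=2128 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 '
            'scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 '
            'tclass=process')
ALLOW_RULE = 'allow staff_t sysadm_t:process { siginh rlimitinh transition noatsecure };'

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<tclass>\S+)\s+'
                      r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\S+?))\s*;')

def split_context(ctx):
    """user:role:type:level -> dict; maxsplit keeps MLS ranges such as s0-s0:c0.c1023 intact."""
    user, role, typ, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'level': level}

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {'perms': set(m['perms'].split()), 'tclass': m['tclass'],
            'source': split_context(m['scon']), 'target': split_context(m['tcon'])}

def parse_allow(rule):
    m = ALLOW_RE.search(rule)
    perms = m['perms'] if m['perms'] is not None else m['perm']
    return {'src': m['src'], 'tgt': m['tgt'], 'tclass': m['tclass'], 'perms': set(perms.split())}

def diagnose(avc, allow):
    """Classify one denial against one TE allow rule.
    'missing_allow': the rule does not grant the denied permission on this type pair.
    'constraint'   : the rule grants it, yet user or role changes across the transition,
                     so only a constraint (policy/constraints) can still deny it.
    'other'        : the rule grants it and neither user nor role changes."""
    covered = (allow['src'] == avc['source']['type'] and allow['tgt'] == avc['target']['type']
               and allow['tclass'] == avc['tclass'] and avc['perms'] <= allow['perms'])
    if not covered:
        return 'missing_allow', []
    changed = [f for f in ('user', 'role') if avc['source'][f] != avc['target'][f]]
    return ('constraint' if changed else 'other'), changed

if __name__ == '__main__':
    verdict, changed = diagnose(parse_avc(AVC_LINE), parse_allow(ALLOW_RULE))
    print(verdict, changed)  # constraint ['role']
```

For the denial in this thread the verdict is 'constraint' with the role as the changing field, so the fix lies in the attributes the constraint tests rather than in another allow rule.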
