I was just wondering if there was any way to fully switch to the new user's context. As I stated above, I'm aware of the role and type options.

Anyway, I set up as described in this chain. I added user_r to staff_u. Again, I'm using Fedora 10 with selinux in enforcing/targeted mode. When I run sudo without specifying the role and type it works fine. When I try the following command:

sudo -u firefox -r user_r -t user_t /usr/bin/id

I get these errors:

sudo: unable to open /dev/pts/0: Permission denied
sudo: unable to setup tty context for staff_u:user_r:user_t:s0: Permission denied

For some reason it is trying to set the context of the tty device to that of the user. The permissions and context of /dev/pts/0 are as they should be:

crw--w---- dcove tty staff_u:object_r:staff_devpts_t:s0 0

I tried sudo from a console window with the same result. I tried setting role and type in the sudoers file instead of command line with the same result. Is this a known issue in Fedora 10? If not, do you have any suggestions on how to fix this? Thanks.

Please download selinux-policy-3.5.13-34.fc10 from koji to see if that solves your problem.

The policy was not allowing staff_t->user_t transitions.

Thank you for your assistance. This weekend, I tried installing selinux-policy-3.5.13-34.fc10 and selinux-policy-targeted-3.5.13-34.fc10. It didn't change the behavior of sudo. It is still failing with the same errors when trying to transition from staff_t->user_t.

BTW, whether you successfully sudo with the same context or unsuccessfully sudo trying to transition from staff_t to user_t, the same four entries are in audit.log, all with res=success. They are CRED_ACQ, USER_START, USER_END, and USER_CMD. There are no failures in audit.log.

Looks like a bug in sudo: this does not work in permissive mode, and if I remove the changing of the context it works.

The problem is sudo is changing the real and effective user id before it tries to set the terminal context, so it basically drops privs before running the SELinux code. And the user is not allowed to modify the attributes of the terminal.
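An added example, not sudo's own code, that shows the ordering problem described in the comment above using plain POSIX calls. The SELinux relabel of /dev/pts/N is stood in for by an fchown on a temporary file, and the target user is an assumed uid 65534 ("nobody"); both operations hinge on the caller still holding privilege, which is the point. Each ordering runs in a forked child so the caller's own uid is untouched. Dropping privileges first fails at the relabel step (or at the drop itself when the program is not run as root); relabelling first and then dropping privileges succeeds when run as root.

```c
/* Illustrative example (not sudo's code): a privileged operation on the tty
 * must happen before the real/effective uid is changed.  sudo's setfilecon()
 * on /dev/pts/N is replaced by fchown() on a temporary file, since both
 * require privilege the process no longer has after setuid().
 * Assumption: uid 65534 ("nobody") stands in for the target user. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes the child reports back to the parent. */
enum { STAGE_OK = 0, STAGE_RELABEL_FAILED = 1, STAGE_DROP_FAILED = 2 };

/* Stand-in for "set tty context": hand the device to the target user. */
static int relabel_tty(int fd, uid_t target) {
    return fchown(fd, target, (gid_t)-1) == 0 ? 0 : -1;
}

/* Stand-in for sudo switching to the target user: real, effective and saved uid. */
static int drop_privs(uid_t target) {
    return setuid(target) == 0 ? 0 : -1;
}

/* Run one ordering in a forked child.  drop_first == 1 reproduces the reported
 * sudo behaviour; drop_first == 0 is the correct order.  Returns a STAGE_*
 * code, or -1 if the harness itself (mkstemp/fork/waitpid) failed. */
int run_ordering(int drop_first) {
    uid_t target = (getuid() == 65534) ? 65533 : 65534;  /* any uid that is not ours */
    char path[] = "/tmp/tty-order-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        int rc = STAGE_OK;
        if (drop_first) {
            /* Privileges are gone before the tty is touched: fchown gets EPERM. */
            if (drop_privs(target) != 0)
                rc = STAGE_DROP_FAILED;
            else if (relabel_tty(fd, target) != 0)
                rc = STAGE_RELABEL_FAILED;
        } else {
            /* Touch the tty while still privileged, then switch user. */
            if (relabel_tty(fd, target) != 0)
                rc = STAGE_RELABEL_FAILED;
            else if (drop_privs(target) != 0)
                rc = STAGE_DROP_FAILED;
        }
        _exit(rc);
    }

    int status = 0;
    int rc = -1;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    printf("drop privileges, then relabel tty: stage %d\n", run_ordering(1));
    printf("relabel tty, then drop privileges: stage %d\n", run_ordering(0));
    return 0;
}
```

Run it once as an unprivileged user and once as root: only the root run can complete the relabel-first path, and the drop-first path never completes in either case, which is the "Permission denied" from the original report reduced to its essentials.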

Thank you very much. I'll keep an eye out for an update to sudo that fixes this. But, shouldn't it be trying to set the tty context to staff_u:object_r:user_tty_device_t instead of staff_u:user_r:user_t? Just curious.

It is trying to set the context to staff_u:object_r:user_tty_device_t. staff_u:user_r:user_t is the context of the process.
