Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
SELinux upgrade problem - Can't execute /bin/su
danwalsh
Several people have stumbled upon a problem when upgrading to Fedora 9 from previous versions of Fedora with SELinux enabled.

They log in and try to run /bin/su, and it seems to have disappeared or they get "permission denied". Welcome to confined users.

Fedora 9 introduced the concept of confined users including the user_u user.

This user is not allowed to run any setuid applications including /bin/su and /bin/sudo.

In Fedora 9 user_u logins get a context of user_u:user_r:user_t.

Prior to Fedora 9, user_u users got a context of user_u:system_r:unconfined_t.


If you execute "semanage login -l" on a machine prior to Fedora 9, you get something like:

semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023


This tells the system to select the SELinux user user_u for all logins except for root.

In Fedora 9 we want the default to be:

semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

There is a trigger in the post-install script of selinux_policy that is supposed to make this change. But it does not seem to happen every time. I am not sure why, and there is little we can do to fix it now.

You can execute the following commands yourself to fix up the login mappings in your SELinux database:

# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root

If your system does not know about unconfined_u, you would also need to execute

# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u

And then execute the two lines above.
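To check whether a machine is in the stale state before running anything, here is an added example script (not from this post or from the selinux_policy package) that parses the output of "semanage login -l" and "semanage user -l" and prints only the semanage commands from above that are still needed. The listings embedded in it are constructed samples in the layout shown above; the column layout of "semanage user -l" is an assumption, and only its first column is used. With --live it reads the real listings instead.

```shell
#!/bin/sh
# Added example, not from the original post: work out which of the
# semanage commands from the post still need to be run on this machine.

# Constructed sample of "semanage login -l" in the pre-Fedora-9 state.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed sample of "semanage user -l" on a system that does not yet
# know about unconfined_u (column layout is an assumption; only $1 is read).
SAMPLE_USERS='SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

root            user       s0         s0-s0:c0.c1023   system_r sysadm_r user_r
system_u        user       s0         s0-s0:c0.c1023   system_r
user_u          user       s0         s0-s0:c0.c1023   system_r user_r'

# Read a login listing on stdin; print each login that the post says
# should map to unconfined_u (__default__ and root) but currently does not.
stale_logins() {
    awk '($1 == "__default__" || $1 == "root") && $2 != "unconfined_u" { print $1 }'
}

# Read a user listing on stdin; succeed only if unconfined_u is defined.
unconfined_u_defined() {
    awk '$1 == "unconfined_u" { found = 1 } END { exit (found ? 0 : 1) }'
}

# The login-mapping fix from the post, for one login name.
login_fix_command() {
    printf 'semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 %s\n' "$1"
}

# The SELinux-user definition from the post; needed only when
# unconfined_u is missing from the policy database.
user_add_command() {
    printf 'semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u\n'
}

# Given both listings as arguments, print the commands to run in order:
# define unconfined_u first if it is missing, then remap the stale logins.
# Prints nothing when the machine is already in the Fedora 9 state.
plan_fix() {
    logins=$1
    users=$2
    if ! printf '%s\n' "$users" | unconfined_u_defined; then
        user_add_command
    fi
    printf '%s\n' "$logins" | stale_logins | while read -r login; do
        login_fix_command "$login"
    done
}

if [ "${1:-}" = "--live" ] && command -v semanage >/dev/null 2>&1; then
    plan_fix "$(semanage login -l)" "$(semanage user -l)"
else
    plan_fix "$SAMPLE_LOGINS" "$SAMPLE_USERS"
fi
```

Run it without arguments to see the three commands the sample state needs (the user -a line first, then the two login -m lines); run it as root with --live to get the list for the current machine, then paste the printed commands. It deliberately only prints, so you can review what will change before touching the policy database.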

What is a good SELinux reference in dead-tree format?
