I recently switched from FC4 targeted (enforcing) to strict (permissive) using selinux-policy-strict-1.27.1-2.16.noarch.rpm. I did a touch /.autorelabel before rebooting.
I see this:

[bruce@BorgCube ~]$ su -
Password:
Error sending status request (Operation not permitted)
[root@BorgCube ~]#

The last part of the /var/log/audit/audit.log shows:

type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/2 result=Success)'
Any ideas?
If I change to strict, enforcing, will this prevent me from su to root?
Bruce
On Thursday 26 January 2006 14:51, Bruce Ecroyd bruce.ecroyd@gmail.com wrote:
> The last part of the /var/log/audit/audit.log shows:
> type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
> type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
When running as user_u you should not be creating any files in a directory with label sysadm_home_dir_t. If such file creation was permitted then user_t would be able to subvert sysadm_t.
> If I change to strict, enforcing, will this prevent me from su to root?
If you login as staff_r:staff_t then you will be able to su to root with administrative privs, otherwise not. This is by design.
selinux@lists.fedoraproject.org
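
Added example (not part of the original thread): a small Python parser that groups the AVC denials quoted above by source type, target type and object class, which makes the user_t versus sysadm_home_dir_t conflict described in the reply visible at a glance. The sample input is the AVC and USER records copied from the audit.log excerpt in the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt quoted in the thread above.
SAMPLE = """\
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/2 result=Success)'
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))  # audit event id, shared with the SYSCALL record
    # A context is user:role:type; the type is what type enforcement checks.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(summary)

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE).items()):
        print(f"{stype} -> {ttype}:{tclass} denied {{ {' '.join(sorted(perms))} }}")
```
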