Bug 120108
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | su'ing to root causes pam_xauth error | | |
| Product | [Fedora] Fedora | Reporter | Albert Strasheim <13640887> |
| Component | policy | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE | QA Contact | Ben Levenson <benl> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | rawhide | CC | gbpeck, pgraner, twaugh |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2004-06-14 21:16:39 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Albert Strasheim
2004-04-06 00:53:31 UTC
Fixed in rawhide. policy-1.9.2-12

I don't have permission to reopen this bug, but I'm still seeing this problem with policy-1.11.2-18. The avc message, however, is now a little bit different:

```
audit(1083040037.542:0): avc: denied { add_name } for pid=2297 exe=/bin/su name=.xauthyWmC0t scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
```

I still get the same pam_xauth error as above.

I still see audit messages from 'su' user_r -> sysadm_r as well. I don't see add_name, but instead: search in user_home_t (~/.xauth).

This comment in domains/user.te indicates that the xauthority stuff isn't meant to work in SELinux:

```
# When an ordinary user domain runs su, su may try to
# update the /root/.Xauthority file, and the user shell may
# try to update the shell history. This isnt allowed, but
# we dont need to audit it.
```

Here is the audit message I see:

```
audit(1084183402.517:0): avc: denied { search } for pid=29842 exe=/bin/su name=.xauth dev=hda6 ino=261622 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:user_home_t tclass=dir
```

and here is the change to avoid auditing it:

```diff
--- ./domains/user.te.su 2004-05-10 11:04:13.213489808 +0100
+++ ./domains/user.te 2004-05-10 11:05:26.664323584 +0100
@@ -18,7 +18,7 @@
 # update the /root/.Xauthority file, and the user shell may
 # try to update the shell history. This isnt allowed, but
 # we dont need to audit it.
-dontaudit $1_su_t sysadm_home_dir_t:dir search;
+dontaudit $1_su_t { sysadm_home_dir_t $1_home_t }:dir search;
 dontaudit $1_su_t sysadm_home_t:dir { read getattr search write add_name remove_name };
 dontaudit $1_su_t sysadm_home_t:file { read getattr create write link unlink };
 ') dnl ifdef su.te
```

Added `dontaudit $1_su_t { sysadm_home_dir_t staff_home_t }:dir search;` to policy-1.11.3-5

It needs to be `dontaudit $1_su_t { sysadm_home_dir_t $1_home_t }:dir search;`

I'm still getting:

```
audit(1084373394.830:0): avc: denied { search } for pid=29955 exe=/bin/su name=.xauth dev=hda6 ino=261622 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:user_home_t tclass=dir
```

Created attachment 100185
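Review bot: the hunk only widens the `search` dontaudit to `$1_home_t`, but the first denial quoted in this thread is `{ add_name }` on `staff_home_dir_t`, and audit2allow later still reports `add_name remove_name` on that dir and `create setattr` on the file; if the aim is to keep su's .Xauthority attempt out of the audit log, those permissions need a matching dontaudit as well (or an allow, if the update is actually meant to succeed). The `$1_home_t` form is the right one here: the quoted denial's target is `user_home_t`, which the `staff_home_t` variant the follow-up says was committed would not match.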
policy-su.patch

Patch relative to 1.11.3-5.

With policy-1.11.3-5, audit2allow says I still need:

```
allow user_su_t staff_home_dir_t:dir { add_name remove_name };
allow user_su_t staff_home_dir_t:file { create setattr };
```

Try out selinux-policy-strict-1.13.2-7

I needed to use my rawhide computer for actual work :) and had to switch to selinux-policy-targeted in the meantime. I won't have time to test this for the foreseeable future.
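The thread turns on two things: what audit2allow derives from the avc lines, and whether a proposed dontaudit actually matches the denials being reported. The following is an added example, not code from the bug or from the policy package: a small stand-in for audit2allow that parses the avc messages quoted above (embedded as constructed sample input), groups them into rules, and then checks which of those denials a candidate rule covers. It assumes that the `$1` macro argument in the user.te rules expands to `user` for the `user_su_t` / `user_home_t` domain pair seen in the denials; the rule strings are the ones from the thread.

```python
"""Derive SELinux rules from avc denials and check which denials a
candidate allow/dontaudit rule would actually cover.

Added example for this bug thread, not code from the bug or the policy
package. Sample avc lines below are the ones quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input: the three avc denials quoted in the thread.
SAMPLE_AVC = """\
audit(1083040037.542:0): avc: denied { add_name } for pid=2297 exe=/bin/su name=.xauthyWmC0t scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1084183402.517:0): avc: denied { search } for pid=29842 exe=/bin/su name=.xauth dev=hda6 ino=261622 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1084373394.830:0): avc: denied { search } for pid=29955 exe=/bin/su name=.xauth dev=hda6 ino=261622 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:user_home_t tclass=dir
"""

# The rule from the patch in the thread, and the variant the follow-up says
# was committed. "$1" is the m4 macro argument; expanding it to "user" for
# user_su_t is an assumption taken from the type names in the denials.
PATCHED_RULE = "dontaudit $1_su_t { sysadm_home_dir_t $1_home_t }:dir search;"
APPLIED_RULE = "dontaudit $1_su_t { sysadm_home_dir_t staff_home_t }:dir search;"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return permissions, source type, target type and class of one avc line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],  # user_u:user_r:user_su_t -> user_su_t
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def rules_from_avc(text, kind="allow"):
    """Group denials by (source, target, class) and emit one rule per group,
    the way audit2allow summarises a log."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def parse_rule(rule, macro_arg="user"):
    """Parse an allow/dontaudit rule, expanding the $1 macro argument."""
    rule = rule.strip().rstrip(";").replace("$1", macro_arg)
    kind, stype, rest = rule.split(None, 2)
    target_part, perm_part = rest.split(":", 1)
    tclass, perms = perm_part.split(None, 1)

    def braces(s):
        # Either a single type/permission or a "{ a b c }" set.
        return set(s.strip().strip("{}").split())

    return {"kind": kind, "stype": stype, "ttypes": braces(target_part),
            "tclass": tclass, "perms": braces(perms)}


def rule_covers(rule, denial):
    """True if the rule matches the denial's source, target, class and perms."""
    return (rule["stype"] == denial["stype"]
            and denial["ttype"] in rule["ttypes"]
            and rule["tclass"] == denial["tclass"]
            and set(denial["perms"]) <= rule["perms"])


def uncovered_denials(text, rules, macro_arg="user"):
    """Denials (one tuple per log line) that none of the given rules cover."""
    parsed = [parse_rule(r, macro_arg) for r in rules]
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d and not any(rule_covers(r, d) for r in parsed):
            out.append((d["stype"], d["ttype"], d["tclass"], tuple(d["perms"])))
    return out


if __name__ == "__main__":
    for r in rules_from_avc(SAMPLE_AVC):
        print(r)
    for label, rule in (("patch", PATCHED_RULE), ("committed", APPLIED_RULE)):
        left = uncovered_denials(SAMPLE_AVC, [rule])
        print(f"{label}: {len(left)} denial line(s) still audited: {left}")
```

Run against the sample, the patched rule silences both `search` denials on `user_home_t` but leaves the `add_name` denial on `staff_home_dir_t`, while the committed `staff_home_t` variant matches none of the three lines, which is exactly what the "I'm still getting" comment reports.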