Bug 1290633
| Field | Value |
|---|---|
| Summary | Cannot run setup-ds.pl as confined user. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | wibrown <wibrown> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | low |
| Docs Contact | |
| Priority | medium |
| Version | 7.1 |
| CC | amsharma, emrakova, lvrabec, mgrepl, mmalik, mthacker, nhosoi, plautrba, pvrabec, ssekidde, vashirov, wibrown |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1330525 |
| Environment | |
| Last Closed | 2017-08-01 15:10:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1330525 |
Description
wibrown@redhat.com
2015-12-11 00:50:42 UTC
I am following the last section of https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html for configuring a confined user which will have sudo permissions. But I am facing the issue below.

All steps with details
===========================

[root@auto-hv-02-guest09 ~]# semanage user -a -r s0-s0:c0.c1023 -R "user_r sysadm_r" SeLinux_user_u
[root@auto-hv-02-guest09 ~]# cp /etc/selinux/targeted/contexts/users/sysadm_u /etc/selinux/targeted/contexts/users/SeLinux_user_u
[root@auto-hv-02-guest09 ~]# useradd Se_test
[root@auto-hv-02-guest09 ~]# passwd Se_test
Changing password for user se_test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@auto-hv-02-guest09 ~]# semanage login -a -s SeLinux_user_u -rs0:c0.c1023 Se_test
[root@auto-hv-02-guest09 ~]# vim /etc/sudoers.d/Se_test
Se_test ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh
[root@auto-hv-02-guest09 ~]# restorecon -FR -v /home/Se_test/
restorecon reset /home/Se_test context unconfined_u:object_r:user_home_dir_t:s0->SeLinux_user_u:object_r:user_home_dir_t:s0
restorecon reset /home/Se_test/.bash_logout context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.bash_profile context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.bashrc context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.emacs context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0

[Se_test@auto-hv-02-guest09 ~]$ id -Z
SeLinux_user_u:user_r:user_t:s0:c0.c1023
[Se_test@auto-hv-02-guest09 ~]$ sudo -i
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1002, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin
[Se_test@auto-hv-02-guest09 ~]$ id -Z
SeLinux_user_u:user_r:user_t:s0:c0.c1023

[root@auto-hv-02-guest09 ~]# semanage user -l | grep SELinux
SELinux User    Prefix  MCS Level  MCS Range        SELinux Roles
SELinux_user_u  user    s0         s0-s0:c0.c1023   sysadm_r
[root@auto-hv-02-guest09 ~]# semanage login -l | grep SELinux
Login Name  SELinux User    MLS/MCS Range  Service
se_test     SELinux_user_u  s0:c0.c1023    *
==========================================================================================

I have my test machine in the same state; if you want to take a look, please send me a mail and I will share the setup details by mail.

Note: There is a corresponding bug filed against 389-ds-base - Blocks: 1330525.

I'm asking this question to Ami on the bug.

Getting selinux error, please check - https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c8

Getting selinux error, please check - https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c9

Getting selinux error, please check - https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c14

Error is changed now with
[root@qeos-126 export]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-161.el7.noarch
selinux-policy-3.13.1-161.el7.noarch
----------------
[root@qeos-126 export]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-161.el7.noarch
selinux-policy-3.13.1-161.el7.noarch
[root@qeos-126 export]# semanage user -l
SELinuxUser  LabelingPrefix  MLS/MCSLevel  MLS/MCSRange     SELinuxRoles
staff_u      user            s0            s0-s0:c0.c1023   staff_r sysadm_r
[root@qeos-126 export]# semanage login -l
Login Name  SELinux User  MLS/MCS Range  Service
amita       staff_u       s0:c0.c1023    *
-----------------------------
[amsharma@dhcp201-141 ~]$ ssh amita.174.203
amita.174.203's password:
*** 1minutetip system created by amsharma - Thu Jun 15 03:15:37 EDT 2017 ***
[amita@qeos-126 ~]$ id -Z
staff_u:staff_r:staff_t:s0:c0.c1023
[amita@qeos-126 ~]$ sudo -i

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for amita:
[root@qeos-126 ~]# setup-ds.pl
==============================================================================
This program will set up the 389 Directory Server.
. . . .
Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Could not import LDIF file '/tmp/ldifYgO_iV.ldif'. Error: 59648. Output: importing data ...
[15/Jun/2017:03:39:00.208661436 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[15/Jun/2017:03:39:00.216139940 -0400] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Jun/2017:03:39:00.216615521 -0400] - INFO - check_and_set_import_cache - pagesize: 4096, available bytes 1606987776, process usage 16822272
[15/Jun/2017:03:39:00.216966060 -0400] - INFO - check_and_set_import_cache - Import allocates 627729KB import cache.
[15/Jun/2017:03:39:00.233169900 -0400] - INFO - import_main_offline - import userRoot: Beginning import job...
[15/Jun/2017:03:39:00.233885677 -0400] - INFO - import_main_offline - import userRoot: Index buffering enabled with bucket size 100
[15/Jun/2017:03:39:00.435199641 -0400] - ERR - import_producer - import userRoot: Could not open LDIF file "/tmp/ldifYgO_iV.ldif", errno 13 (Permission denied)
[15/Jun/2017:03:39:00.535521682 -0400] - ERR - import_run_pass - import userRoot: Thread monitoring returned: -23
[15/Jun/2017:03:39:00.536005270 -0400] - ERR - import_main_offline - import userRoot: Aborting all Import threads...
[15/Jun/2017:03:39:06.043056442 -0400] - ERR - import_main_offline - import userRoot: Import threads aborted.
[15/Jun/2017:03:39:06.043694865 -0400] - INFO - import_main_offline - import userRoot: Closing files...
[15/Jun/2017:03:39:06.045388420 -0400] - INFO - dblayer_pre_close - All database threads now stopped
[15/Jun/2017:03:39:06.045775026 -0400] - ERR - import_main_offline - import userRoot: Import failed.
Error: Could not create directory server instance 'qeos-126'.
Exiting . . .
Log file is '/tmp/setupW4J276.log'

LOGS
--------
[root@qeos-126 ~]# tail -f /var/log/audit/audit.log
type=CRYPTO_KEY_USER msg=audit(1497512268.133:408): pid=11214 uid=0 auid=1001 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:2c:46:1e:83:1c:cf:ac:58:07:2c:90:08:a7:75:b1:9a:43:65:f4:c0:1e:bc:ec:7c:33:8e:7d:75:ab:83:44:6e direction=? spid=11219 suid=1001 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1497512287.164:409): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1497512287.166:410): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1497512287.167:411): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1497512287.167:412): pid=11239 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1497512287.169:413): pid=11239 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ROLE_CHANGE msg=audit(1497512287.172:414): pid=11243 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='newrole: old-context=staff_u:staff_r:staff_t:s0:c0.c1023 new-context=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1497512340.433:415): avc: denied { open } for pid=11310 comm="ns-slapd" path="/tmp/ldifYgO_iV.ldif" dev="vda1" ino=337257 scontext=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1497512340.433:415): arch=c000003e syscall=2 success=no exit=-13 a0=55b254390980 a1=0 a2=0 a3=7f8581aa78d0 items=0 ppid=11282 pid=11310 auid=1001 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=7 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1497512340.433:415): proctitle=2F7573722F7362696E2F6E732D736C617064006C646966326462002D44002F6574632F6469727372762F736C6170642D71656F732D313236002D6E0075736572726F6F74002D69002F746D702F6C64696659674F5F69562E6C646966

Amita,

Do you know which process created file: /tmp/ldifYgO_iV.ldif ?

Thanks.
(In reply to Lukas Vrabec from comment #12)
> Amita,
>
> Do you know which process created file: /tmp/ldifYgO_iV.ldif ?

Hi Lukas,
It is the ns-slapd process of the directory server. The setup-ds.pl script creates this file.

>
> Thanks.

With the latest selinux build getting the error below -

[root@qeos-161 export]# rpm -qa | grep selinux
selinux-policy-3.13.1-163.el7.noarch
[root@qeos-161 export]# semanage user -a -r s0-s0:c0.c1023 -R "staff_r sysadm_r" staff_u
[root@qeos-161 export]# useradd amita
[root@qeos-161 export]# passwd amita
Changing password for user amita.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@qeos-161 export]# semanage login -a -s staff_u -rs0:c0.c1023 amita
[root@qeos-161 export]# echo "amita ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh " > /etc/sudoers.d/amita
[root@qeos-161 export]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r
[root@qeos-161 export]# semanage login -l
Login Name  SELinux User  MLS/MCS Range  Service
amita       staff_u       s0:c0.c1023    *
[root@qeos-161 export]# restorecon -FR -v /home/amita/
restorecon reset /home/amita context unconfined_u:object_r:user_home_dir_t:s0->staff_u:object_r:user_home_dir_t:s0
restorecon reset /home/amita/.bash_logout context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0
restorecon reset /home/amita/.bash_profile context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0
restorecon reset /home/amita/.bashrc context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0

[amsharma@dhcp201-141 upstream-tests]$ ssh amita.172.84
amita.172.84's password:
*** 1minutetip system created by amsharma - Wed Jun 21 06:37:25 EDT 2017 ***
[amita@qeos-161 ~]$ id -Z
staff_u:staff_r:staff_t:s0:c0.c1023
[amita@qeos-161 ~]$ sudo -i

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for amita:
-bash: /root/.bash_profile: Permission denied
-bash-4.2#

LOGS
-----
[root@qeos-161 export]# tail -f /var/log/audit/audit.log
type=USER_START msg=audit(1498042089.711:500): pid=12366 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.65.223.46 addr=10.65.223.46 terminal=/dev/pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1498042089.720:501): pid=12366 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:7e:70:b3:82:e9:70:4a:76:f2:4e:77:a2:44:b8:d5:90:2d:ba:c5:6a:5b:c3:de:13:8e:ba:e3:f6:52:c5:2b:20 direction=? spid=12371 suid=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1498042106.461:502): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1498042106.462:503): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1498042106.463:504): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1498042106.463:505): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1498042106.464:506): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1498042106.479:507): avc: denied { read } for pid=12395 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042106.479:507): arch=c000003e syscall=2 success=no exit=-13 a0=1405a70 a1=0 a2=435680 a3=7f2f5949f120 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042106.479:507): proctitle="-bash"
type=AVC msg=audit(1498042436.698:508): avc: denied { read } for pid=12395 comm="bash" name=".bash_logout" dev="vda1" ino=2548494 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042436.698:508): arch=c000003e syscall=2 success=no exit=-13 a0=140e5a0 a1=0 a2=435680 a3=2 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042436.698:508): proctitle="-bash"
type=AVC msg=audit(1498042436.699:509): avc: denied { dac_override } for pid=12395 comm="bash" capability=1 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1498042436.699:509): arch=c000003e syscall=2 success=no exit=-13 a0=1403ff0 a1=241 a2=180 a3=0 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042436.699:509): proctitle="-bash"
type=USER_END msg=audit(1498042436.700:510): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CRED_DISP msg=audit(1498042436.700:511): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1498042441.285:512): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1498042441.286:513): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1498042441.287:514): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1498042441.287:515): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1498042441.287:516): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1498042441.300:517): avc: denied { read } for pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042441.300:517): arch=c000003e syscall=2 success=no exit=-13 a0=151ea70 a1=0 a2=435680 a3=7f7183079120 items=0 ppid=12414 pid=12418 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042441.300:517): proctitle="-bash"
-------------------------------------------------
ausearch -ts recent
time->Wed Jun 21 06:54:01 2017
type=USER_AUTH msg=audit(1498042441.285:512): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_ACCT msg=audit(1498042441.286:513): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_CMD msg=audit(1498042441.287:514): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=CRED_REFR msg=audit(1498042441.287:515): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_START msg=audit(1498042441.287:516): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=PROCTITLE msg=audit(1498042441.300:517): proctitle="-bash"
type=SYSCALL msg=audit(1498042441.300:517): arch=c000003e syscall=2 success=no exit=-13 a0=151ea70 a1=0 a2=435680 a3=7f7183079120 items=0 ppid=12414 pid=12418 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=AVC msg=audit(1498042441.300:517): avc: denied { read } for pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

Getting same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1290633#c16 with latest build - selinux-policy.noarch 0:3.13.1-164.el7 too.

[root@qeos-66 export]# rpm -qa | grep selinux
selinux-policy-3.13.1-165.el7.noarch

Installed DS with confined user amita -
========================================
The server must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations.
If you have not yet created a user and group for the server, create this user and group using your native operating system utilities.
System User [dirsrv]: amita
System Group [dirsrv]: amita
==============================================================================
The standard directory server network port number is 389.
However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier.
Directory server identifier [qeos-66]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes.
Suffix [dc=lab, dc=eng, dc=rdu2, dc=redhat, dc=com]:
==============================================================================
Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'qeos-66' was successfully created.
Exiting . . .
Log file is '/tmp/setupoZIS1H.log'

[root@qeos-66 export]# ps auxZ | grep ns-slapd
system_u:system_r:dirsrv_t:s0 amita 23069 0.0 1.4 701712 27528 ? Ssl 07:27 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-qeos-66 -i /var/run/dirsrv/slapd-qeos-66.pid

Hence VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
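As an added example (not code from this bug report or from selinux-policy), the following script parses the AVC records quoted in the comments above and groups the denials by source type, target type, object class and permission, which is the unit the policy maintainers reasoned about when they separated the dirsrv_t/user_tmp_t denial from the staff_t/admin_home_t ones. The sample records are copied from the audit.log excerpts in this bug; no other input is assumed.

```python
"""Triage the SELinux AVC denials quoted in this bug.

Added example for this thread; it is not code from the bug report or from
selinux-policy.  The records in SAMPLE_AUDIT_LOG are copied from the
audit.log excerpts above, so the output matches what the reporters saw.
"""
import re
from collections import Counter

# Constructed sample: one non-AVC record plus the three distinct AVC
# denials from the thread (ns-slapd on the LDIF, bash on /root dotfiles,
# and the follow-on dac_override attempt).
SAMPLE_AUDIT_LOG = """\
type=USER_ROLE_CHANGE msg=audit(1497512287.172:414): pid=11243 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='newrole: old-context=staff_u:staff_r:staff_t:s0:c0.c1023 new-context=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1497512340.433:415): avc: denied { open } for pid=11310 comm="ns-slapd" path="/tmp/ldifYgO_iV.ldif" dev="vda1" ino=337257 scontext=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1498042106.479:507): avc: denied { read } for pid=12395 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1498042436.699:509): avc: denied { dac_override } for pid=12395 comm="bash" capability=1 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0:c0.c1023 tclass=capability
"""

# Header of an AVC record: timestamp:serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"(?P<rest>.*)$"
)
# key=value pairs in the remainder; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split 'user:role:type[:range]' into a dict; the MLS/MCS range may be absent."""
    parts = ctx.split(":", 3)
    parts += [""] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_avc(line):
    """Parse one audit.log line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        # file objects carry path= or name=; capability denials carry capability=
        "target": fields.get("path") or fields.get("name") or fields.get("capability", ""),
        "tclass": fields.get("tclass", ""),
        "source": split_context(fields.get("scontext", "")),
        "target_ctx": split_context(fields.get("tcontext", "")),
    }


def summarize(log_text):
    """Return (denials, counts): the parsed denials and a Counter keyed by
    (source type, target type, object class, permission).

    The key is what a policy maintainer reasons about: it names the missing
    type-enforcement rule independent of SELinux user, role or MCS range.
    """
    denials = [r for r in map(parse_avc, log_text.splitlines())
               if r is not None and r["result"] == "denied"]
    counts = Counter()
    for r in denials:
        for perm in r["perms"]:
            counts[(r["source"]["type"], r["target_ctx"]["type"], r["tclass"], perm)] += 1
    return denials, counts


def as_allow_rules(counts):
    """Render the grouped denials as the allow rules that would silence them.

    This is a triage view only (what audit2allow would propose).  In this
    thread the first denial came from the LDIF carrying the user_tmp_t
    label, and the fix shipped in selinux-policy rather than as a local
    allow rule, so review each line before loading anything.
    """
    rules = []
    for (stype, ttype, tclass, perm), _ in sorted(counts.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perm} }};")
    return rules


if __name__ == "__main__":
    denials, counts = summarize(SAMPLE_AUDIT_LOG)
    for r in denials:
        print(f"{r['serial']}: {r['comm']} ({r['source']['type']}) -> "
              f"{r['target']} ({r['target_ctx']['type']}:{r['tclass']}) {r['perms']}")
    print("\n".join(as_allow_rules(counts)))
```

Run it against a real /var/log/audit/audit.log by passing the file contents to summarize(); non-AVC records such as USER_ROLE_CHANGE are skipped, which is why the sample includes one.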