Bug 145876

Summary: Unable to su in single mode
Product: [Fedora] Fedora Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strictAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: kwade, notting, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 1.25.4-10.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-15 15:59:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 118757, 151189    

Description Ivan Gyurdiev 2005-01-22 23:11:22 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
audit(1106432753.125:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_chkpwd_t for
scontext=system_u:system_r:sysadm_su_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=process




Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.2-7

How reproducible:
Didn't try

Steps to Reproduce:
  

Additional info:
Comment 1 Daniel Walsh 2005-01-24 20:53:46 UTC 
Can you try 
make -C /etc/selinux/strict/src/policy load 

and see if this goes away?
Comment 2 Ivan Gyurdiev 2005-01-25 02:40:29 UTC 
Reload the policy? I always do that. It doesn't fix it.
Why is the single user role system_r. Shouldn't it be sysadm_r? 

system_r's not allowed to sysadm_chkpwd_t I think

Where is the role set - I couldn't figure that out.
Comment 3 Stephen Smalley 2005-01-25 15:05:16 UTC 
sulogin will manually set the security context for you if you have configured
/etc/inittab to run it for single-user mode, see man 5 inittab.
Otherwise, there is a default transition to sysadm_t when init runs a shell, but
that won't set the role.  And we likely don't want to auto transition roles from
system_r to sysadm_r upon shell_exec_t, as that would have other implications.
Comment 4 Stephen Smalley 2005-01-25 16:07:00 UTC 
Need to patch init to explicitly set the security context if the single user shell
is not sulogin.  Just a get_default_context("root", NULL, &newcon);
setexeccon(newcon); prior to exec'ing the single user shell.
Comment 5 Daniel Walsh 2005-01-26 23:12:07 UTC 
This looks to be very hacky.  I am not crazy about doing this.  

Bill, do you have any ideas?

Dan
Comment 6 Bill Nottingham 2005-01-27 05:36:46 UTC 
Can we do the auto transation only when it's execed by init?
Comment 7 Stephen Smalley 2005-01-27 12:14:30 UTC 
No, role transitions are just based on the current role and the program file's
TE type, e.g. role_transition system_r shell_exec_t sysadm_r;, and that would
affect all system processes.  Now, it should be noted that this is only an issue
with strict policy, not targeted, and that if someone is using strict policy, we
could just recommend that they change inittab to run sulogin as the single user
shell, as that is what any security-conscious person is going to do anyway.  Not
sure why it isn't the default.
Comment 8 Bill Nottingham 2005-01-27 17:26:06 UTC 
The reason it's not the default is because if you can get to single user mode,
you can already get root, easily. (either through other bootloader args, or, if
you're running 'telinit', you're already root. So, an additional request of the
root password is not generally useful without other changes.
Comment 9 Ivan Gyurdiev 2005-02-10 01:30:33 UTC 
Status of this bug from a user's perspective:

- still in system_r
- su to root opens and closes session immediately with no denials in enforcing mode
- su to root works fine in permissive mode with the following denials:

audit(1107996617.937:0): avc:  denied  { relabelfrom } for  pid=2158 exe=/bin/su
name=console dev=tmpfs ino=531 scontext=system_u:system_r:sysadm_su_t
tcontext=system_u:object_r:console_device_t tclass=chr_file

audit(1107996617.937:0): avc:  denied  { relabelto } for  pid=2158 exe=/bin/su
name=console dev=tmpfs ino=531 scontext=system_u:system_r:sysadm_su_t
tcontext=root:object_r:console_device_t tclass=chr_file

- su to regular user produces the following denial:

audit(1107996433.925:0): avc:  denied  { read write } for  pid=2078
exe=/bin/bash name=console dev=tmpfs ino=531 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
Comment 10 Ivan Gyurdiev 2005-03-13 05:45:23 UTC 
What is the status of this bug?
I think it's still broken. 
Will init be changed?
Comment 11 Daniel Walsh 2005-04-21 13:24:43 UTC 
I think I agree with Steven the best solution is to recommend

Change inittab to run sulogin as the single user shell.

              ~:S:wait:/sbin/sulogin

Be added to inittab for strict/mls policy.

Dan
Comment 12 Ivan Gyurdiev 2005-05-10 16:26:52 UTC 
I thought this was supposed to be fixed?
I remember seeing something in the Fedora changelog about 
using sulogin. Retested and it's still broken.

I see an inittab.rpmnew in /etc, but the only thing it 
changes is to set my default runlevel to 3 (not sure why).

This is: initscripts-8.09-1
Comment 13 Karsten Wade 2005-09-15 18:50:39 UTC 
Adding as a blocker against the SELinux FAQ tracker bug #118757.
Comment 14 Karsten Wade 2005-09-15 18:53:09 UTC 
Oops, also added the master release notes tracker bug #151189 as a blocker. 
We'll track this recommendation for inclusion in the FC5 test/release notes, if
needed.