Bug 519017

Summary: sudo unable to authenticate
Product: Red Hat Enterprise Linux 5
Reporter: Doug SIkora <dsikora>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: low
Version: 5.2
CC: dkopecek, dsikora, dwalsh, ebenes, mgrepl, mmalik, mransom, sgrubb
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-30 07:50:03 UTC
Attachments: policy module source to create roles (flags: none)

Description Doug SIkora 2009-08-24 15:55:07 UTC
Created attachment 358475 [details]
policy module source to create roles

Description of problem:
sudo is prevented from reading /etc/shadow; it should fail over to using PAM.
The selinux patch to add /usr/libexec/sesh should be added back.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. Install a rhel 5.2 system with MLS policy (I used selinux-policy-mls-2.4.6-255.el5.noarch.rpm)
2. Create a new set of roles and give sudo privileges with sudo_per_role_template
3. Give a user that is assigned to the new role sudo permissions with visudo
4. Log in as user and try using su to do something as root, such as sudo more /etc/shadow
Actual results:
sudo cannot authenticate; the password is never accepted. The error messages written to the log are PAM authentication errors when sudo tries to authenticate.

Expected results:
user can provide password and execute command as root (via sudo)

Additional info: see attachment for example of role creation policy module

Comment 1 Daniel Walsh 2009-08-25 13:56:59 UTC
We need sudo to execute an intermediary shell to get all transitions to happen properly. I should not have removed this from sudo in RHEL5. sudo that is currently in Fedora 10, 11, Rawhide has the sesh and works properly.

Comment 4 Milos Malik 2010-03-01 11:34:15 UTC
$ id -Z
iaoadmin_u:iaoadmin_r:iaoadmin_t:s0
$ sudo more /etc/group
sudo: unable to execute /bin/more: Permission denied

The following 2 AVCs appeared:
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:296): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ffffd8b500 a2=9 a3=8 items=0 ppid=2237 pid=2238 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="bash" exe="/bin/bash" subj=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:300): arch=80000016 syscall=33 success=no exit=-13 a0=2aaaaae44b0 a1=1 a2=2aaaaacb2f2 a3=20000000002 items=0 ppid=2238 pid=2537 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="sudo" exe="/usr/bin/sudo" subj=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 comm="sudo" name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----

Comment 5 Daniel Walsh 2010-03-01 15:42:25 UTC
Miroslav, F12 has the equivalent of

	corecmd_bin_domtrans($1_sudo_t, $2)

This needs to be added to RHEL5.


Milos, the netlink_audit_socket has to be added to your own policy.
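
The two AVC records in comment 4 map onto the two causes named in comment 5. As an added example (not code from this bug or from the selinux-policy package), the script below parses audit AVC lines and reports which of those two causes each denial matches; the two sample records are constructed copies of the ones quoted above.

```python
import re

# Constructed sample input: the two AVC records quoted in comment 4 of this bug.
AVC_LINES = [
    'type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 comm="bash" '
    'scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 '
    'tclass=netlink_audit_socket',
    'type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 comm="sudo" '
    'name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." as written by the kernel.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with result, perms (list) and every key=value field, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:range]; keep the type alone for matching.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(rec):
    """Classify a parsed denial against the two causes discussed in this bug."""
    if rec is None or rec["result"] != "denied":
        return None
    src, tgt, cls = rec["scontext_type"], rec["tcontext_type"], rec["tclass"]
    if src.endswith("_sudo_t") and tgt == "bin_t" and cls == "file" and "execute" in rec["perms"]:
        return "sudo domain %s cannot run bin_t commands: base policy needs corecmd_bin_domtrans" % src
    if cls == "netlink_audit_socket" and "create" in rec["perms"]:
        return "%s lacks netlink_audit_socket create: grant it in the role's own policy module" % src
    return "unclassified denial: %s -> %s %s %s" % (src, tgt, cls, rec["perms"])


def diagnose_lines(lines):
    """Run the classifier over a list of raw audit lines."""
    return [diagnose(parse_avc(line)) for line in lines]
```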

Comment 6 Miroslav Grepl 2010-03-02 09:41:17 UTC
Added to selinux-policy-2.4.6-278.el5

Comment 9 errata-xmlrpc 2010-03-30 07:50:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html