Bug 519017 - sudo unable to authenticate
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware/OS: All Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2009-08-24 11:55 EDT by Doug SIkora
Modified: 2014-09-09 23:45 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:50:03 EDT

Attachments
policy module source to create roles (3.85 KB, application/octet-stream), 2009-08-24 11:55 EDT, Doug SIkora
Description Doug SIkora 2009-08-24 11:55:07 EDT
Created attachment 358475 [details]
policy module source to create roles

Description of problem:
sudo is prevented from reading /etc/shadow; it should fail over to using PAM.
The selinux patch to add /usr/libexec/sesh should be added back.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. Install a RHEL 5.2 system with the MLS policy (I used selinux-policy-mls-2.4.6-255.el5.noarch.rpm).
2. Create a new set of roles and give them sudo privileges with sudo_per_role_template.
3. Give a user that is assigned to the new role sudo permissions with visudo.
4. Log in as the user and try using su to do something as root, such as sudo more /etc/shadow.
Actual results:
sudo cannot authenticate; the password is never accepted. The error messages written to the log are PAM authentication errors when sudo tries to authenticate.

Expected results:
user can provide password and execute command as root (via sudo)

Additional info: see attachment for example of role creation policy module
Comment 1 Daniel Walsh 2009-08-25 09:56:59 EDT
We need sudo to execute an intermediary shell to get all transitions to happen properly.  I should not have removed this from sudo in RHEL5.  The sudo that is currently in Fedora 10, 11, and Rawhide has the sesh and works properly.
Comment 4 Milos Malik 2010-03-01 06:34:15 EST
$ id -Z
$ sudo more /etc/group
sudo: unable to execute /bin/more: Permission denied

The following 2 AVCs appeared:
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:296): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ffffd8b500 a2=9 a3=8 items=0 ppid=2237 pid=2238 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="bash" exe="/bin/bash" subj=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:300): arch=80000016 syscall=33 success=no exit=-13 a0=2aaaaae44b0 a1=1 a2=2aaaaacb2f2 a3=20000000002 items=0 ppid=2238 pid=2537 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="sudo" exe="/usr/bin/sudo" subj=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 comm="sudo" name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 5 Daniel Walsh 2010-03-01 10:42:25 EST
Miroslav,  F12 has the equivalent of 

	corecmd_bin_domtrans($1_sudo_t, $2)

This needs to be added to RHEL5.

Milos, the netlink_audit_socket has to be added to your own policy.
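The two rules Dan describes in this comment, written out as a local policy module for the iaoadmin role whose AVCs appear in comment 4. This is an added example, not the attached role module or the RHEL5 policy fix; the module name is constructed, and the type names are taken from the AVC contexts above.

```selinux
# Constructed local module (save as local_iaoadmin_sudo.te).
# Build and load on RHEL5 with selinux-policy-devel installed:
#   make -f /usr/share/selinux/devel/Makefile local_iaoadmin_sudo.pp
#   semodule -i local_iaoadmin_sudo.pp
policy_module(local_iaoadmin_sudo, 1.0)

gen_require(`
	type iaoadmin_t;
	type iaoadmin_sudo_t;
')

# Second AVC: sudo, running in iaoadmin_sudo_t, was denied execute on
# /bin/more (labelled bin_t). corecmd_bin_domtrans() allows a domain to
# execute bin_t files and transitions the child into the given target
# domain, here the user's own domain iaoadmin_t. This is the per-role
# equivalent of the F12 template line corecmd_bin_domtrans($1_sudo_t, $2).
corecmd_bin_domtrans(iaoadmin_sudo_t, iaoadmin_t)

# First AVC: bash in iaoadmin_t was denied { create } on a netlink audit
# socket. Dan says this belongs in the role's own policy rather than the
# base policy. Only create was logged; if further denials appear on
# netlink_audit_socket, widen this rule from those AVCs (the refpolicy
# logging_send_audit_msgs() interface grants the full set).
allow iaoadmin_t self:netlink_audit_socket create;
```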
Comment 6 Miroslav Grepl 2010-03-02 04:41:17 EST
Added to selinux-policy-2.4.6-278.el5
Comment 9 errata-xmlrpc 2010-03-30 03:50:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.