Created attachment 358475 [details]
policy module source to create roles

Description of problem:
sudo prevented from reading /etc/shadow, should fail over to use pam. selinux patch to add /usr/libexec/sesh should be added back.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. install a rhel 5.2 system with MLS policy (I used selinux-policy-mls-2.4.6-255.el5.noarch.rpm)
2. create a new set of roles and give sudo privileges with sudo_per_role_template
3. give a user that is assigned to the new role sudo permissions with visudo
4. log in as user and try using su to do something as root, such as sudo more /etc/shadow

Actual results:
sudo cannot authenticate, password is never accepted. error message written to log is pam authentication errors when sudo tries to authenticate

Expected results:
user can provide password and execute command as root (via sudo)

Additional info:
see attachment for example of role creation policy module
We need sudo to execute an intermediary shell to get all transitions to happen properly. I should not have removed this from sudo in RHEL5. sudo that is currently in Fedora 10,11, Rawhide has the sesh and works properly.
$ id -Z
iaoadmin_u:iaoadmin_r:iaoadmin_t:s0
$ sudo more /etc/group
sudo: unable to execute /bin/more: Permission denied

Following 2 AVCs appeared:
----
time->Mon Mar 1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:296): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ffffd8b500 a2=9 a3=8 items=0 ppid=2237 pid=2238 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="bash" exe="/bin/bash" subj=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:296): avc: denied { create } for pid=2238 comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket
----
time->Mon Mar 1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:300): arch=80000016 syscall=33 success=no exit=-13 a0=2aaaaae44b0 a1=1 a2=2aaaaacb2f2 a3=20000000002 items=0 ppid=2238 pid=2537 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="sudo" exe="/usr/bin/sudo" subj=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:300): avc: denied { execute } for pid=2537 comm="sudo" name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
Miroslav, F12 has the equivalent of corecmd_bin_domtrans($1_sudo_t, $2). This needs to be added to RHEL5. Milos, the netlink_audit_socket has to be added to your own policy.
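As an added example (not code from the report, the attachment or the errata), the two fixes named in the comment above written as a local policy module for the iaoadmin role from comment 3; it assumes the iaoadmin_t and iaoadmin_sudo_t types produced by the attachment's sudo_per_role_template, the refpolicy interface corecmd_bin_domtrans(source_domain, target_domain), and that selinux-policy-devel is installed for the build:

```m4
# iaoadmin_sudo_local.te -- added example, not from the bug report or errata.
# Assumes the iaoadmin_t / iaoadmin_sudo_t domains created for iaoadmin_r by
# sudo_per_role_template, and the refpolicy interface corecmd_bin_domtrans.
policy_module(iaoadmin_sudo_local, 1.0)

require {
	type iaoadmin_t;
	type iaoadmin_sudo_t;
}

# AVC 1 in comment 3: bash running as iaoadmin_t is denied { create } on a
# netlink_audit_socket. Per the comment above this belongs in the role's own
# module. Only "create" was denied in the captured AVC; the full permission
# set below is an assumption, so re-check audit.log after loading the module.
allow iaoadmin_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# AVC 2 in comment 3: iaoadmin_sudo_t is denied { execute } on bin_t
# (/bin/more). This is the rule corecmd_bin_domtrans($1_sudo_t, $2) adds to
# the template: sudo may execute bin_t files and the child transitions back
# to the user's domain instead of staying in iaoadmin_sudo_t.
corecmd_bin_domtrans(iaoadmin_sudo_t, iaoadmin_t)

# Build and load (shell commands, shown as comments; needs selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile iaoadmin_sudo_local.pp
#   semodule -i iaoadmin_sudo_local.pp
```

Once the fixed selinux-policy package is installed the domtrans rule is supplied by the base policy and the local module can be reduced to the netlink_audit_socket rule.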
Added to selinux-policy-2.4.6-278.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html