Bug 519017 - sudo unable to authenticate
Summary: sudo unable to authenticate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
low
high
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-08-24 15:55 UTC by Doug SIkora
Modified: 2014-09-10 03:45 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:50:03 UTC
Target Upstream Version:
Embargoed:


Attachments
policy module source to create roles (3.85 KB, application/octet-stream)
2009-08-24 15:55 UTC, Doug SIkora


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Doug SIkora 2009-08-24 15:55:07 UTC
Created attachment 358475 [details]
policy module source to create roles

Description of problem:
sudo is prevented from reading /etc/shadow; it should fail over to using pam.
The selinux patch to add /usr/libexec/sesh should be added back.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. Install a RHEL 5.2 system with MLS policy (I used selinux-policy-mls-2.4.6-255.el5.noarch.rpm)
2. Create a new set of roles and give sudo privileges with sudo_per_role_template
3. Give a user that is assigned to the new role sudo permissions with visudo
4. Log in as the user and try using su to do something as root, such as sudo more /etc/shadow
  
Actual results:
sudo cannot authenticate; the password is never accepted. The error message written to the log is pam authentication errors when sudo tries to authenticate.

Expected results:
user can provide password and execute command as root (via sudo)

Additional info: see attachment for example of role creation policy module

Comment 1 Daniel Walsh 2009-08-25 13:56:59 UTC
We need sudo to execute an intermediary shell to get all transitions to happen properly. I should not have removed this from sudo in RHEL5. The sudo that is currently in Fedora 10, 11 and Rawhide has the sesh and works properly.

Comment 4 Milos Malik 2010-03-01 11:34:15 UTC
$ id -Z
iaoadmin_u:iaoadmin_r:iaoadmin_t:s0
$ sudo more /etc/group
sudo: unable to execute /bin/more: Permission denied

Following 2 AVCs appeared:
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:296): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ffffd8b500 a2=9 a3=8 items=0 ppid=2237 pid=2238 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="bash" exe="/bin/bash" subj=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:300): arch=80000016 syscall=33 success=no exit=-13 a0=2aaaaae44b0 a1=1 a2=2aaaaacb2f2 a3=20000000002 items=0 ppid=2238 pid=2537 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="sudo" exe="/usr/bin/sudo" subj=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 comm="sudo" name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----

Comment 5 Daniel Walsh 2010-03-01 15:42:25 UTC
Miroslav, F12 has the equivalent of

	corecmd_bin_domtrans($1_sudo_t, $2)

This needs to be added to RHEL5.


Milos, the netlink_audit_socket has to be added to your own policy.
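
The two changes this comment calls for, written out as an added example policy module that is not from the bug report or from the selinux-policy package; it assumes the role prefix iaoadmin seen in comment 4 and the standard RHEL 5 refpolicy build Makefile path:

```selinux
# Hypothetical local module (name and role prefix are assumptions).
# Build and load with:
#   make -f /usr/share/selinux/devel/Makefile iaoadmin_sudo_fix.pp
#   semodule -i iaoadmin_sudo_fix.pp
policy_module(iaoadmin_sudo_fix, 1.0)

gen_require(`
    type iaoadmin_t;
    type iaoadmin_sudo_t;
')

# Equivalent of the F12 line quoted above: let the per-role sudo domain
# execute programs labelled bin_t (e.g. /bin/more) and transition back
# into the user's domain, which clears the "execute ... tclass=file" AVC.
corecmd_bin_domtrans(iaoadmin_sudo_t, iaoadmin_t)

# The first AVC in comment 4 is the user's shell being denied a netlink
# audit socket; that permission belongs in the site's own role policy.
allow iaoadmin_t self:netlink_audit_socket { create bind read write nlmsg_relay };
```

After loading the module, re-run the sudo command and confirm with ausearch -m avc that neither denial reappears.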

Comment 6 Miroslav Grepl 2010-03-02 09:41:17 UTC
Added to selinux-policy-2.4.6-278.el5

Comment 9 errata-xmlrpc 2010-03-30 07:50:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

