Bug 519017 - sudo unable to authenticate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2009-08-24 11:55 EDT by Doug SIkora
Modified: 2014-09-09 23:45 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:50:03 EDT

Attachments
policy module source to create roles (3.85 KB, application/octet-stream)
2009-08-24 11:55 EDT, Doug SIkora
Description Doug SIkora 2009-08-24 11:55:07 EDT
Created attachment 358475
policy module source to create roles

Description of problem:
sudo is prevented from reading /etc/shadow; it should fail over to using PAM.
The selinux patch to add /usr/libexec/sesh should be added back.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. install a rhel 5.2 system with MLS policy (I used selinux-policy-mls-2.4.6-255.el5.noarch.rpm)
2. create a new set of roles and give sudo privileges with sudo_per_role_template
3. give a user that is assigned to the new role sudo permissions with visudo
4. log in as user and try using su to do something as root, such as sudo more /etc/shadow
  
Actual results:
sudo cannot authenticate; the password is never accepted. The error messages written to the log are pam authentication errors when sudo tries to authenticate.

Expected results:
user can provide password and execute command as root (via sudo)

Additional info: see attachment for example of role creation policy module
Comment 1 Daniel Walsh 2009-08-25 09:56:59 EDT
We need sudo to execute an intermediary shell to get all transitions to happen properly. I should not have removed this from sudo in RHEL5. The sudo that is currently in Fedora 10, 11 and Rawhide has the sesh and works properly.
Comment 4 Milos Malik 2010-03-01 06:34:15 EST
$ id -Z
iaoadmin_u:iaoadmin_r:iaoadmin_t:s0
$ sudo more /etc/group
sudo: unable to execute /bin/more: Permission denied

The following 2 AVCs appeared:
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:296): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ffffd8b500 a2=9 a3=8 items=0 ppid=2237 pid=2238 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="bash" exe="/bin/bash" subj=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket
----
time->Mon Mar  1 06:36:03 2010
type=SYSCALL msg=audit(1267443363.336:300): arch=80000016 syscall=33 success=no exit=-13 a0=2aaaaae44b0 a1=1 a2=2aaaaacb2f2 a3=20000000002 items=0 ppid=2238 pid=2537 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="sudo" exe="/usr/bin/sudo" subj=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 key=(null)
type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 comm="sudo" name="more" dev=dm-0 ino=1048667 scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
Comment 5 Daniel Walsh 2010-03-01 10:42:25 EST
Miroslav, F12 has the equivalent of

	corecmd_bin_domtrans($1_sudo_t, $2)

This needs to be added to RHEL5.


Milos, the netlink_audit_socket has to be added to your own policy.
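As an added example (not part of this bug report or of the selinux-policy package), the Python snippet below parses the two AVC records from comment 4, prints the raw allow rule each denial would need, and applies the split drawn in comment 5 between the distribution's sudo template fix and the role's own policy module. The `where_to_fix` heuristic is my own reading of that comment, not something the page states as a rule.

```python
import re

# The two AVC records quoted in comment 4 of this bug, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1267443363.336:296): avc:  denied  { create } for  pid=2238 '
    'comm="bash" scontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 '
    'tcontext=iaoadmin_u:iaoadmin_r:iaoadmin_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1267443363.336:300): avc:  denied  { execute } for  pid=2537 '
    'comm="sudo" name="more" dev=dm-0 ino=1048667 '
    'scontext=iaoadmin_u:iaoadmin_r:iaoadmin_sudo_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract permissions, source/target type and object class from one AVC record.
    A context is user:role:type[:range]; only the type matters for an allow rule."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def suggest_rule(avc):
    """Raw allow rule that would silence the denial (what audit2allow would print)."""
    return "allow %s %s:%s { %s };" % (
        avc["source_type"], avc["target_type"], avc["tclass"], " ".join(avc["perms"]))

def where_to_fix(avc):
    """My reading of the split in comment 5: the <role>_sudo_t domain unable to
    execute bin_t files is the distribution template missing corecmd_bin_domtrans();
    anything else the role's own domain trips over belongs in the site's role module."""
    if avc["source_type"].endswith("_sudo_t") and avc["target_type"] == "bin_t":
        return "base policy: corecmd_bin_domtrans(%s, <role>_t)" % avc["source_type"]
    return "local role policy module"

if __name__ == "__main__":
    for avc in map(parse_avc, AVC_LINES):
        print(suggest_rule(avc), "->", where_to_fix(avc))
```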
Comment 6 Miroslav Grepl 2010-03-02 04:41:17 EST
Added to selinux-policy-2.4.6-278.el5
Comment 9 errata-xmlrpc 2010-03-30 03:50:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
