On 10/26/2012 10:45 AM, Stan Sander wrote:
> Probably something I don't have tweaked just right, but a while ago when
> I tried to sudo it failed. I built this system at least 6 months ago
> and followed the procedures that were posted at that time, but then
> wasn't able to work towards putting SELinux in enforcing mode until this
> past week.
>
> sudo: unable to get default type for role sysadm_r
> sudo: unable to execute /bin/bash: Invalid argument
>
> I tried again after running newrole to switch to sysadm_r, but got the
> same result.
>
> The denials in the logs were:
>
> Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ; USER=root ; COMMAND=/bin/bash
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened for user root by stan(uid=0)
> Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed for user root
>
> find / -inum 6717702
> /etc/selinux/strict/contexts/default_type
>
> I checked and indeed none of the sudo types have permissions for that
> file and I don't see any booleans to change it either, so what am I missing?
>
> sesearch -t default_context_t -c file -ACd
> Found 19 semantic av rules:
> allow initrc_t default_context_t : file { ioctl read getattr lock open } ;
> allow run_init_t default_context_t : file { ioctl read getattr lock open } ;
> allow useradd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sysadm_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow system_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sulogin_t default_context_t : file { ioctl read getattr lock open } ;
> allow staff_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow local_login_t default_context_t : file { ioctl read getattr lock open } ;
> allow sysadm_t default_context_t : file { ioctl read getattr lock open } ;
> allow setfiles_t default_context_t : file { ioctl read getattr lock open } ;
> allow user_dbusd_t default_context_t : file { ioctl read getattr lock open } ;
> allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
> allow semanage_t default_context_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow staff_t default_context_t : file { ioctl read getattr lock open } ;
> allow newrole_t default_context_t : file { ioctl read getattr lock open } ;
> allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
> allow udev_t default_context_t : file { ioctl read getattr lock open } ;
> allow crond_t default_context_t : file { ioctl read getattr lock open } ;
> allow user_t default_context_t : file { ioctl read getattr lock open } ;

Can you give us the command you were trying to run (for instance 'sudo -r sysadm_r -t sysadm_t repoman manifest')? Also, 'rlpkg -a -r' just in case (I know you said you did it, but do it again anyway :D).

-- 
Matthew Thode (prometheanfire)
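The denial quoted above is a complete description of the missing rule: source type staff_sudo_t, target type default_context_t, class file, permission read. The script below is an added example, not code from the thread or from refpolicy: it reduces an AVC line to that minimal allow rule and wraps it in a loadable local module, which is what audit2allow does under the hood, so the gap can be checked against the sesearch output before anything is loaded. The SAMPLE_AVC line is constructed to match the posted denial; the module name local_sudo and the checkmodule/semodule_package/semodule steps in the usage comment are the usual build path, assumed rather than taken from the thread. On a refpolicy-based system the cleaner fix is the interface that grants this read (seutil_read_default_contexts, assumed here to exist in the poster's policy version) rather than a raw allow in a local module.

```shell
#!/bin/sh
# Added example, not code from the thread: reduce an AVC denial line to the
# single allow rule it asks for, then emit a loadable local policy module.
# Run with no arguments to process the constructed sample below.

# Constructed sample, modelled on the staff_sudo_t denial quoted in the thread.
SAMPLE_AVC='Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t tcontext=system_u:object_r:default_context_t tclass=file'

# avc_field LINE KEY: print the value of "KEY=value" in LINE
# (quoted values such as comm="sudo" keep their quotes).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the one TE rule that would satisfy the denial,
# in the same form sesearch prints so it can be compared by eye.
avc_to_allow() {
    printf 'allow %s %s : %s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_to_module NAME LINE: complete .te source for a local module,
# with a require block for the types and class the rule references.
avc_to_module() {
    _src=$(ctx_type "$(avc_field "$2" scontext)")
    _tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    _cls=$(avc_field "$2" tclass)
    _perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\n' "$1"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$_src" "$_tgt" "$_cls" "$_perms"
    printf 'allow %s %s : %s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# Usage (assumed build path, not from the thread): write the output to
# local_sudo.te, then
#   checkmodule -M -m -o local_sudo.mod local_sudo.te
#   semodule_package -o local_sudo.pp -m local_sudo.mod
#   semodule -i local_sudo.pp
avc_to_module local_sudo "$SAMPLE_AVC"
```

Feed real denials from the audit log in place of SAMPLE_AVC one line at a time; each line becomes its own rule, and the allow line produced for the posted denial is exactly the one absent from the sesearch listing above.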
