LinuxQuestions.org
03-11-2012, 07:31 PM   #1
theillien
selinux problem with staff_u


I'm reading chapter 4 in Michael Jang's RHCSA/RHCE study guide. In the final exercise it says to set the user type for a regular user to staff_u. This type indicates that the users it applies to should have sudo and su rights. However, I seem to have encountered a problem with it.

After applying the staff_u type to a regular user, logging in as that user and then running `sudo su -` it is first telling me to enter my password, then the target user's password. Normally, I only need to enter my own as I'm not using the targetpw setting in the sudoers file.

Once it accepts my password and then the target password it takes a while to authenticate. Once it does I'm told I don't have permission to the /root/.bash_profile file so my environment is very useless. When I try to do an ls on the directory I get the same error.

Anyone know what the problem could be?
 
03-12-2012, 01:16 PM   #2
T3RM1NVT0R

Hi theillien

Is there any specific reason you are running the following command?

Code:
sudo su -
The reason it is prompting for your password is because you did a sudo and it does not appear that in /etc/sudoers you have used the NOPASSWD: switch for the user account from which you are trying to run sudo.

When you are su - ing then there is no need to use sudo. You can directly do that using the following command:

Code:
su -
or

Code:
su - root

Last edited by T3RM1NVT0R; 03-12-2012 at 02:17 PM.
 
03-12-2012, 08:47 PM   #3
theillien (Original Poster)
sudo su - is force of habit. Running sudo keeps better track of who did what. It's what I do at work and it carries over to my studying.

The NOPASSWD: option does indeed eliminate the need to enter a password. However, when it is not present and I am presented with the password prompt, it is not normal behavior for it to ask for mine, and then ask for root's. It typically only asks for mine. Or, if I have targetpw set in the sudoers file, it only asks for root's. Not both.

Finally, this only became an issue when I applied the staff_u user type to my account. When I have no specific type leaving it at __default__ it works fine. That said, the problem isn't the command I'm running which is perfectly common. The problem appears to be with selinux. On the surface, anyway.
 
03-12-2012, 10:24 PM   #4
elfenlied
I am reading the same book at the moment. In fact Michael Jang is a member of this forum and frequently responds to questions about said book (http://www.linuxquestions.org/questi...05#post4620605).

I think you might have misunderstood something in that chapter. What I got from it was that when a user is assigned the staff_u context, they are able to execute sudo but not su (for reasons as you've mentioned regarding logging, I assume). Try it: if you do a "su -" it won't work, but if you "sudo <command>" it will.
 
03-14-2012, 09:10 PM   #5
theillien (Original Poster)
I looked into it to determine if I was just misreading it. I think I have it right. According to table 4-8 on page 239, the staff_u role has access to the sudo command. The user_u role does not have access to the sudo or su commands (paragraph 4; same page).

I switched my account back to staff_u and logged back in. When I attempted to run `su` I was told it couldn't be found. When I attempted to run `sudo` with another command, `/usr/sbin/visudo` first and then `/sbin/service iptables stop` second, I was unable to. `sudo /usr/sbin/visudo` tells me permission denied. `sudo /sbin/service iptables stop` tells me that iptables is an unrecognized service. I ran `ls /etc/init.d` as a sanity check and was presented with `ls: cannot access /etc/init.d/<service>: Permission denied` for every service in /etc/init.d before actually printing out the list of files (see the attached image).

I then removed the staff_u role and tried all of the same commands successfully.

I've actually talked to Mr. Jang a couple times already. I'm just hesitant to ask him about every problem I encounter. I don't want to become a nuisance. Especially after the last issue required a very simple fix.
Attached Images
File Type: png no_sudo1.png (49.0 KB, 2 views)
 
03-14-2012, 10:21 PM   #6
elfenlied
Is the user you're running your sudo commands as either in sudoers or part of the wheel group? It works when I try it, see attached.
Attached Images
File Type: png Capture.PNG (89.2 KB, 2 views)

Last edited by elfenlied; 03-14-2012 at 10:35 PM.
 
03-15-2012, 07:12 AM   #7
theillien (Original Poster)
In /etc/sudoers with the same perms as root.
Attached Images
File Type: png no_sudo3.png (66.1 KB, 4 views)
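
A diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant: it reads `semanage login -l` output to find which SELinux user a login maps to (falling back to `__default__`) and classifies the context that `sudo id -Z` reports. The login name `alice`, the function names and the sample output are constructed; that the denials above come from the root shell staying in `staff_t` is an assumption to confirm on the affected system.

```shell
#!/bin/bash
# Added example: inspect the SELinux login mapping and the domain a sudo'd
# shell lands in. All sample data is constructed, not taken from the thread.

# Constructed `semanage login -l` output; "alice" is a hypothetical login.
SAMPLE_LOGINS='
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
alice                     staff_u                   s0-s0:c0.c1023
'

# Print the SELinux user a Linux login maps to, falling back to __default__.
mapped_user() {  # $1 = login name, stdin = `semanage login -l` output
    awk -v login="$1" '
        $1 == login         { hit = $2 }
        $1 == "__default__" { def = $2 }
        END { print (hit != "" ? hit : def) }'
}

# Print one field of a context string user:role:type[:level].
ctx_field() {  # $1 = context, $2 = 1 (user) | 2 (role) | 3 (type)
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Classify the context reported after sudo for a given login mapping.
check_sudo_domain() {  # $1 = mapped SELinux user, $2 = context after sudo
    dom=$(ctx_field "$2" 3)
    case "$1:$dom" in
        staff_u:staff_t)  echo "confined: still staff_t, no role change requested" ;;
        staff_u:sysadm_t) echo "ok: transitioned to sysadm_t" ;;
        unconfined_u:*)   echo "ok: unconfined mapping" ;;
        *)                echo "check: unexpected $1 in $dom" ;;
    esac
}

# On a live system, feed the functions real output instead:
#   semanage login -l | mapped_user "$USER"
#   check_sudo_domain staff_u "$(sudo id -Z)"                        # default role
#   check_sudo_domain staff_u "$(sudo -r sysadm_r -t sysadm_t id -Z)" # explicit role/type
```

If the first live check reports `staff_t`, root's UID is in effect but the SELinux domain has not changed, which is consistent with permission errors on files under /root and /etc/init.d.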
 
  

