Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 03-11-2012, 08:31 PM   #1
Registered: Jan 2004
Posts: 112

Rep: Reputation: 1
selinux problem with staff_u

I'm reading chapter 4 in Michael Jang's RHCSA/RHCE study guide. In the final exercise it says to set the user type for a regular user to staff_u. This type indicates that the users it applies to should have sudo and su rights. However, I seem to have encountered a problem with it.

After applying the staff_u type to a regular user, logging in as that user and then running `sudo su -` it is first telling me to enter my password, then the target user's password. Normally, I only need to enter my own as I'm not using the targetpw setting in the sudoers file.

Once it accepts my password and then the target password it takes a while to authenticate. Once it does I'm told I don't have permission to the /root/.bash_profile file so my environment is very useless. When I try to do an ls on the directory I get the same error.

Anyone know what the problem could be?
Old 03-12-2012, 02:16 PM   #2
Senior Member
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 477Reputation: 477Reputation: 477Reputation: 477Reputation: 477
@ Reply

Hi theillien

Is there any specific reason you are running the following command?

sudo su -
The reason it is prompting for your password because you did a sudo and it does not appear that in /etc/sudoers you have used NOPASSWD: switch for the user account from which you are trying to run sudo.

When you are su - ing then there is no need to use sudo. You can directory do that using the following command:

su -

su - root

Last edited by T3RM1NVT0R; 03-12-2012 at 03:17 PM.
Old 03-12-2012, 09:47 PM   #3
Registered: Jan 2004
Posts: 112

Original Poster
Rep: Reputation: 1
sudo su - is force of habit. Running sudo keeps better track of who did what. It's what I do at work and it carries over to my studying.

The NOPASSWD: option does indeed eliminate the need to enter a password. However, when it is not present and I am presented with the password prompt, it is not normal behavior for it to ask for mine, and then ask for root's. It typically only asks for mine. Or, if I have targetpw set in the sudoers file, it only asks for root's. Not both.

Finally, this only became an issue when I applied the staff_u user type to my account. When I have no specific type leaving it at __default__ it works fine. That said, the problem isn't the command I'm running which is perfectly common. The problem appears to be with selinux. On the surface, anyway.
Old 03-12-2012, 11:24 PM   #4
Registered: Dec 2004
Posts: 83

Rep: Reputation: 8
I am reading the same book at the moment. In fact Michael Jang is a member of this forum and frequently responds to questions about said book (

I think you might have misunderstood something in that chapter, from what I got from it was that assigning a user the staff_u context they were able to execute sudo but not su (for reasons as you've mentioned regarding logging I assume). Try it, if you do a "su -" it won't work but if you "sudo <command>" it will.
Old 03-14-2012, 10:10 PM   #5
Registered: Jan 2004
Posts: 112

Original Poster
Rep: Reputation: 1
I looked into it to determine if I was just misreading it. I think I have it
right. According to table 4-8 on page 239, the staff_u role has access to the
sudo command. The user_u role does not have access to the sudo or
su commands (paragraph 4; same page).

I switched my account back to staff_u and logged back in. When I attempted to
run su I was told it couldn't be found. When I attempted to run
sudo with another command, /usr/sbin/visudo first and then
/sbin/service iptables stop second, I was unable to. sudo
tells me permission denied. sudo /sbin/service iptables
tells me that iptables is an unrecognized service. I ran ls
as a sanity check and was presented with ls: cannot access
/etc/init.d/<service>: Permission denied
for every service in
/etc/init.d before actually printing out the list of files (see the
attached image).

I then removed the staff_u role and tried all of the same commands successfully.

I've actually talked to Mr. Jang a couple times already. I'm just hesitant to
ask him about every problem I encounter. I don't want to become a nuisance.
Especially after the last issue required a very simple fix.
Attached Thumbnails
Click image for larger version

Name:	no_sudo1.png
Views:	9
Size:	49.0 KB
ID:	9237  
Old 03-14-2012, 11:21 PM   #6
Registered: Dec 2004
Posts: 83

Rep: Reputation: 8
Is the user you're running your sudo commands either in sudoers or part of the wheel group? It works when I try it, see attached.
Attached Thumbnails
Click image for larger version

Name:	Capture.PNG
Views:	13
Size:	89.2 KB
ID:	9238  

Last edited by elfenlied; 03-14-2012 at 11:35 PM.
Old 03-15-2012, 08:12 AM   #7
Registered: Jan 2004
Posts: 112

Original Poster
Rep: Reputation: 1
In /etc/sudoers with the same perms as root.
Attached Thumbnails
Click image for larger version

Name:	no_sudo3.png
Views:	18
Size:	66.1 KB
ID:	9241  


permission denied, selinux, user

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Selinux-how do i find out what domains have permissions on what type?(selinux policy) vishyc88 Linux - Security 2 11-22-2010 05:27 AM
SElinux problem palvit Linux - Networking 5 05-03-2008 03:48 PM
SELinux problem gttommy Linux - Security 3 01-16-2006 08:25 PM
SELinux problem stormtracknole Fedora 1 11-12-2005 10:25 AM
SELinux problem... casttellum Linux - Security 1 03-08-2005 12:25 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:47 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration