LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux user context staff_u and sudo issues. Also, question related to setting conte (https://www.linuxquestions.org/questions/linux-security-4/selinux-user-context-staff_u-and-sudo-issues-also-question-related-to-setting-conte-4175412134/)

ohlookpie 06-18-2012 05:07 PM

SELinux user context staff_u and sudo issues. Also, question related to setting conte
 
1. I am having issues with sudo and the staff_u user context in SELinux. According to the RHEL documentation, staff_u is supposed to provide the user with sudo access (but not su access), but this is not working out. Here's what's happening:

[root@deepthought ~]# grep "bob" /etc/sudoers
bob ALL=(ALL) ALL
[bob@deepthought ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[bob@deepthought ~]$ sudo -s
[sudo] password for bob:
bash: /root/.bashrc: Permission denied
bash-4.1# exit
[bob@deepthought ~]$ /bin/ls /root
/bin/ls: cannot access /root: Permission denied
[bob@deepthought ~]$ sudo /bin/ls /root
/bin/ls: cannot access /root: Permission denied

2. I am wondering what the difference is between the two following commands:

a. semanage login -m -s staff_u __default__
b. semanage login -m -S targeted -s staff_u -r s0 __default__

I have always used the first command, but in doing some reading online I also see the second command used quite frequently.

3. I know I can get a listing of file contexts doing an seinfo -t (for example, seinfo -t | grep public_content), and I also know that I can find what the context for a file should be by doing matchpathcon <file>, but I am wondering, how do I find out what the contexts actually mean? For example, semanage boolean -l will show me all SELinux booleans and what they do, but semanage fcontext -l does not do this. Let's say I am wondering what public_content_rw_t does, how would I find that out?
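An added example for question 3 (my code, not anything posted in this thread). `semanage fcontext -l` only says which paths get a type; what the type *means* is the set of allow rules that name it, which `sesearch --allow -t public_content_rw_t` (setools) prints, together with the attributes from `seinfo -tpublic_content_rw_t -x` and the prose in the matching `*_selinux(8)` man page (`man ftpd_selinux`, `man httpd_selinux`) or the policy's `.te` source. The script below summarises sesearch allow output per source domain and object class and flags which domains may write the type and which boolean gates that. It falls back to a constructed sample in the setools 3 layout (the gating boolean in `[ ]` appears when sesearch is run with `-C`; the last line is in the setools 4 layout) when setools is not installed; the sample's domain and permission pairs, including the `backup_t` line, are illustrative and are not a dump of any real policy.

```python
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample in the layout of setools 3 `sesearch --allow -t TYPE`
# (one 'allow' per line, the gating boolean in [ ] when printed with -C; the
# last line uses the setools 4 layout).  Illustrative only, not a dump of any
# real policy: which domains may write public_content_rw_t depends on booleans.
SAMPLE_RULES = """\
Found 6 semantic av rules:
   allow ftpd_t public_content_rw_t : dir { ioctl read getattr lock search open } ;
   allow ftpd_t public_content_rw_t : file { ioctl read getattr lock open } ;
   allow ftpd_t public_content_rw_t : file { write append create unlink } ; [ allow_ftpd_anon_write ]
   allow httpd_t public_content_rw_t : file { ioctl read getattr lock open } ;
   allow httpd_t public_content_rw_t : file { write append create unlink } ; [ allow_httpd_anon_write ]
   allow backup_t public_content_rw_t:dir { add_name remove_name write };
"""

# One allow rule: source, target, class, { perms } or a single perm, optional
# trailing ';' and an optional '[ boolean ]' conditional expression.
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;?\s*(?:\[\s*(?P<cond>[^\]]+?)\s*\])?")

# Permissions that let a domain alter the object or its directory entries.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "add_name", "remove_name", "rmdir"}


def parse_allow_rules(text):
    """Return [(src, tgt, cls, frozenset(perms), cond_or_None)] for every allow line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                       # 'Found N ...' header, blanks, non-allow rules
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms), m["cond"]))
    return rules


def access_by_domain(rules, target):
    """{source domain: {object class: set of permissions}} granted on `target`."""
    table = defaultdict(lambda: defaultdict(set))
    for src, tgt, cls, perms, _cond in rules:
        if tgt == target:
            table[src][cls] |= perms
    return {src: dict(classes) for src, classes in table.items()}


def writers(rules, target):
    """Domains holding a write-like permission on `target`, mapped to the set of
    booleans gating it (None = unconditional).  This is the first question to
    ask of a type whose name ends in _rw_t."""
    out = {}
    for src, tgt, _cls, perms, cond in rules:
        if tgt == target and perms & WRITE_LIKE:
            out.setdefault(src, set()).add(cond)
    return out


def live_rules(target):
    """sesearch output for `target` from this host's loaded policy, or None when
    setools is not installed (the constructed sample above is used instead)."""
    if shutil.which("sesearch") is None:
        return None
    cp = subprocess.run(["sesearch", "--allow", "-t", target],
                        capture_output=True, text=True)
    return cp.stdout if cp.returncode == 0 else None


if __name__ == "__main__":
    target = "public_content_rw_t"
    rules = parse_allow_rules(live_rules(target) or SAMPLE_RULES)
    for src, classes in sorted(access_by_domain(rules, target).items()):
        for cls, perms in sorted(classes.items()):
            print("%-16s %-6s %s" % (src, cls, " ".join(sorted(perms))))
    for src, conds in sorted(writers(rules, target).items()):
        gates = ", ".join(c or "always" for c in sorted(conds, key=str))
        print("writer: %-16s gated by: %s" % (src, gates))
```

Run it on a box with setools and the real rule set replaces the sample; the `writers` table is the part worth reading, since an `_rw_t` type is only as dangerous as the domains that may actually write it and the booleans that switch that on.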

ohlookpie 06-18-2012 09:04 PM

Am I asking this question in the wrong subforum? I see almost all questions being answered, but this one still has not had any reply.

chrism01 06-18-2012 09:09 PM

That's because SELinux is a bit of niche skill.
Unfortunately, now you've answered yourself, that takes it off the zero-reply list, which would normally get it bumped up automatically ...
One option may be to ask the Mods (via the Report button) to move it to the Security forum; you might do better over there.
Do NOT re-post this as a duplicate question; thank you.

Good luck :)

ohlookpie 06-18-2012 09:24 PM

Thank you for the reply! I was beginning to think I posted in the wrong subforum, but didn't want to crosspost. I didn't realize I could report my post, so that's really good to know. I reported the post. Thank you so much for your help!

Tinkster 06-18-2012 11:20 PM

Moved @ OP's request ...

Noway2 06-19-2012 04:51 AM

I am not an SELinux expert, so I may be wrong, but it looks to me like your problem is that your user needs to assume the sysadm_r (system admin) role. The user staff_u has this capability, but unless they change roles they will not be able to use privileged commands.

See these links for some additional information:
http://selinux-mac.blogspot.com/2009...inux-rbac.html
and
http://www.gentoo.org/proj/en/harden...2&chap=3#users

ohlookpie 06-19-2012 02:00 PM

Quote:

Originally Posted by Noway2 (Post 4706799)
I am not an selinux expert, so I may be wrong, but it looks to me like your problem is that your user needs to assume the sysadm_r (system admin role). The user staff_u has this capability, but unless they change roles they will not be able to use privileged commands.

See these links for some additional information:
http://selinux-mac.blogspot.com/2009...inux-rbac.html
and
http://www.gentoo.org/proj/en/harden...2&chap=3#users

Here's the output from "semanage user -l | grep staff_u"
Quote:

staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
The odd thing that I don't fully understand here is that staff_r is mapped to the role of unconfined_r, which doesn't make any sense to me at all. Anyway, I installed policycoreutils-newrole and then tried "newrole -r sysadm_r," typed my password, and still sudo doesn't work.
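An added diagnostic for questions 1 and 2 of the opening post (my code, not anything posted in this thread). sudo only changes the Unix uid: the SELinux user, role, type and range of the resulting shell stay those of the caller unless the sudoers entry carries `ROLE=`/`TYPE=` (or the user passes `sudo -r sysadm_r -t sysadm_t`), so `bob ALL=(ALL) ALL` yields a root shell still labelled `staff_u:staff_r:staff_t`, which is denied on /root (`admin_home_t`) exactly like the unprivileged user. The RHEL recipe for a confined administrator is `bob ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL`, which the policy allows because `semanage user -l` lists `sysadm_r` among staff_u's roles, as the quoted output shows. On question 2: `-S targeted` names the policy store (the one from `SELINUXTYPE=` in /etc/selinux/config, so the default when omitted) and `-r s0` pins the MLS/MCS range; as I read semanage, a `-m` without `-r` keeps the range the mapping already had (s0-s0:c0.c1023 on the shipped `__default__` entry, matching the `id -Z` output above), so the two commands differ only in that range. The script parses constructed copies of the thread's outputs plus a hypothetical user `alice` mapped to `user_u` and a login table as the `-r s0` variant would leave it; the role-to-default-domain table and the set of domains that may read `admin_home_t` are assumptions written into the code, and nothing here calls semanage or sudo.

```python
import re

# Constructed inputs (not read from a live system): copies of the outputs
# quoted in this thread, a hypothetical login 'alice' mapped to user_u, and a
# second login table as `semanage login -m -S targeted -s staff_u -r s0
# __default__` would leave it.
SEMANAGE_USER = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
user_u          user       s0         s0                             user_r
"""
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range
__default__          staff_u              s0-s0:c0.c1023
alice                user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
"""
SEMANAGE_LOGIN_S0 = """\
Login Name           SELinux User         MLS/MCS Range
__default__          staff_u              s0
alice                user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
"""
SUDOERS_ORIGINAL = "bob ALL=(ALL) ALL"                            # the thread's line
SUDOERS_FIXED = "bob ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL"    # asks sudo for a transition
SUDOERS_ALICE = "alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL"  # role her SELinux user lacks

LEVEL_RE = re.compile(r"^s\d+(?:-s\d+)?(?::c\d+(?:[.,]c\d+)*)?$")

# Assumption: the default domain of each role in the targeted policy; a real
# tool would read it from /etc/selinux/targeted/contexts/.
DEFAULT_TYPE = {"staff_r": "staff_t", "sysadm_r": "sysadm_t", "user_r": "user_t",
                "guest_r": "guest_t", "unconfined_r": "unconfined_t"}
# Assumption: domains the policy lets read admin_home_t (/root).  staff_t is
# deliberately not one, which is the "Permission denied" in the thread.
ADMIN_HOME_READERS = {"sysadm_t", "unconfined_t"}


def parse_semanage_user(text):
    """`semanage user -l` -> {seuser: {"level", "range", "roles"}}.  Locates the
    level field so the older 'Labeling Prefix' column is handled either way."""
    users = {}
    for line in text.splitlines():
        f = line.split()
        idx = next((i for i, tok in enumerate(f) if LEVEL_RE.match(tok)), None)
        if idx is None or len(f) < idx + 3:
            continue                       # header or blank line
        users[f[0]] = {"level": f[idx], "range": f[idx + 1], "roles": f[idx + 2:]}
    return users


def parse_semanage_login(text):
    """`semanage login -l` -> {login: {"seuser", "range"}}."""
    logins = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and LEVEL_RE.match(f[2]):
            logins[f[0]] = {"seuser": f[1], "range": f[2]}
    return logins


def mapping_for(login, logins):
    """Like libselinux: an explicit entry wins, otherwise __default__ applies."""
    return logins.get(login) or logins["__default__"]


SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$")


def parse_sudoers_line(line):
    """Split one user specification into runas, ROLE=/TYPE=, tags and command."""
    m = SUDOERS_RE.match(line.strip())
    if not m:
        raise ValueError("not a user specification: %r" % line)
    spec = {"user": m["user"], "host": m["host"], "runas": m["runas"] or "root",
            "role": None, "type": None, "tags": [], "cmd": ""}
    tokens = m["rest"].split()
    for i, tok in enumerate(tokens):
        if tok.startswith("ROLE="):
            spec["role"] = tok[len("ROLE="):]
        elif tok.startswith("TYPE="):
            spec["type"] = tok[len("TYPE="):]
        elif tok.endswith(":"):            # NOPASSWD:, SETENV: and similar tags
            spec["tags"].append(tok[:-1])
        else:
            spec["cmd"] = " ".join(tokens[i:])
            break
    return spec


def sudo_shell_context(login, logins, users, sudoers_line):
    """Context of the shell `sudo -s` gives `login`: the caller's own context
    unless ROLE=/TYPE= requests a transition, and only to a role the SELinux
    user holds."""
    spec = parse_sudoers_line(sudoers_line)
    if spec["user"] != login:
        raise ValueError("sudoers line is for %s, not %s" % (spec["user"], login))
    mapping = mapping_for(login, logins)
    seuser = mapping["seuser"]
    roles = users[seuser]["roles"]
    role = spec["role"] or roles[0]        # simplification: first listed role is the login role
    if role not in roles:
        raise ValueError("%s cannot take role %s (roles: %s)" % (seuser, role, " ".join(roles)))
    domain = spec["type"] or DEFAULT_TYPE[role]
    return "%s:%s:%s:%s" % (seuser, role, domain, mapping["range"])


def can_read_root_home(context):
    """True if the domain in `context` may read /root (admin_home_t)."""
    return context.split(":")[2] in ADMIN_HOME_READERS


if __name__ == "__main__":
    users = parse_semanage_user(SEMANAGE_USER)
    cases = [("as posted", SEMANAGE_LOGIN, SUDOERS_ORIGINAL),
             ("with ROLE=/TYPE=", SEMANAGE_LOGIN, SUDOERS_FIXED),
             ("mapped with -r s0", SEMANAGE_LOGIN_S0, SUDOERS_ORIGINAL)]
    for label, login_table, line in cases:
        ctx = sudo_shell_context("bob", parse_semanage_login(login_table), users, line)
        print("%-18s %-42s /root readable: %s" % (label, ctx, can_read_root_home(ctx)))
```

The third case shows what `-r s0` changes: the shell's range drops from `s0-s0:c0.c1023` to `s0`, which in MCS terms removes the categories the user may touch, while the role and type problem is untouched. The fourth possibility, asking for `sysadm_r` on behalf of a user whose SELinux user does not hold it, is rejected, which is the check to run before blaming sudo.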

