SELinux user context staff_u and sudo issues. Also, question related to setting conte
1. I am having issues with sudo and staff_u user context in SELinux. According to RHEL documentation, staff_u is supposed to provide user with sudo access (but not su access), but this is not working out. Here's what's happening:
    [root@deepthought ~]# grep "bob" /etc/sudoers
    bob ALL=(ALL) ALL
    [bob@deepthought ~]$ id -Z
    staff_u:staff_r:staff_t:s0-s0:c0.c1023
    [bob@deepthought ~]$ sudo -s
    [sudo] password for bob:
    bash: /root/.bashrc: Permission denied
    bash-4.1# exit
    [bob@deepthought ~]$ /bin/ls /root
    /bin/ls: cannot access /root: Permission denied
    [bob@deepthought ~]$ sudo /bin/ls /root
    /bin/ls: cannot access /root: Permission denied

2. I am wondering what the difference is between the two following commands:
    a. semanage login -m -s staff_u __default__
    b. semanage login -m -S targeted -s staff_u -r s0 __default__
I have always used the first command, but in doing some reading online I also see the second command used quite frequently.

3. I know I can get a listing of file contexts by doing an seinfo -t (for example, seinfo -t | grep public_content), and I also know that I can find what the context for a file should be by doing matchpathcon <file>, but I am wondering: how do I find out what the contexts actually mean? For example, semanage boolean -l will show me all SELinux booleans and what they do, but semanage fcontext -l does not do this. Let's say I am wondering what public_content_rw_t does; how would I find that out?
Am I asking this question in the wrong subforum? I see almost all questions being answered, but this one still has not had any reply.
That's because SELinux is a bit of a niche skill.
Unfortunately, now you've answered yourself, that takes it off the zero-reply list, which would normally get it bumped up automatically ... One option may be to ask the Mods (via the Report button) to move it to the Security forum; you might do better over there. Do NOT re-post this as a duplicate question; thank you. Good luck :)
Thank you for the reply! I was beginning to think I posted in the wrong subforum, but didn't want to crosspost. I didn't realize I could report my post, so that's really good to know. I reported the post. Thank you so much for your help!
Moved @ OP's request ...
I am not an SELinux expert, so I may be wrong, but it looks to me like your problem is that your user needs to assume the sysadm_r role (the system admin role). The user staff_u has this capability, but unless they change roles they will not be able to use privileged commands.
See these links for some additional information: http://selinux-mac.blogspot.com/2009...inux-rbac.html and http://www.gentoo.org/proj/en/harden...2&chap=3#users
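As an added illustration of the role change described in the reply above (example code written for this page, not posted by anyone in the thread): the script below splits a context string in the form that id -Z prints it, reports whether the role is already administrative, and prints the sudoers entry and the interactive commands that move a staff_u login into sysadm_r:sysadm_t. The helper names (ctx_user, ctx_role, ctx_type, ctx_range, is_admin_role, sudoers_line, transition_hints) are this example's own; the sudoers ROLE= and TYPE= options and sudo's -r/-t flags exist only in sudo builds with SELinux support, which Red Hat's packages have. On a machine without an SELinux kernel it falls back to the context string from the original post, labelled as a constructed sample.

```shell
#!/bin/sh
# Added example: inspect an SELinux security context and show the sudo
# configuration that performs a role transition for a staff_u user.
# Helper names are invented for this example.

# A context has the form user:role:type:range, for example
#   staff_u:staff_r:staff_t:s0-s0:c0.c1023
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }   # the range itself contains ':'

# Exit 0 when the role is one the reference policy treats as administrative.
# staff_r is deliberately absent: a "sudo -s" that stays in staff_r runs as
# root uid but in a domain that still cannot read /root, as in the post.
is_admin_role() {
    case "$(ctx_role "$1")" in
        sysadm_r|unconfined_r) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the sudoers entry that switches role and type on every sudo call,
# so the user does not need to pass -r/-t by hand. Install it with visudo.
sudoers_line() {  # usage: sudoers_line <login>
    printf '%s ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL\n' "$1"
}

# Print the interactive ways to reach sysadm_r for a single session.
# Both rely on staff_u being allowed sysadm_r, which the stock staff_u
# definition grants; newrole additionally asks for the user's password.
transition_hints() {
    printf 'sudo -r sysadm_r -t sysadm_t -s\n'
    printf 'newrole -r sysadm_r\n'
}

# Use the live context on an SELinux kernel, otherwise the constructed sample.
if ctx=$(id -Z 2>/dev/null); then
    src="current shell"
else
    ctx='staff_u:staff_r:staff_t:s0-s0:c0.c1023'   # constructed sample from the post
    src="constructed sample"
fi

printf 'context (%s): user=%s role=%s type=%s range=%s\n' "$src" \
    "$(ctx_user "$ctx")" "$(ctx_role "$ctx")" \
    "$(ctx_type "$ctx")" "$(ctx_range "$ctx")"

if is_admin_role "$ctx"; then
    echo "role is administrative; sudo will keep it"
else
    echo "role is not administrative; sudoers entry that fixes this:"
    echo "    $(sudoers_line "$(ctx_user "$ctx" | sed 's/_u$//')")"
    echo "or switch explicitly for one session with:"
    transition_hints | sed 's/^/    /'
fi
```

Run it as an ordinary user on the affected box: if id -Z reports staff_r, the printed sudoers line is the change to make, and afterwards id -Z inside "sudo -s" should show sysadm_r:sysadm_t rather than staff_r:staff_t. For the third question in the original post, the meaning of reference-policy types such as public_content_rw_t is documented in the *_selinux(8) man pages rather than in semanage output; ftpd_selinux(8) is the one that covers public_content_rw_t.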