Date: Sun, 27 Nov 2011 17:38:50 +0000
From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Re: Help with su (RESOLVED)
Message-ID: <20111127173850.GB18017@gentoo.org>
In-Reply-To: <4ED1C3D1.3060600@sblan.net>
References: <4ED05DE4.4050202@sblan.net> <4ED1C3D1.3060600@sblan.net>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sat, Nov 26, 2011 at 10:00:01PM -0700, Stan Sander wrote:
> After doing some more searching, reading, and educating of myself I have
> been able to achieve the behavior I was wanting from the su command,
> namely change my regular Linux uid to 0 and be able to launch graphical
> programs if necessary when logged in to a desktop session.
> What I discovered leaves my SELinux user id set to the user I originally
> logged in as, which from a security and accountability standpoint is not
> a bad thing, but the role and type are updated so all the transitions
> needed for the policy to function as intended can occur. However, my
> Linux uid is 0, so things that need that work. Probably a simple concept
> for all you seasoned SELinux folk, but I wanted to document it here for
> the benefit of others who may find this in the archives.
>
> My answer -- removing the calls to pam_selinux.so from the su file in
> pam.d and also removing the calls to pam_xauth.so from the su and
> newrole files. These (xauth) generated avc denials when they couldn't
> access root's home area at /root due to (I think) ubac constraints.
> The last step is a very simple script I called sesu:
>
> #!/bin/bash
> # Allow local connections to the X server so programs started from the
> # root shell can open windows in the current desktop session.
> echo -n "X server: "
> xhost local:localhost
> # su raises the Linux uid to 0, then newrole changes the role to sysadm_r.
> echo -n "Enter root "
> su -c "echo -n \"Enter current user \" && newrole -r sysadm_r"
>
> If your PAM config doesn't allow the current user to su, then they get
> permission denied.
> If SELinux doesn't allow the current user to transition to sysadm_r,
> then you get a root shell, but with limited capability.

Hi Stan,

This isn't really the way it is meant to be resolved. From your denials, I
gather that you were still running in the staff_r role. You need to
transition to the sysadm_r role first and then try to perform your
administrative tasks.

Wkr,
	Sven Vermeulen
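The point of Sven's reply is that the SELinux role, not the Linux uid, decides what a shell may do: a uid-0 shell that is still in staff_r stays confined. The script below is an added example written for this archive page; it is neither Stan's sesu script nor anything Sven posted. It reads the caller's context with id -Z, looks at the role field, and runs newrole -r sysadm_r before su if the role is not already sysadm_r. The helper names (se_user, se_role, has_role, plan_for, main) and the "run" argument convention are this example's own assumptions; id -Z, newrole and su are the standard tools the thread already uses, and the context layout user:role:type[:range] is the standard SELinux format.

```shell
#!/bin/sh
# Added example, not the thread's own code: check the SELinux role before
# doing anything administrative, and transition with newrole first when
# the shell is not yet in sysadm_r.  Function names are this example's
# own assumptions.

# A context looks like "user:role:type[:range]", for example
# staff_u:staff_r:staff_t:s0-s0:c0.c1023.  Field 1 is the SELinux user
# (which stays the login user across su, as Stan observed) and field 2
# is the role, which is what policy keys its transitions on.
se_user() { printf '%s\n' "$1" | cut -d: -f1; }
se_role() { printf '%s\n' "$1" | cut -d: -f2; }

# Return 0 when the context's role equals the wanted role, 1 otherwise.
has_role() { [ "$(se_role "$1")" = "$2" ]; }

# Decide the next step for a given context and wanted role.  Kept pure so
# it can be exercised on a machine without an SELinux-enabled kernel:
#   ok       already in the wanted role, go ahead with su
#   newrole  a role transition is needed before any admin work
plan_for() {
    if has_role "$1" "$2"; then
        echo ok
    else
        echo newrole
    fi
}

main() {
    want=sysadm_r
    # id -Z prints the calling process's context; it fails on kernels
    # without SELinux, in which case there is nothing to check.
    ctx=$(id -Z 2>/dev/null) || {
        echo "id -Z failed: SELinux does not seem to be enabled" >&2
        return 1
    }
    echo "context: $ctx (user $(se_user "$ctx"), role $(se_role "$ctx"))" >&2
    case $(plan_for "$ctx" "$want") in
    ok)
        # Already in sysadm_r: now raise the Linux uid.  The SELinux user
        # field is left alone, which is what keeps the session accountable.
        exec su -
        ;;
    newrole)
        # Still staff_r (or another non-admin role): change role first.
        # Run su from the shell newrole opens, so the uid-0 shell is also
        # in sysadm_r and the denials Stan saw in staff_r do not occur.
        echo "not in $want yet; running newrole -r $want first" >&2
        exec newrole -r "$want"
        ;;
    esac
}

# Only act when invoked as "sh sesu_check.sh run", so the functions can be
# sourced or tested without touching newrole or su.
if [ "${1-}" = run ]; then
    main
fi
```

Usage: save as sesu_check.sh and run `sh sesu_check.sh run` from the desktop session's terminal. On a staff_r shell it starts newrole; once the role has changed, run the script again (or su directly) and it proceeds to su. Authentication is still done by PAM for newrole and su exactly as before; the script only orders the two steps the way Sven describes.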