From: Stan Sander
Date: Sat, 26 Nov 2011 22:00:01 -0700
To: gentoo-hardened
Subject: [gentoo-hardened] Re: Help with su (RESOLVED)
Message-ID: <4ED1C3D1.3060600@sblan.net>
In-Reply-To: <4ED05DE4.4050202@sblan.net>
References: <4ED05DE4.4050202@sblan.net>

On 11/25/2011 08:32 PM, Stan Sander wrote:
> One of the more important things that is currently broken on my system
> when I switch on enforcing mode for SELinux is the su command. Most
> likely I've overlooked something so am asking here first before filing a
> bug on it.

After doing some more searching, reading, and educating of myself I have been able to achieve the behavior I was wanting from the su command, namely change my regular Linux uid to 0 and be able to launch graphical programs if necessary when logged in to a desktop session. What I discovered leaves my SELinux user id set to the user I originally logged in as, which from a security and accountability standpoint is not a bad thing, but the role and type are updated so all the transitions needed for the policy to function as intended can occur. However, my Linux uid is 0 so things that need that work. Probably a simple concept for all you seasoned SELinux folk, but I wanted to document it here for the benefit of others who may find this in the archives.

My answer -- removing the calls to pam_selinux.so from the su file in pam.d and also removing the calls to pam_xauth.so from the su and newrole files. These (xauth) generated avc denials when they couldn't access root's home area at /root due to (I think) ubac constraints.

The last step is a very simple script I called sesu:

    #!/bin/bash
    # Let the local user's X server accept connections from the root shell
    echo -n "X server: "
    xhost local:localhost
    # su prompts for root's password; the SELinux user stays as the login user
    echo -n "Enter root "
    # newrole prompts for the current user's password and switches to sysadm_r
    su -c "echo -n \"Enter current user \" && newrole -r sysadm_r"

If your PAM config doesn't allow the current user to su, then they get permission denied. If SELinux doesn't allow the current user to transition to sysadm_r then you get a root shell, but with limited capability.

-- 
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
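An added check script, not part of Stan's mail: it lists the modules a PAM stack file actually loads, so the pam_selinux.so and pam_xauth.so removals can be verified (including entries that use the bracketed "[value=action]" control syntax), and tests whether a context reached after su plus newrole keeps the login SELinux user while taking the sysadm_r role. The sample /etc/pam.d/su contents and the staff_u contexts are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail). Inspects a PAM stack file for the
# modules the mail removes and checks an SELinux context transition.
# All sample contents below are constructed.

# pam_modules FILE: print the module of every active entry, one per line.
# Handles the "[value=action ...]" control syntax, where the module is not $3.
pam_modules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    awk '{ i = 3
           if (substr($2, 1, 1) == "[") { while (i <= NF && $(i-1) !~ /]$/) i++ }
           print $i }' |
    sed 's#.*/##'   # drop any directory prefix such as /lib/security/
}

# pam_has_module FILE MODULE: succeed if MODULE is configured in FILE.
pam_has_module() {
    pam_modules "$1" | grep -qx "$2"
}

# ctx_field CTX N: Nth field of user:role:type:range (1=user, 2=role, 3=type).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_transition LOGIN_CTX NEW_CTX: succeed when the SELinux user is unchanged
# (the accountability property the mail describes) and the role is now sysadm_r.
check_transition() {
    [ "$(ctx_field "$1" 1)" = "$(ctx_field "$2" 1)" ] || return 1
    [ "$(ctx_field "$2" 2)" = "sysadm_r" ] || return 1
}

# Constructed sample resembling /etc/pam.d/su before the edit described above.
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
# /etc/pam.d/su (constructed sample)
auth       sufficient   pam_rootok.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    optional     /lib/security/pam_xauth.so
session    optional     pam_selinux.so open
EOF

# Report the modules the mail removes if they are still configured.
for m in pam_selinux.so pam_xauth.so; do
    if pam_has_module "$SAMPLE_PAM" "$m"; then echo "$m is still configured in $SAMPLE_PAM"; fi
done
```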