RE: bash_profile: Permission denied

RE: bash_profile: Permission denied

[James R. Marcus]

What is the right way to deal with this issue?  When root logs in should
they automatically be in the sysadm_r role or should these files be
labeled with staff_r?


Do I need to change this in /etc/security/selinux/file_contexts ?

This is what I have in file_contexts:
#
# User-specific file contexts
#
/root           -d      root:object_r:sysadm_home_dir_t
/root/.+                        root:object_r:sysadm_home_t
/root/\.ssh(/.*)?               root:object_r:sysadm_home_ssh_t
/root/.default_contexts --      system_u:object_r:default_context_t
/root/.ccache(/.*)?             system_u:object_r:sysadm_ccache_t


Thanks,
James
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com] 
Sent: Thursday, September 23, 2004 1:31 PM
To: James R. Marcus
Cc: selinux@tycho.nsa.gov
Subject: Re: bash_profile: Permission denied

James R. Marcus wrote:

>When I login in enforced mode I get this error as root:
>-bash: /root/.bash_profile: Permission denied
>ftp root # pwd       
>/root
>ftp root # ls -aZ
>ls: .: Permission denied
>ftp root #
>
>I thought it might be a labeling issue so I ran this command:
>ftp domains # newrole -r sysadm_r
>Authenticating root.
>Password: 
>ftp domains # cd /
>ftp / # setfiles /etc/security/selinux/file_contexts /root/
>setfiles:  read 575 specifications
>setfiles:  labeling files under /root/
>setfiles:  hash table stats: 5 elements, 5/65536 buckets used, longest
>chain length 1
>setfiles:  Done.
>
>I'm not getting any messages in /var/log/messages when I avc_toggle.
>
>
>Am I on the right track?
>
>James
>  
>
The problem is probably that you are logging as staff_r and the 
directory is sysadm_r.
At login do an id -Z to see what context you have,
then do the newrole -r sysadm_r and see if you have access to the
directory.

Dan

>
>
>
>
>--
>This message was distributed to subscribers of the selinux mailing
list.
>If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>  
>




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Daniel J Walsh]

James R. Marcus wrote:

>What is the right way to deal with this issue?  When root logs in should
>they automatically be in the sysadm_r role or should these files be
>labeled with staff_r?
>
>  
>
It is working the way it was designed.  In Fedora Core, we changed to  
use staff_* for the home directory, because
we thought it was too confusing for the users.  There is a security risk 
to having the root account owned by staff*
Basically if I can some how modify .bash_profile as a staff user, then 
get the sysadm to login as sysadm_r he will execute
my code as sysadm_r.

Dan

>Do I need to change this in /etc/security/selinux/file_contexts ?
>
>This is what I have in file_contexts:
>#
># User-specific file contexts
>#
>/root           -d      root:object_r:sysadm_home_dir_t
>/root/.+                        root:object_r:sysadm_home_t
>/root/\.ssh(/.*)?               root:object_r:sysadm_home_ssh_t
>/root/.default_contexts --      system_u:object_r:default_context_t
>/root/.ccache(/.*)?             system_u:object_r:sysadm_ccache_t
>
>
>Thanks,
>James
>-----Original Message-----
>From: Daniel J Walsh [mailto:dwalsh@redhat.com] 
>Sent: Thursday, September 23, 2004 1:31 PM
>To: James R. Marcus
>Cc: selinux@tycho.nsa.gov
>Subject: Re: bash_profile: Permission denied
>
>James R. Marcus wrote:
>
>  
>
>>When I login in enforced mode I get this error as root:
>>-bash: /root/.bash_profile: Permission denied
>>ftp root # pwd       
>>/root
>>ftp root # ls -aZ
>>ls: .: Permission denied
>>ftp root #
>>
>>I thought it might be a labeling issue so I ran this command:
>>ftp domains # newrole -r sysadm_r
>>Authenticating root.
>>Password: 
>>ftp domains # cd /
>>ftp / # setfiles /etc/security/selinux/file_contexts /root/
>>setfiles:  read 575 specifications
>>setfiles:  labeling files under /root/
>>setfiles:  hash table stats: 5 elements, 5/65536 buckets used, longest
>>chain length 1
>>setfiles:  Done.
>>
>>I'm not getting any messages in /var/log/messages when I avc_toggle.
>>
>>
>>Am I on the right track?
>>
>>James
>> 
>>
>>    
>>
>The problem is probably that you are logging as staff_r and the 
>directory is sysadm_r.
>At login do an id -Z to see what context you have,
>then do the newrole -r sysadm_r and see if you have access to the
>directory.
>
>Dan
>
>  
>
>>
>>
>>--
>>This message was distributed to subscribers of the selinux mailing
>>    
>>
>list.
>  
>
>>If you no longer wish to subscribe, send mail to
>>    
>>
>majordomo@tycho.nsa.gov with
>  
>
>>the words "unsubscribe selinux" without quotes as the message.
>> 
>>
>>    
>>
>
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Russell Coker]

On Fri, 24 Sep 2004 04:21, Daniel J Walsh <dwalsh@redhat.com> wrote:
> James R. Marcus wrote:
> >What is the right way to deal with this issue?  When root logs in should
> >they automatically be in the sysadm_r role or should these files be
> >labeled with staff_r?
>
> It is working the way it was designed.  In Fedora Core, we changed to
> use staff_* for the home directory, because
> we thought it was too confusing for the users.  There is a security risk

We should revert that change.  It causes too many other issues and does no 
good.

Now that the targeted policy is the default most people who don't want to know 
much about SE Linux will stick with targeted and never encounter this.

With the strict policy a user who logs in as root:staff_r:staff_t will 
discover that they can't do most things that they want to do as root and will 
have to run newrole before doing anything else, so there will be no extra 
confusion about lack of write access to /root.

Users who find newrole too confusing just have to run targeted policy, there 
is no other solution for them.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Luke Kenneth Casson Leighton]

On Fri, Sep 24, 2004 at 06:22:07AM +1000, Russell Coker wrote:

> On Fri, 24 Sep 2004 04:21, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > James R. Marcus wrote:
> > >What is the right way to deal with this issue?  When root logs in should
> > >they automatically be in the sysadm_r role or should these files be
> > >labeled with staff_r?
> >
> > It is working the way it was designed.  In Fedora Core, we changed to
> > use staff_* for the home directory, because
> > we thought it was too confusing for the users.  There is a security risk
> 
> We should revert that change.  It causes too many other issues and does no 
> good.
> 
> Now that the targeted policy is the default most people who don't want to know 
> much about SE Linux will stick with targeted and never encounter this.
> 
> With the strict policy a user who logs in as root:staff_r:staff_t will 
> discover that they can't do most things that they want to do as root and will 
> have to run newrole before doing anything else, so there will be no extra 
> confusion about lack of write access to /root.
 
 ah, but running newrole is not enough: not having write access to
 /root/.bash_profile results in bash not _reading_ the file either.

 result of that is that you lose all your PATH settings and everything
 else you'd expect to be done from bash_profile.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Russell Coker]

On Fri, 24 Sep 2004 09:15, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
>  ah, but running newrole is not enough: not having write access to
>  /root/.bash_profile results in bash not _reading_ the file either.

I wrote the following in my previous message to James R. Marcus on the same 
topic:

If you enable the boolean staff_read_sysadm_file then staff_t can read 
sysadm_home_t files and can search sysadm_home_dir_t directories.  This will 
allow you to login as root:staff_r:staff_t without any warning messages AND 
with the aliases etc from .bashrc defined.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Russell Coker]

On Fri, 24 Sep 2004 04:13, "James R. Marcus" <jmarcus@mvalent.net> wrote:
> What is the right way to deal with this issue?  When root logs in should
> they automatically be in the sysadm_r role or should these files be
> labeled with staff_r?

If you enable the boolean staff_read_sysadm_file then staff_t can read 
sysadm_home_t files and can search sysadm_home_dir_t directories.  This will 
allow you to login as root:staff_r:staff_t without any warning messages AND 
with the aliases etc from .bashrc defined.

Also please put your test after the text you quote, and trim any quoted text 
that is not necessary to understanding your message.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: bash_profile: Permission denied

[James R. Marcus]

Sorry I haven't replied to this sooner. I'm fine with .bash_profile
getting a permission denied.  The first issue was that when I was
switching back and forth from permissive to enforced mode, my new login
shell would hang on the permission denied error, and I would never get
to a prompt. Maybe this was an issue with my ssh client? This error
seems to be some extreme case, because without changing anything it
appears I can login as root while in enforced mode.

James

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Russell Coker
Sent: Friday, September 24, 2004 4:25 AM
To: Luke Kenneth Casson Leighton
Cc: Daniel J Walsh; James R. Marcus; selinux@tycho.nsa.gov
Subject: Re: bash_profile: Permission denied

On Fri, 24 Sep 2004 09:15, Luke Kenneth Casson Leighton <lkcl@lkcl.net>
wrote:
>  ah, but running newrole is not enough: not having write access to
>  /root/.bash_profile results in bash not _reading_ the file either.

I wrote the following in my previous message to James R. Marcus on the
same 
topic:

If you enable the boolean staff_read_sysadm_file then staff_t can read 
sysadm_home_t files and can search sysadm_home_dir_t directories.  This
will 
allow you to login as root:staff_r:staff_t without any warning messages
AND 
with the aliases etc from .bashrc defined.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux
packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

bash_profile: Permission denied

[James R. Marcus]

When I login in enforced mode I get this error as root:
-bash: /root/.bash_profile: Permission denied
ftp root # pwd       
/root
ftp root # ls -aZ
ls: .: Permission denied
ftp root #

I thought it might be a labeling issue so I ran this command:
ftp domains # newrole -r sysadm_r
Authenticating root.
Password: 
ftp domains # cd /
ftp / # setfiles /etc/security/selinux/file_contexts /root/
setfiles:  read 575 specifications
setfiles:  labeling files under /root/
setfiles:  hash table stats: 5 elements, 5/65536 buckets used, longest
chain length 1
setfiles:  Done.

I'm not getting any messages in /var/log/messages when I avc_toggle.


Am I on the right track?

James





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Daniel J Walsh]

James R. Marcus wrote:

>When I login in enforced mode I get this error as root:
>-bash: /root/.bash_profile: Permission denied
>ftp root # pwd       
>/root
>ftp root # ls -aZ
>ls: .: Permission denied
>ftp root #
>
>I thought it might be a labeling issue so I ran this command:
>ftp domains # newrole -r sysadm_r
>Authenticating root.
>Password: 
>ftp domains # cd /
>ftp / # setfiles /etc/security/selinux/file_contexts /root/
>setfiles:  read 575 specifications
>setfiles:  labeling files under /root/
>setfiles:  hash table stats: 5 elements, 5/65536 buckets used, longest
>chain length 1
>setfiles:  Done.
>
>I'm not getting any messages in /var/log/messages when I avc_toggle.
>
>
>Am I on the right track?
>
>James
>  
>
The problem is probably that you are logging as staff_r and the 
directory is sysadm_r.
At login do an id -Z to see what context you have,
then do the newrole -r sysadm_r and see if you have access to the directory.

Dan

>
>
>
>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Erich Schubert]

Hi,

> The problem is probably that you are logging as staff_r and the 
> directory is sysadm_r.

What is the preferred way for having login being done as staff_r, but
still having some profile files for root/staff_r?
(staff_r doesn't necessarily need to write them, but i'd like him to be
able to read them. So i can at least have a macro for "newrole -r
sysadm_r" or a bash history entry...)

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
          There are only 10 types of people in the world:           //\
          Those who understand binary and those who don't           V_/_
          Liebe ist eine schwere Geisteskrankheit (Platon)


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: bash_profile: Permission denied

[Greg Norris]

[-- Attachment #1: Type: text/plain, Size: 538 bytes --]

On Sat, Oct 02, 2004 at 12:37:40AM +0200, Erich Schubert wrote:
> What is the preferred way for having login being done as staff_r, but
> still having some profile files for root/staff_r?
> (staff_r doesn't necessarily need to write them, but i'd like him to be
> able to read them. So i can at least have a macro for "newrole -r
> sysadm_r" or a bash history entry...)

Have you looked at the "staff_read_sysadm_file" entry in 
tunables/tunable.te?  I think that does what you want (assuming I'm 
understanding you correctly).

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: bash_profile: Permission denied

[Russell Coker]

On Sat, 2 Oct 2004 08:37, Erich Schubert <erich@debian.org> wrote:
> > The problem is probably that you are logging as staff_r and the
> > directory is sysadm_r.
>
> What is the preferred way for having login being done as staff_r, but
> still having some profile files for root/staff_r?
> (staff_r doesn't necessarily need to write them, but i'd like him to be
> able to read them. So i can at least have a macro for "newrole -r
> sysadm_r" or a bash history entry...)

You can use the boolean staff_read_sysadm_file to enable staff_t (and other 
semi-privileged domains) to have getattr and search access to 
sysadm_home_dir_t:dir and have getattr and read access to sysadm_home_t:file.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: bash_profile: Permission denied

[Richard Simpson]

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]On
> Behalf Of Erich Schubert
> Sent: Friday, October 01, 2004 4:38 PM
> To: Daniel J Walsh
> Cc: James R. Marcus; selinux@tycho.nsa.gov
> Subject: Re: bash_profile: Permission denied
>
>
> Hi,
>
> > The problem is probably that you are logging as staff_r and the
> > directory is sysadm_r.
>
> What is the preferred way for having login being done as staff_r, but
> still having some profile files for root/staff_r?
> (staff_r doesn't necessarily need to write them, but i'd like him to be
> able to read them. So i can at least have a macro for "newrole -r
> sysadm_r" or a bash history entry...)
>
You can give staff_r enhanced privileges, including reading root files, by
setting appropriate tunables in tunable.te. You can see what the tunables do
in staff.te.

Richard.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: bash_profile: Permission denied

[Erich Schubert]

Hi,

> You can give staff_r enhanced privileges, including reading root files, by
> setting appropriate tunables in tunable.te. You can see what the tunables do
> in staff.te.

Thanks to all who replied.
I had thought that maybe there is a solution for only allowing staff_r
read access to certain files such as the shell profile files. But i'm
happy with the current solution.

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
          There are only 10 types of people in the world:           //\
          Those who understand binary and those who don't           V_/_
              Denken ist oft schwerer, als man denkt.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.