* execute system-config-selinux while enforcing
From: Andy Warner @ 2012-05-10 13:03 UTC (permalink / raw)
To: SE-Linux
I am running Scientific Linux 6.0, fully updated using the targeted policy.

Is there a method to execute the SELinux admin GUI tool
system-config-selinux while in enforcing mode of the targeted policy?

My assumption is that root linux user combined with sysadm_r role would
work. However, after creating a shell with sudo -i -r sysadm_r (from the
staff_r role), the tool fails to start. I then tried to create a user
that would login via the GUI login and receive the sysadm_r role by
default. In this case I was unsuccessful in even getting the sysadm_r
role to have the sysadm_t upon login. It receives a context of
sysadm_u:sysadm_r:oddjob_mkhomedir_t. This despite having the following
/etc/selinux/targeted/contexts/users/sysadm_u file:

system_r:local_login_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0

Thanks,
Andy
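
An added example, not part of the original post: a small Python check that parses the sysadm_u file quoted above, reports which session context is listed for a given login program context, and flags login contexts that appear on more than one line. The function names are hypothetical, and the line format (first field is the login program's role:type[:range], the remaining fields are the contexts offered to the user's session) is an assumption based on the per-user default-contexts files.

```python
# File contents copied from the post above (sysadm_u default contexts).
SYSADM_U = """\
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
"""

def parse_user_contexts(text):
    """Return [(lineno, login_context, [session_contexts])] for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: no session context listed")
        for ctx in fields:
            # role and type are mandatory; text after the second colon is the range
            parts = ctx.split(":", 2)
            if len(parts) < 2 or not all(parts[:2]):
                raise ValueError(f"line {lineno}: malformed context {ctx!r}")
        entries.append((lineno, fields[0], fields[1:]))
    return entries

def duplicate_sources(entries):
    """Login contexts listed on more than one line, with their line numbers."""
    seen = {}
    for lineno, src, _ in entries:
        seen.setdefault(src, []).append(lineno)
    return {src: lines for src, lines in seen.items() if len(lines) > 1}

def session_contexts(entries, login_ctx):
    """Session contexts on the first line whose login context matches exactly."""
    for _, src, targets in entries:
        if src == login_ctx:
            return targets
    return []

if __name__ == "__main__":
    entries = parse_user_contexts(SYSADM_U)
    print("xdm login ->", session_contexts(entries, "system_r:xdm_t:s0"))
    for src, lines in duplicate_sources(entries).items():
        print(f"duplicate entry {src} on lines {lines}")
```

On the quoted file this reports the sysadm_su_t and sysadm_sudo_t entries as listed twice; it checks the file's structure only and does not query the loaded policy.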
* Re: execute system-config-selinux while enforcing
From: Stephen Smalley @ 2012-05-10 13:17 UTC (permalink / raw)
To: Andy Warner; +Cc: SE-Linux
On Thu, 2012-05-10 at 15:03 +0200, Andy Warner wrote:
> I am running Scientific Linux 6.0, fully updated using the targeted
> policy.
>
> Is there a method to execute the SELinux admin GUI tool
> system-config-selinux while in enforcing mode of the targeted policy?
>
> My assumption is that root linux user combined with sysadm_r role
> would work. However, after creating a shell with sudo -i -r sysadm_r
> (from the staff_r role), the tool fails to start. I then tried to
> create a user that would login via the GUI login and receive the
> sysadm_r role by default. In this case I was unsuccessful in even
> getting the sysadm_r role to have the sysadm_t upon login. It receives
> a context of sysadm_u:sysadm_r:oddjob_mkhomedir_t. This despite having
> the following /etc/selinux/targeted/contexts/users/sysadm_u file:
>
> system_r:local_login_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0
> system_r:sshd_t:s0 sysadm_r:sysadm_t:s0
> system_r:crond_t:s0 sysadm_r:sysadm_t:s0
> system_r:xdm_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
> system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
Under targeted policy, wouldn't you run it from an
unconfined_u/unconfined_r login? Which would be the default for users
who haven't been mapped to a specific role via semanage.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: execute system-config-selinux while enforcing
From: Andy Warner @ 2012-05-10 13:35 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE-Linux
On 5/10/2012 3:17 PM, Stephen Smalley wrote:
> On Thu, 2012-05-10 at 15:03 +0200, Andy Warner wrote:
>> I am running Scientific Linux 6.0, fully updated using the targeted
>> policy.
>>
>> Is there a method to execute the SELinux admin GUI tool
>> system-config-selinux while in enforcing mode of the targeted policy?
>>
>> My assumption is that root linux user combined with sysadm_r role
>> would work. However, after creating a shell with sudo -i -r sysadm_r
>> (from the staff_r role), the tool fails to start. I then tried to
>> create a user that would login via the GUI login and receive the
>> sysadm_r role by default. In this case I was unsuccessful in even
>> getting the sysadm_r role to have the sysadm_t upon login. It receives
>> a context of sysadm_u:sysadm_r:oddjob_mkhomedir_t. This despite having
>> the following /etc/selinux/targeted/contexts/users/sysadm_u file:
>>
>> system_r:local_login_t:s0 sysadm_r:sysadm_t:s0
>> system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0
>> system_r:sshd_t:s0 sysadm_r:sysadm_t:s0
>> system_r:crond_t:s0 sysadm_r:sysadm_t:s0
>> system_r:xdm_t:s0 sysadm_r:sysadm_t:s0
>> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
>> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
>> system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0
>> sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0
>> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
>> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
> Under targeted policy, wouldn't you run it from an
> unconfined_u/unconfined_r login? Which would be the default for users
> who haven't been mapped to a specific role via semanage.
Yep, my bad. For some reason it would not work under my personal
unconfined account so I created a new one and it works fine. So, it's an
issue specific to my personal account.