sudo avc denies: was Re: Upgrading to policy-strict RPM's

Kirk Vogelsang kvogelsa at ccs.neu.edu
Fri Jul 9 14:18:28 UTC 2004


On Wed, 7 Jul 2004, Stephen Smalley wrote:

> On Wed, 2004-07-07 at 15:38, Kirk Vogelsang wrote:
> > I've got slimmed down Fedora Core2 that doesn't seem to want to
> > enable selinux after rpm -U'ing the following packages:
> >
> > policycoreutils-1.14.1-1
> > selinux-policy-strict-1.14.1-2
> > libselinux-1.14.1-1
> >
> > After upgrading to those packages, booting to single user,
> > running fixfiles relabel, and rebooting once more, the system
> > comes up selinux disabled.  I've verified /etc/selinux/config
> > SELINUX=permissive and SELINUXTYPE=strict.  /etc/sysconfig/selinux
> > sym-links to /etc/selinux/config.  Policy resides in
> > /etc/selinux/strict/policy/.  Stock FC2 kernel, 2.6.5-1.358smp.
> > I've tried appending selinux in grub as well, to no avail.
> >
> > What minute detail am I missing?
>
> Update to the latest SysVinit package from the development tree.  There
> are also other relevant packages, e.g. usermode.

That did it, thanks.

Having a problem with sudo now, however:

$ rpm -q selinux-policy-strict sudo
selinux-policy-strict-1.14.1-2
sudo-1.6.7p5-27
$ id
uid=600(admin) gid=600(admin) groups=10(wheel),600(admin) context=user_u:user_r:user_t
$ sudo sh
sudo: unable to exec /usr/sbin/sesh: Permission denied
$ dmesg
audit(1089381994.953:0): avc:  denied  { execute_no_trans } for  pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t tclass=file

I receive the same results if running in staff_r or sysadm_r as well.

-----
Kirk M. Vogelsang <kvogelsa at ccs.neu.edu>
Northeastern University College of Computer Science
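
Added example, not part of the original post: the AVC denial from the dmesg output above, split into its fields and reduced to the candidate allow rule that audit2allow-style tooling would derive for policy review. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Denial line copied from the dmesg output in the post above.
SAMPLE = ("audit(1089381994.953:0): avc:  denied  { execute_no_trans } for  "
          "pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 "
          "scontext=user_u:user_r:user_sudo_t "
          "tcontext=system_u:object_r:shell_exec_t tclass=file")

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for tok in m.group(2).split():          # key=value pairs after "for"
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type (an MLS level may follow); type is field 3.
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec["stype"], rec["ttype"] = src[2], tgt[2]
    return rec

def candidate_rules(lines):
    """Merge denials by (source type, target type, class) into allow-rule text.
    The output is a starting point for policy review, not a finished policy."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ps = sorted(perms)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules([SAMPLE])))
```

Here the source domain is user_sudo_t (sudo after its domain transition) and the target is the shell_exec_t label on /usr/sbin/sesh, so the denial is about sudo executing sesh without a transition, not about the user's own user_t domain.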


