sudo avc denies: was Re: Upgrading to policy-strict RPM's
Kirk Vogelsang
kvogelsa at ccs.neu.edu
Fri Jul 9 14:18:28 UTC 2004
On Wed, 7 Jul 2004, Stephen Smalley wrote:
> On Wed, 2004-07-07 at 15:38, Kirk Vogelsang wrote:
> > I've got a slimmed down Fedora Core2 that doesn't seem to want to
> > enable selinux after rpm -U'ing the following packages:
> >
> > policycoreutils-1.14.1-1
> > selinux-policy-strict-1.14.1-2
> > libselinux-1.14.1-1
> >
> > After upgrading to those packages, booting to single user,
> > running fixfiles relabel, and rebooting once more, the system
> > comes up selinux disabled. I've verified /etc/selinux/config
> > SELINUX=permissive and SELINUXTYPE=strict. /etc/sysconfig/selinux
> > sym-links to /etc/selinux/config. Policy resides in
> > /etc/selinux/strict/policy/. Stock FC2 kernel, 2.6.5-1.358smp.
> > I've tried appending selinux in grub as well, to no avail.
> >
> > What minute detail am I missing?
>
> Update to the latest SysVinit package from the development tree. There
> are also other relevant packages, e.g. usermode.
That did it, thanks.
Having a problem with sudo now, however:
$ rpm -q selinux-policy-strict sudo
selinux-policy-strict-1.14.1-2
sudo-1.6.7p5-27
$ id
uid=600(admin) gid=600(admin) groups=10(wheel),600(admin) context=user_u:user_r:user_t
$ sudo sh
sudo: unable to exec /usr/sbin/sesh: Permission denied
$ dmesg
audit(1089381994.953:0): avc: denied { execute_no_trans } for pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t tclass=file
I receive the same results if running in staff_r or sysadm_r as well.
-----
Kirk M. Vogelsang <kvogelsa at ccs.neu.edu>
Northeastern University College of Computer Science
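
Added example, not part of the original message: a small Python parser for the avc record shown in the dmesg output above. It splits out the source domain, target type, class and permissions, and prints the allow rule whose absence the denial reports (audit2allow-style). The names parse_avc and Avc are made up for this example, and it assumes key=value fields without embedded spaces.

```python
import re
from dataclasses import dataclass

# Record copied from the dmesg output in the message above.
SAMPLE = ("audit(1089381994.953:0): avc: denied { execute_no_trans } for pid=845 "
          "exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 "
          "scontext=user_u:user_r:user_sudo_t "
          "tcontext=system_u:object_r:shell_exec_t tclass=file")

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")

@dataclass
class Avc:  # hypothetical container for one parsed record
    timestamp: float
    result: str
    perms: list
    fields: dict

    def _type(self, key):
        # A context is user:role:type, optionally followed by an MLS range.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type("scontext")

    @property
    def target_type(self):
        return self._type("tcontext")

    def rule(self):
        """Type-enforcement rule this record corresponds to; not a recommended fix."""
        p = self.perms
        perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"

def parse_avc(line):
    """Return an Avc for a kernel avc message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Assumption: values contain no spaces (a path with spaces would be cut short).
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    if any(fields[k].count(":") < 2 for k in ("scontext", "tcontext")):
        return None
    return Avc(float(m["ts"]), m["result"], m["perms"].split(), fields)
```

Calling parse_avc(SAMPLE).rule() on the record above gives "allow user_sudo_t shell_exec_t:file execute_no_trans;", which shows that /usr/sbin/sesh carries the generic shell_exec_t label and that the sudo domain is trying to run it without a domain transition.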