F9: su and sudo don't work as user

Stephen Smalley sds at tycho.nsa.gov
Fri Jun 13 12:26:30 UTC 2008


On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote:
> Ok, I thought this was a known issue but I can't seem to find it 
> mentioned anywhere.  I have a F9 system that "su" and "sudo" don't 
> work on.  I noticed that my context was user_u rather than 
> unconfined_u:

They shouldn't work from user_u, as that user identity/role isn't
supposed to be able to use them (unprivileged user).

> 
> Login on the console as cra:
> 
> [cra at system 20:25:34 /home/cra]>id
> uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
> [cra at system 20:25:36 /home/cra]>su
> /bin/su: Permission denied.
> [cra at system 20:25:37 /home/cra]>sudo
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
> 
> So I tried to go in as root and fix the context like this:
> 
> Login on the console as root:
> 
> [root at system ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 22
> Policy from config file:        targeted
> 
> [root at system ~]# setenforce 0
> [root at system ~]# semanage login -l
> 
> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              s0                       
> root                      root                      s0-s0:c0.c1023           
> system_u                  system_u                  s0-s0:c0.c1023           

semanage user -l shows what?

> 
> [root at system ~]# semanage login -m -s unconfined_u root
> libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
> libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not modify login mapping for root
> 
> [root at system ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy version:                 22
> Policy from config file:        targeted
> 
> [root at system ~]# setenforce 1
> [root at system ~]# exit
> 
> But it didn't work as you can see.  I'm running these versions:
> 
> kernel-2.6.25.4-30.fc9.x86_64
> selinux-policy-targeted-3.3.1-64.fc9.noarch
> 
> Can someone please help?
> 
> Thanks.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
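As an added illustration (not code from the thread or from any SELinux tool), the shell function below reproduces the consistency check that libsemanage's validate_handler applied in the failing `semanage login -m` above: every login mapping must name a SELinux user the policy defines, which is what `semanage user -l` would reveal. The two tables are constructed sample text in the shape of `semanage login -l` and `semanage user -l` output; on a real system, feed the function the live output of those commands instead.

```shell
# Added example, not part of the thread: cross-check the login mappings
# ("semanage login -l") against the SELinux users the policy defines
# ("semanage user -l"), the check that rejects a mapping to a user that
# "does not exist". Both tables are constructed sample text.

sample_login_list='
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
'

# Policy state as in the thread: unconfined_u is absent from the user list.
sample_user_list='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

root            user       s0         s0-s0:c0.c1023  system_r sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r
'

# The same table once unconfined_u is defined in the policy, so that every
# login mapping resolves.
sample_user_list_fixed="$sample_user_list
unconfined_u    user       s0         s0-s0:c0.c1023  system_r unconfined_r
"

# check_login_mappings LOGIN_TABLE USER_TABLE
# Prints one line per login mapping whose SELinux user is undefined.
# Returns 0 when all mappings resolve, 1 otherwise.
check_login_mappings() {
    # Defined SELinux users: first field of each data row, headers skipped.
    defined=$(printf '%s\n' "$2" |
        awk 'NF && $1 != "Labeling" && $1 != "SELinux" { printf "%s ", $1 }')
    # Login rows whose second field (SELinux user) is not a defined user.
    bad=$(printf '%s\n' "$1" |
        awk -v defined="$defined" '
            BEGIN { n = split(defined, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
            NF && $1 != "Login" && !($2 in ok) {
                printf "login %s -> selinux user %s does not exist\n", $1, $2
            }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run against the first table it reports the `__default__ -> unconfined_u` mapping, matching the validate_handler error in the thread; against the fixed table it is silent and returns 0.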