F9: su and sudo don't work as user
Stephen Smalley
sds at tycho.nsa.gov
Fri Jun 13 12:26:30 UTC 2008
On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote:
> Ok, I thought this was a known issue but I can't seem to find it
> mentioned anywhere. I have a F9 system that "su" and "sudo" don't
> work on. I noticed that my context was user_u rather than
> unconfined_u:
They shouldn't work from user_u, as that user identity/role isn't
supposed to be able to use them (unprivileged user).
>
> Login on the console as cra:
>
> [cra at system 20:25:34 /home/cra]>id
> uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
> [cra at system 20:25:36 /home/cra]>su
> /bin/su: Permission denied.
> [cra at system 20:25:37 /home/cra]>sudo
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>
> So I tried to go in as root and fix the context like this:
>
> Login on the console as root:
>
> [root at system ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
> [root at system ~]# setenforce 0
> [root at system ~]# semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ unconfined_u s0
> root root s0-s0:c0.c1023
> system_u system_u s0-s0:c0.c1023
semanage user -l shows what?
>
> [root at system ~]# semanage login -m -s unconfined_u root
> libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
> libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not modify login mapping for root
>
> [root at system ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
> [root at system ~]# setenforce 1
> [root at system ~]# exit
>
> But it didn't work as you can see. I'm running these versions:
>
> kernel-2.6.25.4-30.fc9.x86_64
> selinux-policy-targeted-3.3.1-64.fc9.noarch
>
> Can someone please help?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list