F9: su and sudo don't work as user

Stephen Smalley sds at tycho.nsa.gov
Fri Jun 13 14:21:39 UTC 2008


On Fri, 2008-06-13 at 10:09 -0400, Chuck Anderson wrote:
> On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
> > They shouldn't work from user_u, as that user identity/role isn't
> > supposed to be able to use them (unprivileged user).
> 
> Right, I was trying to fix that, and apparently failed.
> 
> > > [root at system ~]# semanage login -l
> > > 
> > > Login Name                SELinux User              MLS/MCS Range            
> > > 
> > > __default__               unconfined_u              s0                       
> > > root                      root                      s0-s0:c0.c1023           
> > > system_u                  system_u                  s0-s0:c0.c1023           
> > 
> > semanage user -l shows what?
> 
> I didn't know there was a "user" in addition to "login":
> 
> # semanage user -l
> 
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> root            unconfined s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
> staff_u         staff      s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
> sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> user_u          user       s0         s0                             user_r
> 
> Now it seems obvious--I'm missing the unconfined_u user.
> 
> Comparing this to a working F9 system:
> 
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         guest      s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
> staff_u         user       s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
> user_u          user       s0         s0                             user_r
> xguest_u        xguest     s0         s0                             xguest_r
> 
> How do I fix this?

Looks like the same problem reported by Kayvan (Weird SELinux problem
after upgrade to F9).

semanage user -a -P user -R "unconfined_r system_r" -rs0-s0:c0.c1023 unconfined_u

semanage user acts on SELinux users, i.e. users defined in the kernel
policy, which these days are used as "authorized role sets" rather than
individual users.  semanage login acts on Linux users, who are then
mapped to SELinux users in policy.

-- 
Stephen Smalley
National Security Agency

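The reply above distinguishes the two listings: `semanage login -l` maps Linux logins to SELinux users, and `semanage user -l` defines which SELinux users (with their role sets) actually exist in policy. Chuck's breakage is a dangling mapping: `__default__` points at `unconfined_u`, which is absent from the policy's user list. The script below is an added example, not code from the thread or from the semanage tool; it checks a login mapping against the defined SELinux users and reports any SELinux user that is referenced but undefined. The two listings embedded in it are constructed to mirror the broken system shown in the thread; the function names are my own.

```shell
#!/bin/sh
# Constructed sample output of `semanage login -l` (the broken system in the thread).
LOGIN_LIST='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed sample output of `semanage user -l` on the same system: no unconfined_u.
USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            unconfined s0         s0-s0:c0.c1023                 system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023                 system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0                             user_r'

# The same listing after adding unconfined_u (constructed; the line follows the
# working F9 system quoted in the thread).
FIXED_USER_LIST="$USER_LIST
unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r"

# Second column of a `semanage login -l` listing: the SELinux user each login maps to.
# Skips the one-line header and blank lines.
login_selinux_users() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $2 }'
}

# First column of a `semanage user -l` listing: the SELinux users defined in policy.
# Skips the two-line header and blank lines (data rows have at least 5 fields).
defined_selinux_users() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 5 { print $1 }'
}

# Print every SELinux user referenced by a login mapping but not defined in policy.
# Empty output means every mapping resolves to a real SELinux user.
missing_selinux_users() {
    _login="$1"
    _defined=$(defined_selinux_users "$2")
    login_selinux_users "$_login" | sort -u | while read -r _u; do
        printf '%s\n' "$_defined" | grep -qx -- "$_u" || printf '%s\n' "$_u"
    done
}

# Stand-alone run: report dangling mappings in the constructed broken listing.
_missing=$(missing_selinux_users "$LOGIN_LIST" "$USER_LIST")
if [ -n "$_missing" ]; then
    echo "login mappings reference undefined SELinux user(s): $_missing"
else
    echo "all login mappings resolve to defined SELinux users"
fi
```

On a live system, pass the real listings instead of the constructed ones: `missing_selinux_users "$(semanage login -l)" "$(semanage user -l)"`. A non-empty result is the condition Stephen's `semanage user -a` command repairs: the SELinux user has to exist in policy before a login mapping to it can take effect.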