On Tuesday 20 March 2007 6:27:20 pm Loulwa Salem wrote:
> I am seeing a strange behavior on my system. I am running with the latest
> and greatest kernel (.69) and packages freshly installed today from Steve's
> repo on a ppc system in Enforcing mode of course.
> Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
>
> Steps to reproduce the problem:
> - ssh into system with your admin user as sysadm role
>     ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> - switch to root
>     /bin/su -
> - execute any netlabel command
>     netlabelctl cipsov4 add pass doi:1 tags:1
>
> I am able to log in fine, and I expect the netlabel command to pass however
> I get a permission denied.
I haven't verified this (I'm at home and don't have an LSPP machine handy) but
it was originally the case where you had to be in the secadm_r role to be able
to use netlabelctl. Unless Dan/Chris added the netlabel_mgmt_t domain to the
sysadm_r role I don't expect you'll be able to run netlabelctl.

> ---- netlabel related records (the only 2 records I see when I get perm
> denied)
> type=SELINUX_ERR msg=audit(1174412941.179:771):
> security_compute_sid: invalid context
> ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for
> scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no
> exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090
> pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts2 comm="bash" exe="/bin/bash"
> subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)

Like Linda I'm also a little curious as to the invalid context message,
something is not right ... why is a non system user, i.e. not system_u,
running with the system_r role?

> I think this is a bug, if everyone agrees I'll open a bugzilla for it

I'm not sure this is a bug, unless of course we want sysadm_r to be able to
configure NetLabel. Please try running netlabelctl as secadm_r and report the
results.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
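As an added example (not part of the thread), a small Python helper that pairs the SELINUX_ERR record with the SYSCALL record carrying the same audit serial, splits each security context into its fields, and points at the role change that the reply questions. The sample records are the two quoted above, re-joined onto one line each; the field names and heuristics are mine, not anything from the NetLabel project.

```python
import re

# Constructed sample: the two audit records quoted in the thread, with the
# list archive's line wrapping undone so each record is one line.
AUDIT_LINES = [
    "type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: "
    "invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for "
    "scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process",
    "type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no "
    "exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 "
    "pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    'tty=pts2 comm="bash" exe="/bin/bash" '
    "subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)",
]

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ERR_RE = re.compile(
    r"security_compute_sid: invalid context (\S+) for scontext=(\S+) "
    r"tcontext=(\S+) tclass=(\S+)"
)


def parse_context(ctx):
    """Split user:role:type:range; the MLS range itself contains colons."""
    user, role, typ, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": mls}


def diagnose(lines):
    """Group records by audit serial and explain each rejected transition."""
    by_serial = {}
    for line in lines:
        m = SERIAL_RE.search(line)
        if m:
            by_serial.setdefault(m.group(2), []).append(line)
    findings = []
    for serial, recs in by_serial.items():
        err = next((r for r in recs if "type=SELINUX_ERR" in r), None)
        m = ERR_RE.search(err) if err else None
        if not m:
            continue
        bad, src, tgt = (parse_context(m.group(i)) for i in (1, 2, 3))
        f = {"serial": serial, "exec_type": tgt["type"], "reasons": [],
             # exit=-13 is EACCES: the execve itself failed, not just a log.
             "denied": any("success=no" in r and "exit=-13" in r for r in recs)}
        # A role change in the computed context needs the user to be
        # authorized for the new role; a non-system_u user landing in
        # system_r is exactly the oddity the reply asks about.
        if bad["role"] != src["role"]:
            f["reasons"].append(
                f"{src['role']} -> {bad['role']}: user {bad['user']} is not "
                f"system_u, check it is authorized for role {bad['role']}")
        findings.append(f)
    return findings
```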
