Bugzilla – Bug 1220046
sudo: SELinux confined users are unable to transition to sysadm_r/t
Last modified: 2024-06-18 11:36:59 UTC
# useradd user_staff
# semanage login --add -s staff_u -r s0 user_staff
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service
__default__          user_u               s0                   *
admin                unconfined_u         s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
user_staff           staff_u              s0                   *

Add the user to sudoers:

user_staff ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Login:

# ssh user_staff@172.24.20.49
(user_staff@172.24.20.49) Password:
Last login: Mon Feb 19 15:37:15 AEST 2024 from 172.24.12.42 on ssh
Have a lot of fun...
user_staff@h-172-24-20-49:~> id
uid=1002(user_staff) gid=1002(user_staff) groups=1002(user_staff) context=staff_u:staff_r:staff_t:s0
user_staff@h-172-24-20-49:~> sudo -s
[sudo] password for user_staff:
sudo: unable to execute /bin/bash: No such file or directory

h-172-24-20-49:/home/admin # ausearch -ts recent | grep den
type=AVC msg=audit(1708321129.668:288): avc: denied { search } for pid=2026 comm="sudo" name="logins" dev="dm-1" ino=51368770 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=0

Seems to be a policy issue with staff_sudo_t transitioning via sudo to sysadm_r.
My guess is the related policy in ./policy/modules/admin/sudo.if has a problem
semodule -DB

type=AVC msg=audit(1708322514.806:128): avc: denied { noatsecure } for pid=1799 comm="bash" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.809:129): avc: denied { rlimitinh } for pid=1799 comm="sudo" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.809:130): avc: denied { siginh } for pid=1799 comm="sudo" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:131): avc: denied { noatsecure } for pid=1800 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:132): avc: denied { read write } for pid=1800 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1708322514.829:133): avc: denied { rlimitinh } for pid=1800 comm="unix_chkpwd" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:134): avc: denied { siginh } for pid=1800 comm="unix_chkpwd" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.839:138): avc: denied { read } for pid=1799 comm="sudo" name="shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:139): avc: denied { open } for pid=1799 comm="sudo" path="/etc/shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:140): avc: denied { getattr } for pid=1799 comm="sudo" path="/etc/shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:141): avc: denied { net_admin } for pid=1799 comm="sudo" capability=12 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1708322514.846:142): avc: denied { search } for pid=1799 comm="sudo" name="logins" dev="dm-1" ino=51368770 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
Seems to be unrelated to the /bin to /usr/bin symlinks; tried after chsh -s /usr/bin/bash and it still fails.
Curiously, even in permissive mode sudo -i/-s still fails?
Okay, I've narrowed it down to an issue in sudo. It appears that if you have:

user_staff ALL=(ALL:ALL) ALL

it works, but

user_staff ALL=(ALL:ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

fails. Is there something missing in sudo or something?
@William

You could try to add this line to /usr/etc/sudo.conf:

Path sesh /usr/libexec/sudo/sesh

Let me know if the problem then still persists for you (it worked for me).
(In reply to Cathy Hu from comment #9)
> @William
>
> You could try to add this line to /usr/etc/sudo.conf:
> Path sesh /usr/libexec/sudo/sesh
>
> Let me know if the problem then still persists for you (it worked for me).

And like magic, it works:

user_staff@localhost:~> id
uid=1002(user_staff) gid=1002(user_staff) groups=1002(user_staff) context=staff_u:staff_r:staff_t:s0
user_staff@localhost:~> sudo -s
[sudo] password for user_staff:
localhost:/home/user_staff # id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0
localhost:/home/user_staff #

So I think we need to update that default :)
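The thread above shows that a sudoers rule requesting an SELinux ROLE=/TYPE= transition only worked once sudo.conf carried a "Path sesh" line pointing at the installed sesh helper, while a plain rule without ROLE=/TYPE= worked all along. The following script is an added example, not code from the bug report or from the sudo project: it checks, offline, whether a given sudo.conf and sudoers file are in the working combination (a transition rule present and a sesh path that is set and executable). All file names, contents and the stand-in sesh binary below are constructed fixtures, and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for sudoers ROLE=/TYPE= transitions.
# It does not run sudo; it only inspects configuration files.

# Print the sesh path configured in a sudo.conf ("Path sesh /some/path"),
# or nothing if the file does not set one.
sesh_path_from_conf() {
    # $1: sudo.conf file
    awk '$1 == "Path" && $2 == "sesh" { print $3; exit }' "$1"
}

# Succeed if the sudoers file has at least one rule with ROLE= or TYPE=,
# i.e. a rule that asks sudo to change SELinux context for the command.
rules_request_transition() {
    # $1: sudoers file
    grep -Eq '(^|[[:space:]])(ROLE|TYPE)=' "$1"
}

# Verdict for a sudo.conf / sudoers pair. Prints one of:
#   no-transition-rule  nothing to check, no ROLE=/TYPE= rule (exit 0)
#   no-sesh-path        transition rule but sudo.conf sets no sesh path (exit 1)
#   sesh-missing        sesh path set but not an executable file (exit 1)
#   ok                  transition rule and usable sesh path (exit 0)
check_role_transition() {
    conf=$1; sudoers=$2
    if ! rules_request_transition "$sudoers"; then
        echo no-transition-rule; return 0
    fi
    sesh=$(sesh_path_from_conf "$conf")
    if [ -z "$sesh" ]; then
        echo no-sesh-path; return 1
    fi
    if [ ! -f "$sesh" ] || [ ! -x "$sesh" ]; then
        echo sesh-missing; return 1
    fi
    echo ok; return 0
}

# --- constructed fixtures (not the reporter's files) -------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Sudoers rule mirroring the report: staff user may transition to sysadm_r/t.
printf '%s\n' 'user_staff ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL' > "$tmp/sudoers"
# The rule that worked without any sudo.conf change: no ROLE=/TYPE=.
printf '%s\n' 'user_staff ALL=(ALL:ALL) ALL' > "$tmp/sudoers_plain"

# Stand-in for the sesh helper: an executable file at a constructed path.
printf '#!/bin/sh\nexec "$@"\n' > "$tmp/sesh"
chmod +x "$tmp/sesh"

# sudo.conf before the fix: no "Path sesh" line at all.
printf '%s\n' '# sudo.conf' 'Plugin sudoers_policy sudoers.so' > "$tmp/sudo.conf.before"
# sudo.conf after the fix, pointing at the stand-in sesh above.
printf '%s\n' '# sudo.conf' "Path sesh $tmp/sesh" > "$tmp/sudo.conf.after"
# sudo.conf with a sesh path that does not exist on this system.
printf '%s\n' "Path sesh $tmp/does-not-exist" > "$tmp/sudo.conf.badpath"

echo "before fix:  $(check_role_transition "$tmp/sudo.conf.before" "$tmp/sudoers")"
echo "after fix:   $(check_role_transition "$tmp/sudo.conf.after" "$tmp/sudoers")"
echo "bad path:    $(check_role_transition "$tmp/sudo.conf.badpath" "$tmp/sudoers")"
echo "plain rule:  $(check_role_transition "$tmp/sudo.conf.after" "$tmp/sudoers_plain")"
```

On a real host you would point check_role_transition at the live sudo.conf (/etc/sudo.conf, or /usr/etc/sudo.conf as in the thread) and at the output of "visudo -c" or the sudoers file itself; a "no-sesh-path" or "sesh-missing" verdict is the configuration state the reporter hit, where sudo -s printed "unable to execute /bin/bash" even though bash existed.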