Bug 121117 - Single-user shell should run as sysadm_r, not system_r
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
Blocks: FC2Target FC3Target
Reported: 2004-04-17 15:16 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-10-12 13:53:03 UTC

Description Aleksey Nogin 2004-04-17 15:16:42 UTC
Because the single-user shell is running as system_r, not as sysadm_r,
many things (including su, sudo and mail) fail to work (avc messages
below). It seems that running an interactive shell as system_r is
wrong in the first place, and it should be sysadm_r instead.

audit(1082188457.323:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_mail_t for
scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:sendmail_exec_t tclass=process
audit(1082188479.788:0): security_compute_sid:  invalid context
system_u:system_r:newrole_t for scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:newrole_exec_t tclass=process
audit(1082188495.235:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_sudo_t for
scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:sudo_exec_t tclass=process
audit(1082189175.512:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_chkpwd_t for
scontext=system_u:system_r:sysadm_su_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=process
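
The records above all show the same pattern: the rejected context keeps the caller's role (system_r) and pairs it with a sysadm-derived type. As an added example (not part of the original report or of the policy sources), this parser re-joins the wrapped audit lines and lists the refused role/type pairs; the function names are hypothetical and the sample holds two of the four records from the report.

```python
import re

# Two of the four audit records from the report, wrapped as they appear there.
REPORT_LOG = """\
audit(1082188457.323:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_mail_t for
scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:sendmail_exec_t tclass=process
audit(1082189175.512:0): security_compute_sid:  invalid context
system_u:system_r:sysadm_chkpwd_t for
scontext=system_u:system_r:sysadm_su_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=process
"""

RECORD = re.compile(
    r"audit\([\d.]+:\d+\):\s+security_compute_sid:\s+invalid context\s+"
    r"(?P<computed>\S+)\s+for\s+scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type; any further fields are ignored."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}

def parse_invalid_contexts(text):
    """Return one dict per 'invalid context' record, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo the line wrapping
    records = []
    for m in RECORD.finditer(flat):
        computed = split_context(m["computed"])
        source = split_context(m["scontext"])
        records.append({
            "computed": computed, "source": source,
            "entrypoint": split_context(m["tcontext"])["type"],
            "tclass": m["tclass"],
            # True when the rejected context carries the caller's role.
            "role_inherited": computed["role"] == source["role"],
        })
    return records

def rejected_role_type_pairs(records):
    """Distinct (role, type) pairs refused for process transitions."""
    return sorted({(r["computed"]["role"], r["computed"]["type"])
                   for r in records if r["tclass"] == "process"})

if __name__ == "__main__":
    for role, type_ in rejected_role_type_pairs(parse_invalid_contexts(REPORT_LOG)):
        print(f"role {role} is not valid with type {type_}")
```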

Comment 1 Bill Nottingham 2004-10-11 19:18:07 UTC
This is a policy bug. Is this strict or targeted policy?

Comment 2 Bill Nottingham 2004-10-11 19:21:44 UTC
Also, does it still occur - this *looks* to be fixed in the current
strict policy.

Comment 3 Aleksey Nogin 2004-10-11 19:25:58 UTC
> Is this strict or targeted policy?

This was before the policy was split.

> Also, does it still occur

I am still running FC2, so I do not know.

Comment 4 Daniel Walsh 2004-10-12 13:53:03 UTC
I am marking this as fixed in Rawhide.

