Linux – /bin/su permission denied after SELinux is enabled – not resolved by manual creation of SELinux policies

For some reason, I can't su to root with from a non-root user:

[rilindo@kerberos ~]$ /bin/su -
-bash: /bin/su: Permission denied

Running output from /var/log/audit/audit.log either returns this:

[root@kerberos tmp]# cat /tmp/audit
type=AVC msg=audit(1319322088.937:68012): avc:  denied  { execute } for  pid=9794 comm="bash" name="su" dev=dm-0 ino=1048659 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319322088.937:68012): arch=c000003e syscall=59 success=no exit=-13 a0=26a7df0 a1=26c9b30 a2=269efa0 a3=18 items=0 ppid=8435 pid=9794 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4454 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1319322088.944:68013): avc:  denied  { getattr } for  pid=9794 comm="bash" path="/bin/su" dev=dm-0 ino=1048659 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319322088.944:68013): arch=c000003e syscall=4 success=no exit=-13 a0=26a7df0 a1=7fff26b200d0 a2=7fff26b200d0 a3=18 items=0 ppid=8435 pid=9794 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4454 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1319322088.944:68014): avc:  denied  { getattr } for  pid=9794 comm="bash" path="/bin/su" dev=dm-0 ino=1048659 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319322088.944:68014): arch=c000003e syscall=4 success=no exit=-13 a0=26a7df0 a1=7fff26b200b0 a2=7fff26b200b0 a3=18 items=0 ppid=8435 pid=9794 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4454 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

Which leads to this solution from audit2allow:

[root@kerberos tmp]# cat /tmp/audit | audit2allow

#============= user_t ==============
#!!!! This avc is allowed in the current policy

allow user_t su_exec_t:file { execute getattr };
[root@kerberos tmp]#

Or this output:

type=AVC msg=audit(1319334064.195:39047): avc:  denied  { read open } for  pid=6067 comm="bash" name="su" dev=dm-0 ino=1048587 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319334064.195:39047): arch=c000003e syscall=59 success=no exit=-13 a0=eecbd0 a1=eecbf0 a2=ec7720 a3=18 items=0 ppid=2857 pid=6067 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts8 ses=2 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1319334064.200:39048): avc:  denied  { read } for  pid=6067 comm="bash" name="su" dev=dm-0 ino=1048587 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319334064.200:39048): arch=c000003e syscall=21 success=no exit=-13 a0=eecbd0 a1=4 a2=0 a3=18 items=0 ppid=2857 pid=6067 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts8 ses=2 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1319334064.200:39049): avc:  denied  { read } for  pid=6067 comm="bash" name="su" dev=dm-0 ino=1048587 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1319334064.200:39049): arch=c000003e syscall=2 success=no exit=-13 a0=eecbd0 a1=0 a2=43 a3=18 items=0 ppid=2857 pid=6067 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts8 ses=2 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1319334064.208:39050): avc:  denied  { rlimitinh } for  pid=6069 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1319334064.208:39050): avc:  denied  { siginh } for  pid=6069 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1319334064.208:39050): avc:  denied  { noatsecure } for  pid=6069 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1319334064.208:39050): arch=c000003e syscall=59 success=yes exit=0 a0=944aa0 a1=9447e0 a2=943010 a3=1 items=0 ppid=6068 pid=6069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319334064.369:39051): avc:  denied  { write } for  pid=6069 comm="setroubleshootd" name="rpm" dev=dm-0 ino=655363 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1319334064.369:39051): arch=c000003e syscall=21 success=no exit=-13 a0=1405430 a1=2 a2=0 a3=9 items=0 ppid=6068 pid=6069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319334064.370:39052): avc:  denied  { write } for  pid=6069 comm="setroubleshootd" name="rpm" dev=dm-0 ino=655363 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1319334064.370:39052): arch=c000003e syscall=21 success=no exit=-13 a0=1405430 a1=2 a2=0 a3=5 items=0 ppid=6068 pid=6069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)

At which, audit2allow suggests the following:

#============= setroubleshootd_t ==============
#!!!! The source type 'setroubleshootd_t' can write to a 'dir' of the following types:
# var_log_t, setroubleshoot_var_lib_t, setroubleshoot_var_run_t, setroubleshoot_var_log_t, var_lib_t, var_run_t, root_t

allow setroubleshootd_t rpm_var_lib_t:dir write;

#============= system_dbusd_t ==============
allow system_dbusd_t setroubleshootd_t:process { siginh rlimitinh noatsecure };

#============= user_t ==============
allow user_t su_exec_t:file { read open };

Curiously enough, it switch between the two messages whenever I tried to load new policy, as follows:

[root@kerberos tmp]# cat /tmp/audit2 | audit2allow -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

Attempting to use the upgrade option returns the following:

[root@kerberos tmp]# semodule -u local.pp 
libsemanage.get_direct_upgrade_filename: Previous module local is same or newer. (No such file or directory).
semodule:  Failed on local.pp!

Of note is the following:

The system originally didn't have selinux enabled. The problem started after I enabled selinux:
originally, it was a problem using "sudo su -", which during the troubleshooting, lead to this issue.
New hosts that I built after this had selinux enabled by default – and they didn't have this problem, which mean something didn't get enabled right when I revert SELinux to "enforcing" for the original server.

Here are the permissions and facl for the su command:

[root@kerberos tmp]# getfacl /bin/su 
getfacl: Removing leading '/' from absolute path names
# file: bin/su
# owner: root
# group: root
# flags: s--
user::rwx
group::r-x
other::r-x

[root@kerberos tmp]# ls -laZ /bin/su 
-rwsr-xr-x. root root system_u:object_r:su_exec_t:s0   /bin/su
[root@kerberos tmp]#

curiously enough, at some point, I had to execute su with the exact path, even though it is in my path. Also curiously, if I login as root, then su as the regular user, I can then use the su command:
```
[root@kerberos tmp]# su - rilindo
[rilindo@kerberos ~]$ su - 
Password: 
[root@kerberos ~]# 
```

Some direction is appreciated.

Best Answer

Your problem is your running in the user_t domain as root.

user_t does not have access to su.

Change your user to the staff_u user, that should make it go away.

semanage login -a -s staff_u -r s0 rilindo

Also, note su, on its own wont help you in this regard since you'll su into the staff_t type which wont do everything you want.

To fix this, edit sudoers and add your user to it such as this:

rilindo  ALL=(ALL)       ROLE=sysadm_r   TYPE=sysadm_t  ALL

Now, you can do sudo su - and wont get an issue!

Best Answer

Related Solutions

Redhat Apache fast-cgi selinux permissions

Centos 6.3 PERL CGI selinux file read access

Related Topic