Hi Guys,
So for this process I'm trying to confine, the startup script is using su -c rather than runuser, and even though I've got su_exec(mydomain_t) in my te file, it's prompting for a password at startup.
Any thoughts or experience of seeing this before?
Thanks.
Best Regards,
Walid Fakim
On 11/14/2016 05:11 PM, Fakim, Walid wrote:
> Hi Guys,
>
> So for this process I'm trying to confine, the startup script is using su -c rather than runuser, and even though I've got su_exec(mydomain_t) in my te file, it's prompting for a password at startup.
>
> Any thoughts or experience of seeing this before?
>
> Thanks.
>
> Best Regards,
>
> Walid Fakim
>
>
Add pam_rootok.so to /etc/pam.d/su maybe?
Also you may need to allow the ":passwd rootok;" permission.
If it hits that, then the event should show up as a "USER_AVC" in audit.log (ausearch -m USER_AVC -ts today).
In the past there was a problem with PAM's SELinux awareness and it was not logging USER_AVC denials. That should now be fixed.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
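The three checks in the reply above, as an added example that is not part of the original thread or of refpolicy: a test for whether the su PAM stack carries an "auth sufficient pam_rootok.so" entry, a parser that pulls the denied class and permission out of USER_AVC records of the kind "ausearch -m USER_AVC -ts today" prints, and a converter that turns each denial into the allow rule to put in the .te file. The domain name mydomain_t, the sample PAM stack and the audit record are constructed for illustration; the record follows the layout libselinux's userspace AVC uses when PAM calls it, which is an assumption about the exact field order.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): helpers to check why a
# confined "su -c" is stopped at PAM, and to derive the allow rule for the
# USER_AVC denial that pam_rootok.so produces under SELinux.

# (1) Read a PAM stack on stdin (e.g. su_pam_has_rootok < /etc/pam.d/su) and
#     return 0 only if root is let through by an "auth sufficient pam_rootok.so"
#     entry; without it su always falls through to the password modules.
su_pam_has_rootok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so'
}

# (2) For every "avc: denied { perm }" USER_AVC record on stdin print one line:
#     "scontext tcontext tclass perm". Records that are not denials are skipped.
user_avc_denials() {
    sed -n 's/.*avc:[[:space:]]*denied[[:space:]]*{[[:space:]]*\([a-z_]*\)[[:space:]]*}.*scontext=\([^[:space:]]*\).*tcontext=\([^[:space:]]*\).*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# (3) Turn the lines from (2) into allow rules. The type is the third
#     colon-separated field of a context; pam_rootok checks the calling
#     process against its own context, so source and target types match and
#     the target is written as "self".
denials_to_allow_rules() {
    while read -r scon tcon class perm; do
        stype=$(printf '%s' "$scon" | cut -d: -f3)
        ttype=$(printf '%s' "$tcon" | cut -d: -f3)
        if [ "$stype" = "$ttype" ]; then
            ttype=self
        fi
        printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$class" "$perm"
    done
}

# Constructed sample data, not output from the poster's CentOS 6.8 system.
SAMPLE_PAM_SU='auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-auth
password  include     system-auth
session   include     system-auth'

SAMPLE_USER_AVC="type=USER_AVC msg=audit(1479145200.000:101): pid=1234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mydomain_t:s0 msg='avc:  denied  { rootok } for  scontext=system_u:system_r:mydomain_t:s0 tcontext=system_u:system_r:mydomain_t:s0 tclass=passwd  exe=\"/bin/su\" sauid=0 hostname=? addr=? terminal=?'"

# The allow rule the sample denial calls for (expected:
# "allow mydomain_t self:passwd rootok;").
sample_allow_rule() {
    printf '%s\n' "$SAMPLE_USER_AVC" | user_avc_denials | denials_to_allow_rules
}

# Stand-alone run over the sample data.
if printf '%s\n' "$SAMPLE_PAM_SU" | su_pam_has_rootok; then
    echo "pam_rootok.so is an auth sufficient entry in the sample su stack"
else
    echo "pam_rootok.so is missing from the sample su stack"
fi
sample_allow_rule
```

On a real box the same pipeline is `ausearch -m USER_AVC -ts today | user_avc_denials | denials_to_allow_rules`, and `su_pam_has_rootok < /etc/pam.d/su` answers the first question in the reply. The raw allow rule is a quick way to confirm the diagnosis; once it is confirmed, prefer the refpolicy interface that grants the permission, if one exists for your version, over a bare allow line in the module.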
Thanks Dom - I'll experiment with that.
I can see that pam_rootok.so is already present in /lib64/security.
I'm using CentOS 6.8, so I might be susceptible to that bug you mention.
I'll try adding the permission. I'm assuming you mean: allow mydomain_t self:passwd rootok; ?
Thanks.
Best Regards,
Walid Fakim
-----Original Message-----
From: Dominick Grift [mailto:dac.override at gmail.com]
Sent: 14 November 2016 18:16
To: Fakim, Walid; [email protected]
Subject: Re: su_exec