From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Aug 2012 14:50:19 -0400
Subject: [refpolicy] How to give _admin rights?
In-Reply-To: <20120809183851.GA2643@siphos.be>
References: <20120809183851.GA2643@siphos.be>
Message-ID: <5024066B.9080206@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/09/2012 02:38 PM, Sven Vermeulen wrote:
> Hi guys,
>
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
>   nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really
> use it properly, unless I also give that user the root password (which I
> don't) for the run_init command...
>
> I've tried:
>   ~$ /etc/init.d/nscd status
>   -bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter: Permission denied
> which is because of:
>   security_compute_sid: invalid context staff_u:system_r:initrc_t for scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process
>
> I've tried:
>   ~$ /usr/sbin/run_init /etc/init.d/nscd status
>   Authenticating oper.
>   Password:
>   Could not set exec context to system_u:system_r:initrc_t
> which is because of:
>   avc: denied { setexec } for pid=18505 comm="run_init" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
>
> I've tried:
>   ~$ sudo /usr/sbin/run_init /etc/init.d/nscd status
> but then, after authenticating, run_init asks for the root password which I
> don't want to grant.
>
> I've tried:
>   ~$ sudo /etc/init.d/nscd status
>   sudo: unable to execute /etc/init.d/nscd: Permission denied
> For this I don't know what is causing this - only see the standard denials
> (rlimitinh, noatsecure, ...) and a getattr on a tty device.
>
> Is it "normal" that I would need to allow setexec for the user domain?
>
> What is the correct way to, once a role/user is defined, grant him the
> _admin interface and have him start/stop the init scripts?
>
> Wkr,
>   Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

What OS are you seeing this on?
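As an added triage aid (not part of the thread, and not refpolicy code), the two kernel messages quoted in the question are of different kinds: an `avc: denied` line means a domain lacks a permission, while a `security_compute_sid: invalid context` line means the transition was computed but the resulting user/role/type combination is not valid in the loaded policy. The parser below separates the two so each can be checked against the right part of the policy; the sample log lines are constructed from the messages in the question.

```python
import re
from typing import Optional

# Constructed sample: the two denials quoted in the question, one per line.
SAMPLE_LOG = """\
security_compute_sid: invalid context staff_u:system_r:initrc_t for scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process
avc: denied { setexec } for pid=18505 comm="run_init" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
SID_RE = re.compile(
    r'security_compute_sid:\s+invalid context\s+(?P<newctx>\S+)\s+for\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def split_context(ctx: str) -> tuple[str, str, str]:
    """Return (user, role, type) from user:role:type[:level]."""
    user, role, type_ = ctx.split(":")[:3]
    return user, role, type_


def diagnose(line: str) -> Optional[dict]:
    """Classify one kernel message; returns None for lines that are neither kind."""
    m = SID_RE.search(line)
    if m:
        user, role, type_ = split_context(m["newctx"])
        _, srole, stype = split_context(m["scontext"])
        # The transition rule fired; the computed context is what the policy rejects.
        return {"kind": "invalid_context", "user": user, "role": role, "type": type_,
                "source_domain": stype,
                "check": f"is user {user} authorized for role {role}, and is {role} "
                         f"authorized for type {type_}? (transition from {srole}:{stype})"}
    m = AVC_RE.search(line)
    if m:
        perms = m["perms"].split()
        _, _, stype = split_context(m["scontext"])
        _, _, ttype = split_context(m["tcontext"])
        # An ordinary access-vector denial: the source domain lacks an allow rule.
        return {"kind": "avc_denied", "perms": perms, "source_domain": stype,
                "target_type": ttype, "tclass": m["tclass"],
                "check": f"does {stype} have {{ {' '.join(perms)} }} on {ttype}:{m['tclass']}?"}
    return None


def diagnose_log(text: str) -> list[dict]:
    """Run diagnose() over every line of a log and keep the recognised ones."""
    return [d for d in (diagnose(l) for l in text.splitlines()) if d]
```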