From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 15 Aug 2013 14:19:52 +0200 Subject: [refpolicy] [PATCH 1/1] Allow su to get selinux mount info Message-ID: <20130815121952.GA18165@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com While trying to authenticate using "su", the authentication fails with the following error: ~$ su - su: Authentication service cannot retrieve authentication info In the audit log, we notice the following denial (after disabling dontaudits): type=AVC msg=audit(1376567915.011:8005): avc: denied { getattr } for pid=10640 comm="su" name="/" dev="selinuxfs" ino=1 scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=filesystem Allowing selinux_get_fs_mount() against $1_su_t is enough for su to succeed again. This is probably specific to Gentoo so using an ifdef(`distro_gentoo',`...') block. Signed-off-by: Sven Vermeulen --- policy/modules/admin/su.if | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 03ec5ca..db7940c 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -91,6 +91,10 @@ template(`su_restricted_domain_template', ` miscfiles_read_localization($1_su_t) + ifdef(`distro_gentoo',` + selinux_get_fs_mount($1_su_t) + ') + ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora auth_domtrans_upd_passwd($1_su_t) @@ -233,6 +237,10 @@ template(`su_role_template',` userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) + ifdef(`distro_gentoo',` + selinux_get_fs_mount($1_su_t) + ') + ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora auth_domtrans_upd_passwd($1_su_t) -- 1.8.1.5
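Review bot: in the su_restricted_domain_template hunk, the new ifdef(`distro_gentoo',` block carries no comment explaining why the call is needed, while the neighbouring ifdef(`distro_redhat',` block documents its reason ("# RHEL5 and possibly newer releases incl. Fedora"). Since the description says the Gentoo specificity is only "probably" the case, a one-line comment above `selinux_get_fs_mount($1_su_t)` recording the observed symptom (su's PAM authentication fails with "Authentication service cannot retrieve authentication info" because of a getattr denial on selinuxfs) would let a later reader decide whether the ifdef wrapper is still justified or whether the call should become unconditional.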
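Review bot: in the su_role_template hunk, the added block is a verbatim copy of the one in the first hunk, but only this template is backed by the evidence in the description: the quoted AVC has scontext=staff_u:staff_r:staff_su_t, a domain created by su_role_template, not by su_restricted_domain_template. Either state in the commit message that the restricted-domain template was changed for consistency without an observed denial, or include a denial for a restricted su domain so both hunks are justified; as written, a reviewer cannot tell whether the first hunk grants more than is needed.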