From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 14 Nov 2016 19:15:54 +0100
Subject: [refpolicy] su_exec
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F40669E4@SE-EX022.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F40669E4@SE-EX022.groupinfra.com>
Message-ID: <6ebc2667-b50e-e227-c6fd-16c7454c3c8c@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/14/2016 05:11 PM, Fakim, Walid wrote:
> Hi Guys,
>
> So for this process I'm trying to confine, the startup script is using su -c rather than runuser, and even though I've got su_exec(mydomain_t) in my te file, it's prompting for a password at startup.
>
> Any thoughts or experience of seeing this before?
>
> Thanks.
>
> Best Regards,
>
> Walid Fakim
>

Add pam_rootok.so to /etc/pam.d/su maybe?

Also you may need to allow ":passwd rootok;" permission.

If it hit that then the event should show up as a "USER_AVC" in audit.log (ausearch -m USER_AVC -ts today).

In the past there was a problem with PAM's SELinux awareness and it was not logging USER_AVC denials. That should now be fixed.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
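The two checks suggested in the reply (is pam_rootok.so in the su auth stack, and are there USER_AVC records denying "rootok" on the passwd class) as an added shell example; this is not code from the thread or from refpolicy. The pam stack and the audit records below are constructed stand-ins so it runs offline; on a real host you would feed it /etc/pam.d/su and the output of "ausearch -m USER_AVC -ts today" instead, and the domain name mydomain_t is the one from the question.

```shell
#!/bin/sh
# Constructed stand-in for /etc/pam.d/su (a real file may differ).
PAM_SU_SAMPLE='auth            sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth'

# Constructed stand-in for `ausearch -m USER_AVC -ts today` output:
# one rootok denial raised by su running in mydomain_t, one unrelated record.
AUDIT_SAMPLE="type=USER_AVC msg=audit(1479147354.101:211): pid=812 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mydomain_t:s0 msg='avc:  denied  { rootok } for  scontext=system_u:system_r:mydomain_t:s0 tcontext=system_u:system_r:mydomain_t:s0 tclass=passwd exe=\"/usr/bin/su\" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1479147360.202:215): pid=901 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_t:s0 msg='avc:  received policyload notice (seqno=3) exe=\"/usr/sbin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"

# has_pam_rootok STACK: succeed if an uncommented "auth <control> pam_rootok.so"
# line is present, i.e. root (uid 0) callers of su are not asked for a password.
has_pam_rootok() {
    printf '%s\n' "$1" \
    | grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_rootok\.so'
}

# rootok_denials AUDIT: print "scontext tcontext" for each USER_AVC record that
# denies the rootok permission on the passwd class (PAM reports these via
# userspace AVC, so they are USER_AVC rather than AVC records).
rootok_denials() {
    printf '%s\n' "$1" \
    | grep -F 'type=USER_AVC' \
    | grep -E 'denied +\{ *rootok *\}' \
    | grep -F 'tclass=passwd' \
    | sed -E 's/.*scontext=([^ ]+) tcontext=([^ ]+).*/\1 \2/'
}

# suggest_rule "scontext tcontext": the allow rule that covers one such denial,
# in the form it would take in the domain's .te file.
suggest_rule() {
    set -- $1
    src=${1#*:}; src=${src#*:}; src=${src%%:*}   # third field is the type
    tgt=${2#*:}; tgt=${tgt#*:}; tgt=${tgt%%:*}
    if [ "$src" = "$tgt" ]; then
        echo "allow $src self:passwd rootok;"
    else
        echo "allow $src $tgt:passwd rootok;"
    fi
}

if has_pam_rootok "$PAM_SU_SAMPLE"; then echo "pam_rootok.so is in the su auth stack"; fi
rootok_denials "$AUDIT_SAMPLE" | while read -r pair; do suggest_rule "$pair"; done
```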