From: walid.fakim@cgi.com (Fakim, Walid)
Date: Mon, 14 Nov 2016 18:22:35 +0000
Subject: [refpolicy] su_exec
In-Reply-To: <6ebc2667-b50e-e227-c6fd-16c7454c3c8c@gmail.com>
References: <67130EC7AFA3FE4E9290B03665B351F40669E4@SE-EX022.groupinfra.com>
 <6ebc2667-b50e-e227-c6fd-16c7454c3c8c@gmail.com>
Message-ID: <67130EC7AFA3FE4E9290B03665B351F4066B04@SE-EX022.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks Dom - I'll experiment with that.

I can see that pam_rootok.so is already present in /lib64/security.

I am using CentOS 6.8, so I might be susceptible to that bug you mention.

I'll try adding the permission - I'm assuming you mean -> allow mydomain_t self:passwd rootok; <- ?

Thanks.

Best Regards,

Walid Fakim

-----Original Message-----
From: Dominick Grift [mailto:dac.override at gmail.com]
Sent: 14 November 2016 18:16
To: Fakim, Walid; refpolicy@oss.tresys.com
Subject: Re: su_exec

On 11/14/2016 05:11 PM, Fakim, Walid wrote:
> Hi Guys,
>
> So for this process I am trying to confine, the startup script is using su -c rather than runuser, and even though I've got su_exec(mydomain_t) in my te file, it's prompting for a password at startup.
>
> Any thoughts or experience of seeing this before?
>
> Thanks.
>
> Best Regards,
>
> Walid Fakim
>

Add pam_rootok.so to /etc/pam.d/su maybe?

Also you may need to allow the ":passwd rootok;" permission.

If it hit that, then the event should show up as a "USER_AVC" in audit.log (ausearch -m USER_AVC -ts today).

In the past there was a problem with PAM's SELinux awareness and it was not logging USER_AVC denials. That should now be fixed.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
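The check Dom suggests (ausearch -m USER_AVC -ts today) and the rule Walid guesses at, worked through as an added example that is not code from the thread or from refpolicy. pam_rootok.so, when SELinux is enabled, asks the policy server for the passwd { rootok } permission on the calling domain itself before it lets root skip the password prompt; a refusal is reported by libselinux's audit callback as a USER_AVC record rather than a kernel AVC. The script below parses such records and renders the corresponding allow rule, using the `self` keyword when source and target type coincide, which is the case Walid asks about. The audit lines are constructed for the example (the type names mydomain_t, sshd_t and unconfined_t are assumptions); on a real box you would feed it the output of ausearch or /var/log/audit/audit.log.

```python
#!/usr/bin/env python3
"""Turn USER_AVC `passwd { rootok }` denials into SELinux allow rules.

Added example for the su_exec thread; not code from refpolicy or from either
poster. The audit lines below are constructed to mirror the USER_AVC records
that `ausearch -m USER_AVC -ts today` prints when pam_rootok.so asks SELinux
for the passwd/rootok permission and is refused.
"""
import re

# Constructed sample records (assumption: type names mydomain_t, sshd_t,
# unconfined_t). Record 2 is a USER_AVC notice, not a denial; record 3 is a
# kernel AVC record, which ausearch -m USER_AVC would not return anyway.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1479148800.101:201): pid=1402 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mydomain_t:s0 msg='avc:  denied  { rootok } for  scontext=system_u:system_r:mydomain_t:s0 tcontext=system_u:system_r:mydomain_t:s0 tclass=passwd  exe="/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1479148800.102:202): pid=1402 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mydomain_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/sbin/setenforce" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1479148800.103:203): avc:  denied  { read } for  pid=1402 comm="su" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:mydomain_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AVC msg=audit(1479148800.104:204): pid=1500 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  denied  { rootok } for  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0 tclass=passwd  exe="/bin/su" sauid=0 hostname=? addr=? terminal=?'
"""

# Matches the "denied { perm ... } for ... scontext= tcontext= tclass=" part
# of a userspace AVC message.
DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_user_avc(log_text):
    """One dict per USER_AVC denial; notices and kernel AVC records are skipped."""
    denials = []
    for line in log_text.splitlines():
        if not line.startswith("type=USER_AVC"):
            continue
        m = DENIED_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rule(denial):
    """Render a refpolicy-style allow rule; a self-denial uses the `self` keyword."""
    target = "self" if denial["source"] == denial["target"] else denial["target"]
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (denial["source"], target, denial["tclass"], perm_str)


def rootok_rules(log_text):
    """Allow rules for every distinct passwd/rootok denial, in first-seen order."""
    rules = []
    for d in parse_user_avc(log_text):
        if d["tclass"] == "passwd" and "rootok" in d["perms"]:
            rule = allow_rule(d)
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rootok_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the constructed records, the first denial yields exactly the rule from the reply, `allow mydomain_t self:passwd rootok;`, which belongs in the same .te file as the su_exec(mydomain_t) call. The second denial is there as a caution: passwd rootok is the permission that lets a domain tell pam_rootok.so that root's password need not be checked, so a rule whose target is another domain (here sshd_t) should be questioned rather than pasted in, and the output of a script like this, or of audit2allow, is a starting point for review, not a module to load unread.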