[Cialug] Rhel 7 Selinux settings for Root user
Zachary Kotlarek
zach at kotlarek.com
Tue Aug 15 18:28:51 UTC 2017
On 15 Aug 2017, at 7:27, kslaugh19 wrote:
> In Rhel 7, we continue to receive permission denied when logged in
> as Root on a console with selinux enforced.
> If I run the yum command as Root, not sudoing as Root, I get a
> python error. If I run the same yum command but first call the
> program python, yum works. Any ideas on what sebool needs enabled so
> that root can run scripts or programs without having to call the
> program first?
> Setting selinux as permissive works but not an option.
> Any ideas?
> I've run the command setsebool and tried to locate any sebool
> setting and toggled quite a bit without any luck.
There are lots of fiddly bits that could be broken, but I’d start with
the broadest possibilities:
What context do you have in the root shell (or whatever you’re
launching `yum` from)? On RHEL the default for root is “unconfined_u”,
which should allow almost anything. Use `id -Z` to see your current
context or `semanage login -l` to list all user contexts.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
Another thing to check is the on-disk labels; context transitions for
executables depend on accurate disk labeling, but the labels are
dependent on the policy as compiled so it’s possible for the disk to
get out-of-sync with policy. There are utilities like `restorecon` and
`fixfiles` for small-scale relabeling; the recommended procedure for
global relabeling is to mark the filesystem and let it happen as part
of the boot process:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-fsrelabel.html
Zach
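As an added example (not Zach's or the list's own code), a small POSIX sh helper that automates the two checks in the reply: is the shell's context unconfined, and do the on-disk labels of the binaries `yum` depends on match what the loaded policy expects. It assumes RHEL 7 with policycoreutils installed (`getenforce`, `id -Z`, `matchpathcon`, `restorecon`); the `matchpathcon -V` sample output and the path list are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original thread.
# Assumes RHEL 7 with policycoreutils; live checks run only if the tools exist.

# Field helpers for a context string such as
# "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
selinux_user() { printf '%s\n' "$1" | cut -d: -f1; }
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Succeeds when the process type is unconfined_t, the type a root shell
# mapped to the default unconfined_u login gets on RHEL.
is_unconfined() {
  case "$(selinux_type "$1")" in
    unconfined_t) return 0 ;;
    *)            return 1 ;;
  esac
}

# Read `matchpathcon -V` output on stdin; lines ending in "verified." are
# fine, anything else reports an on-disk label that disagrees with policy.
count_mismatches() { grep -vc 'verified\.$' || true; }
mismatched_paths() { awk '/has context/ { print $1 }'; }

# Constructed sample of `matchpathcon -V` output (one bad label).
SAMPLE_MATCHPATHCON='/usr/bin/yum verified.
/usr/bin/python verified.
/usr/bin/rpm has context system_u:object_r:bin_t:s0, should be system_u:object_r:rpm_exec_t:s0'

run_diagnostics() {
  echo "mode: $(getenforce)"
  ctx=$(id -Z)
  echo "context: $ctx (user $(selinux_user "$ctx"))"
  if is_unconfined "$ctx"; then
    echo "shell is unconfined"
  else
    echo "shell is CONFINED as $(selinux_type "$ctx"); check semanage login -l"
  fi
  # Compare labels of the binaries yum uses against policy (read-only).
  echo "mislabeled:"
  matchpathcon -V /usr/bin/yum /usr/bin/python /usr/bin/rpm 2>/dev/null | mismatched_paths
  # Dry-run relabel: -n reports what restorecon would change without touching disk.
  restorecon -nv /usr/bin/yum /usr/bin/python /usr/bin/rpm 2>/dev/null || true
  # For a global relabel, the RHEL guide's method is: touch /.autorelabel && reboot
  return 0
}

if command -v getenforce >/dev/null 2>&1 && command -v matchpathcon >/dev/null 2>&1; then
  run_diagnostics
fi
```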