[Cialug] {External} Re: Rhel 7 Selinux settings for Root user

Kelly Slaugh KSlaugh at Studentloan.org
Wed Aug 16 13:43:02 UTC 2017


Thanks for your suggestions. I wanted to make the situation a little clearer so I'm not using my phone to type the email.

The root user is part of the sysadm_u context, not unconfined_u; however, even if I add root to unconfined_u, running any local scripts still fails. The problem isn't only with the yum command; that was just one example of many.

#semanage login -l

Login Name              SELinux User

__default__             unconfined_u
Root                    sysadm_u
System_u                system_u

What I did find out is that if I run the full path of the command, yum works.

# /usr/bin/python /bin/yum check-update

The situation occurs ONLY when logging onto the RHEL 7.3 server through a console as root; if I sudo up to root, or log in as a different user and su to root, the command "#yum check-update" works. If I'm logged in as root through the console and try to run commands that run scripts, I get errors like these.

# yum check-update
-bash: /bin/yum: /usr/bin/python: bad interpreter: Permission denied

Any ideas?

Thanks,



-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Zachary Kotlarek
Sent: Tuesday, August 15, 2017 1:29 PM
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: {External} Re: [Cialug] Rhel 7 Selinux settings for Root user


On 15 Aug 2017, at 7:27, kslaugh19 wrote:

> In Rhel 7, we continue to receive permission denied when logged in as
> Root on a console with selinux enforced.
> If I run the yum command as Root, not sudoing as Root, I get a python
> error. If I run the same yum command but first call the program
> python, yum works. Any ideas on what sebool needs enabled so that root
> can run scripts or programs without having to call the program first?
> Setting selinux as permissive works but not an option.
> Any ideas?
> I've run the command setsebool and tried to locate any sebool setting
> and toggled quite a bit without any luck.


There are lots of fiddly bits that could be broken, but I’d start with the broadest possibilities:

What context do you have in the root shell (or whatever you’re launching `yum` from)? On RHEL the default for root is “unconfined_u”, which should allow almost anything. Use `id -Z` to see your current context or `semanage login -l` to list all user contexts.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html

Another thing to check is the on-disk labels; context transitions for executables depend on accurate disk labeling, but the labels are dependent on the policy as compiled so it’s possible for the disk to get out-of-sync with policy. There are utilities like `restorecon` and `fixfiles` for small-scale relabeling; the recommended procedure for global relabeling is to mark the filesystem and let it happen as part of the boot process:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-fsrelabel.html

        Zach
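As an added example, not code from either message in this thread: a small POSIX shell script that applies the two checks Zach suggests above (which SELinux user a login maps to, and whether an executable's on-disk label matches what the policy expects) to constructed sample text in the formats of `semanage login -l` and `ls -Z`. The sample files and expected labels are assumptions for illustration, not authoritative RHEL 7 policy values.

```shell
#!/bin/sh
# Added example (not from the thread). Works on constructed sample text in the
# formats of `semanage login -l` and `ls -Z`, so it runs on any box; on a real
# RHEL 7 host you would feed it the live output of those commands instead.

# Constructed `semanage login -l` output mirroring the table in the thread.
SAMPLE_LOGINS='Login Name              SELinux User
__default__             unconfined_u
root                    sysadm_u
system_u                system_u'

# Constructed `ls -Z` output: one correctly labeled file and one carrying a
# stale generic label of the kind a relabel would repair.
SAMPLE_LABELS='system_u:object_r:bin_t:s0 /usr/bin/python
system_u:object_r:default_t:s0 /bin/yum'

# Constructed "path expected-label" pairs (illustrative values; on a real host
# `matchpathcon <path>` prints the label the loaded policy expects).
SAMPLE_EXPECTED='/usr/bin/python system_u:object_r:bin_t:s0
/bin/yum system_u:object_r:rpm_exec_t:s0'

# Print the SELinux user a login maps to, falling back to __default__ when the
# login has no explicit mapping. Arguments: login name, semanage output.
selinux_user_for() {
    user=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$user" ] || user=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$user"
}

# Print one line per file whose on-disk label differs from the expected one,
# i.e. the files `restorecon -v` would relabel. Arguments: current labels
# (ls -Z format) and expected "path label" pairs.
label_mismatches() {
    printf '%s\n' "$2" | while read -r path want; do
        have=$(printf '%s\n' "$1" | awk -v p="$path" '$2 == p { print $1 }')
        [ "$have" = "$want" ] || printf '%s %s -> %s\n' "$path" "$have" "$want"
    done
}

# Stand-alone run: show the mapping for root and any label drift.
echo "root maps to: $(selinux_user_for root "$SAMPLE_LOGINS")"
label_mismatches "$SAMPLE_LABELS" "$SAMPLE_EXPECTED"
```

On a real host, replace the sample strings with the live output of `semanage login -l`, `ls -Z <path>` and `matchpathcon <path>`; a login mapped to sysadm_u and a mismatched label on the interpreter path are the two conditions this script surfaces.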




