[Cialug] {External} Re: Rhel 7 Selinux settings for Root user

Kelly Slaugh KSlaugh at Studentloan.org
Wed Aug 16 17:42:40 UTC 2017


The restorecon command I ran was with the -R switch. Sorry I didn't mention that.

# restorecon -R /

I did check and both /usr/bin/bash & /bin/bash have the same context as you...

ls -lZ /usr/bin/bash - system_u:object_r:shell_exec_t:s0 /usr/bin/bash

ls -lZ /bin/bash - system_u:object_r:shell_exec_t:s0 /bin/bash



-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Hasler, Chris
Sent: Wednesday, August 16, 2017 12:03 PM
To: 'Central Iowa Linux Users Group' <cialug at cialug.org>
Subject: Re: [Cialug] {External} Re: Rhel 7 Selinux settings for Root user

Based on the error, looks as if the SELinux context issue is with /usr/bin/bash.

Look at the bash command on the system:
# which bash

Check the inode of /bin/bash vs. /usr/bin/bash - the inode should be the same:
# ls -li /bin/bash
# ls -li /usr/bin/bash

Then check the SELinux context for each:
# ls -lZ /usr/bin/bash
# ls -lZ /bin/bash

On an Oracle Linux 7 system this is the SELinux context I see for bash:
# ls -lZ /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash

The error on your system seems to indicate that /usr/bin/bash has the following SELinux context:
sysadm_u:sysadm_r:sysadm_t:s0   rather than     system_u:object_r:shell_exec_t:s0

You mentioned running restorecon on / but not with the -R (recursive) option, so try the following and then check the SELinux context again.
# restorecon -R -v /bin/

Chris H.


-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Kelly Slaugh
Sent: Wednesday, August 16, 2017 11:06 AM
To: 'Central Iowa Linux Users Group'
Subject: Re: [Cialug] {External} Re: Rhel 7 Selinux settings for Root user

Well, as I expected, this is an SELinux problem with invalid contexts for yum.

Looking at the audit.log file I can see that there is an SELINUX_ERR being reported for /bin/yum when I attempt to run the command on the console logged in as root.

Restorecon has been run on /, however, with no positive results.

The audit.log shows this...

# ausearch -a 20311
----
time->Wed Aug 16 10:46:13 2017
type=PATH msg=audit(1502898373.250:20311): item=0 name="/bin/yum" inode=91063 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(1502898373.250:20311):  cwd="/root"
type=SYSCALL msg=audit(1502898373.250:20311): arch=c000003e syscall=59 success=no exit=-13 a0=13f2090 a1=13cafc0 a2=13c6dd0 a3=7ffef18bdfb0 items=1 ppid=5835 pid=5853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=33 comm="bash" exe="/usr/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1502898373.250:20311): op=security_compute_sid invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process



Any ideas?



Everything is working for me on the system. I'm not going to use root on the console to run commands, and I can run the yum command if I need to by first calling python, so it's not as if the system is not working. I'm more curious about how I can fix SELinux to allow the context, or manipulate SELinux to set the correct permissions on the system.

I was able to fix a couple of issues that turned up for some other software on the system by looking in the /var/log/messages & audit.log files. I ran sealert for a few items that popped up when searching messages for "SELinux is preventing". @ChrisHasler, thanks for that advice.
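The SELINUX_ERR record in the audit output above is a failed security_compute_sid: the kernel computed a new process context for the exec of /bin/yum and then rejected it as invalid. As an added example (not code from anyone in this thread), the Python helper below parses that record and splits the three contexts apart so you can see which piece of the rejected context came from where: the SELinux user is carried over from the caller, while the role and type come from the transition into the rpm_t domain. The audit line embedded in it is copied from the message above; `semanage user -l` is the standard command for listing which roles each SELinux user is authorised for.

```python
import re

# SELINUX_ERR record copied from the audit.log excerpt quoted in this thread.
AUDIT_LINE = (
    "type=SELINUX_ERR msg=audit(1502898373.250:20311): op=security_compute_sid "
    "invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 "
    "scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process"
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def split_context(ctx):
    """Split user:role:type[:mls] into (user, role, type, mls); mls may be ''."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else "")


def diagnose_compute_sid(line):
    """Explain a security_compute_sid SELINUX_ERR record (None for other records).
    The computed context keeps the caller's SELinux user and takes role and type
    from the domain transition, so that user must be authorised for the new role."""
    rec = parse_audit_record(line)
    if rec.get("type") != "SELINUX_ERR" or rec.get("op") != "security_compute_sid":
        return None
    src_user, src_role, src_type, _ = split_context(rec["scontext"])
    _, _, entry_type, _ = split_context(rec["tcontext"])
    bad_user, bad_role, bad_type, _ = split_context(rec["invalid_context"])
    return {
        "serial": rec["msg"].split(":")[1].rstrip(")"),  # value for ausearch -a
        "caller": "%s:%s:%s" % (src_user, src_role, src_type),
        "entrypoint_type": entry_type,  # label of the file being executed
        "new_domain": bad_type,
        "new_role": bad_role,
        "user_carried_over": bad_user == src_user,
        "role_changed": bad_role != src_role,
        # next check: does `semanage user -l` list new_role for this user?
        "user_to_check": bad_user,
    }


if __name__ == "__main__":
    for key, val in sorted(diagnose_compute_sid(AUDIT_LINE).items()):
        print("%-18s %s" % (key, val))
```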



-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Hasler, Chris
Sent: Wednesday, August 16, 2017 9:36 AM
To: 'Central Iowa Linux Users Group' <cialug at cialug.org>
Subject: Re: [Cialug] {External} Re: Rhel 7 Selinux settings for Root user

Seems it is an SELinux context issue.
Run the following to see if anything helpful is in the logs.

# grep "SELinux is preventing" /var/log/messages
# grep "denied" /var/log/audit/audit.log

Check the context on the yum and python commands:
# ls -lZ /bin/yum
# ls -lZ /usr/bin/python*

Sometimes I've seen this SELinux context issue with user home directory files that have been copied from another server/location. Since you say the issue is when the root user logs in, try restoring the context setting on the root user's home directory:

# restorecon -R -v /root



Chris H.



-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Kelly Slaugh
Sent: Wednesday, August 16, 2017 8:43 AM
To: 'Central Iowa Linux Users Group'
Subject: Re: [Cialug] {External} Re: Rhel 7 Selinux settings for Root user




Thanks for your suggestions. I wanted to make the situation a little clearer, so I'm not using my phone to type the email.

The root user is part of the sysadm_u context, not unconfined_u; however, even if I add root to unconfined_u, running any local scripts still fails. The problem isn't only with the yum command; that was just one example of many.

# semanage login -l

Login Name              SELinux User
__default__             unconfined_u
Root                    sysadm_u
System_u                system_u







What I did find out is that if I run the full path of the command, yum works.

# /usr/bin/python /bin/yum check-update

The situation is ONLY when logging onto the RHEL 7.3 server through a console as root. If I sudo up to root, or log in with a different user & su to root, the command "# yum check-update" works. If I'm logged in as root through the console and try to run commands that run scripts, I get errors like these.

# yum check-update
-bash: /bin/yum: /usr/bin/python: bad interpreter: Permission denied







Any ideas?

Thanks,

-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Zachary Kotlarek
Sent: Tuesday, August 15, 2017 1:29 PM
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: {External} Re: [Cialug] Rhel 7 Selinux settings for Root user
On 15 Aug 2017, at 7:27, kslaugh19 wrote:

> In Rhel 7, we continue to receive permission denied when logged in as
> Root on a console with selinux enforced.
> If I run the yum command as Root, not sudoing as Root, I get a python
> error. If I run the same yum command but first call the program
> python, yum works. Any ideas on what sebool needs enabled so that root
> can run scripts or programs without having to call the program first?
> Setting selinux as permissive works but is not an option.
> Any ideas?
> I've run the command setsebool and tried to locate any sebool setting
> and toggled quite a bit without any luck.

There are lots of fiddly bits that could be broken, but I’d start with the broadest possibilities:

What context do you have in the root shell (or whatever you’re launching `yum` from)? On RHEL the default for root is “unconfined_u”, which should allow almost anything. Use `id -Z` to see your current context or `semanage login -l` to list all user contexts.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html

Another thing to check is the on-disk labels; context transitions for executables depend on accurate disk labeling, but the labels are dependent on the policy as compiled, so it’s possible for the disk to get out of sync with policy. There are utilities like `restorecon` and `fixfiles` for small-scale relabeling; the recommended procedure for global relabeling is to mark the filesystem and let it happen as part of the boot process:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-fsrelabel.html

        Zach











_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
