Re: Error sending status request (Operation not permitted)
- From: Russell Coker <russell coker com au>
- To: fedora-selinux-list redhat com
- Cc:
- Subject: Re: Error sending status request (Operation not permitted)
- Date: Fri, 24 Feb 2006 11:40:59 +1100
On Thursday 26 January 2006 14:51, Bruce Ecroyd <bruce ecroyd gmail com>
wrote:
> The last part of the /var/log/audit/audit.log shows:
> type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5
> success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250
> auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
> fsgid=100 comm="su" exe="/bin/su"
> type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for
> pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
> tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
When running as user_u you should not be creating any files in a directory
with label sysadm_home_dir_t. If such file creation was permitted then
user_t would be able to subvert sysadm_t.
> If I change to strict, enforcing, will this prevent me from su to root?
If you log in as staff_r:staff_t then you will be able to su to root with
administrative privs, otherwise not. This is by design.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
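
The denial discussed in this message, as an added example that is not part of the original post: a small parser that reads AVC records and flags denied write-type operations from an unprivileged user domain into an administrator-labelled directory. The type and permission sets and the second log line are assumptions made for the example; adjust them to the loaded policy.

```python
import re

# Constructed sample: the AVC record quoted above, rejoined onto one line as
# auditd writes it, plus a constructed second record for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247002.000:13162970): avc: denied { read } for pid=8300 comm="cat" name=notes.txt scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

# Assumption for this example: which types count as unprivileged user domains
# and which as administrator-owned targets. Adjust to the loaded policy.
UNPRIVILEGED_DOMAINS = {"user_t"}
ADMIN_TARGET_TYPES = {"sysadm_home_dir_t"}
WRITE_PERMS = {"create", "write", "add_name", "append", "unlink", "rename", "setattr"}

def context_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def admin_boundary_denials(log_text):
    """Return denials where an unprivileged domain tried to modify an admin-labelled object."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["source_type"] in UNPRIVILEGED_DOMAINS
                and rec["target_type"] in ADMIN_TARGET_TYPES
                and rec["perms"] & WRITE_PERMS):
            hits.append(rec)
    return hits
```
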