Resend: Error sending status request (Operation not permitted)

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 27 14:08:48 UTC 2006


On Fri, 2006-01-27 at 08:16 -0500, Bruce Ecroyd wrote:
> I recently switched from FC4 targeted (enforcing) to strict
> (permissive) using selinux-policy-strict-1.27.1-2.16.noarch.rpm.
> I did a touch /.autorelabel before rebooting.

Please turn off HTML mail in your mail client; it isn't desirable for
public mailing lists in particular.

> I see this: 
> [bruce at BorgCube ~]$ su -
> Password:
> Error sending status request (Operation not permitted)
> [root at BorgCube ~]#
>  
> The last part of the /var/log/audit/audit.log shows:
> type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003
> syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1
> pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0
> egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
> type=AVC msg=audit(1138247001.111:13162965): avc:  denied  { create }
> for  pid=8250 comm="su" name=.xauthVpNVFy
> scontext=user_u:user_r:user_t
> tcontext=user_u:object_r:sysadm_home_dir_t tclass=file

Under strict policy, users can only use 'su' if they are assigned the
staff_r role.  Unless you turn on the user_canbe_sysadm tunable and
rebuild the policy.  So you need to authorize your username for staff_r.
Under FC4, you can do this via:
vi /etc/selinux/strict/users/local.users
<uncomment the entry for 'jadmin' and replace 'jadmin' with your own
username>
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.19
/usr/sbin/genhomedircon
/sbin/restorecon -R /home/<username>

Alternatively, you can install selinux-policy-strict-sources,
cd /etc/selinux/strict/src/policy, and edit its users file, followed by
a make load and the above restorecon.

Alternatively, you can install selinux-policy-strict-sources,
cd /etc/selinux/strict/src/policy, and edit the tunables/tunable.tun
file, enable the user_canbe_sysadm tunable (by removing the dnl prefix),
followed by a make load.  In which case you (and any other user_r user)
can use su (still requiring them to know the root password).  But that
isn't as secure.

As a heads up, note that this approach will be obsoleted in FC5.
In FC5, you can map Linux users to predefined SELinux pseudo-users (like
staff_u) using the semanage tool and not need to rebuild or reload
policy (although you still have to label the user's home directory).

> If I change to strict, enforcing, will this prevent me from su to
> root?

Yes, it should, since you weren't authorized for staff_r.

-- 
Stephen Smalley
National Security Agency



