Hi,
I'm quite new to SELinux, learning stuff mostly by trial and error.
For securing custom (daemon) programs and scripts, I prepared a number of confined domains, and debugged it all under permissive mode.
Among others, some of the scripts use "su" for changing from "root" to another common user. Naturally this won't need a password.
The script calling "su" runs in a confined domain; I declared su_role_template(that_domain) for it to work well - at least in permissive mode.
My problem is, when I switch to enforcing mode, the "su" command starts asking for a password (Linux login password of the common user).
I don't know why, and I need to get rid of it. No AVC is generated at all, so no easy clue here.
Does somebody know how? I don't need answers like "don't use su" or similar, this is mostly about SELinux rules.
Thanks much!
Summary: script runs in confined domain, calls su (su_role_template) to change from root to user. In enforcing mode, su asks for password (no AVC hint).
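One way to get a clue out of the "no AVC at all" situation described above, as an added example that is not part of this thread: rebuild the policy with dontaudit rules disabled, reproduce the su call, and search both kernel AVC and userspace USER_AVC records, since pam_rootok on SELinux-enabled builds makes its own access check (class passwd, permission rootok) that is answered and logged in userspace. The domain names mydaemon_t and mydaemon_su_t are assumptions, and the sample audit record is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: mydaemon_t is the
# script's confined domain, mydaemon_su_t is the domain created by
# su_role_template(mydaemon, system_r, mydaemon_t).

# Reduce one AVC or USER_AVC record to "<source type> <target type> <class> <perm>".
summarize_avc() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "denied")    { perm = $(i+2); gsub(/[{}]/, "", perm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); dst = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8); gsub(/[^a-zA-Z0-9_]/, "", cls) }
        }
        print src, dst, cls, perm
    }'
}

# Constructed USER_AVC record of the kind pam_rootok emits when its
# userspace check is refused (values are made up for illustration).
SAMPLE_USER_AVC="type=USER_AVC msg=audit(1.0:1): pid=1 uid=0 auid=0 ses=1 subj=system_u:system_r:mydaemon_su_t:s0 msg='avc:  denied  { rootok } for  scontext=system_u:system_r:mydaemon_su_t:s0 tcontext=system_u:system_r:mydaemon_su_t:s0 tclass=passwd  exe=\"/bin/su\" sauid=0 hostname=? addr=? terminal=? '"

# Reproduce with dontaudit rules disabled, then list every denial recorded
# since the start of the run. Needs root and an enforcing system.
#   usage: trace_su_denials /path/to/script-that-runs-in-mydaemon_t [args...]
trace_su_denials() {
    semodule -DB                       # rebuild policy without dontaudit rules
    start=$(date '+%H:%M:%S')
    "$@"                               # the script that calls su, in its usual domain
    semodule -B                        # restore the normal policy
    ausearch -m AVC,USER_AVC -ts "$start" 2>/dev/null | while IFS= read -r rec; do
        case $rec in *denied*) summarize_avc "$rec" ;; esac
    done
}
```

Read the summary lines against the su_role_template rules: the source type should be the su domain the template created for the script's domain, not the script's domain itself.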
SELinux: su and confined domain
Re: SELinux: su and confined domain
Not sure, but have you confirmed the behavior by running an su <command> from the script on the command line while in enforcing mode?
Maybe su calls another module or object (like pam/pam.conf) which needs its selinux permissions set for the user(??).
Possibly trace the su <command> to see what modules are being called and check selinux config on those for the user?
Re: SELinux: su and confined domain
Try using runuser, see http://danwalsh.livejournal.com/55588.html