# [solved] SELinux enforcing - root doesn't have root access!

## mattwood2000

OK all you SELinux experts...I finally worked through all the initial headaches of getting SELinux up and running without avc errors in dmesg.  Long story short I had to create a few custom policies based on this thread: https://forums.gentoo.org/viewtopic-t-808498-highlight-audit2allow.html.

Now that I got all of that done, I'm trying to get enforcing mode to play nicely.  I can boot in enforcing mode, but a couple strange things happen after that:

If I login as my normal user and then 'su', I get root access, but immediately I get this error:

```
bash: /root/.bashrc: Permission denied
```

And, as I expected, I really don't have root permissions - if I cd out of /root and then try to cd back in I get a permission denied.  Also, I don't seem to be able to operate on any files that are normally available to root (i.e. ls, nano, touch, cat, etc.).

However, if I login as root directly then I get my full access.

For SSH, I have disabled root logins.  If I try to log in with my normal user via SSH, I authenticate my password, but immediately the session is terminated.  I get this avc error:

```
avc:  denied  { setkeycreate }  for  pid=3698 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=process
```

I had a similar error for SSH before and I simply created a policy module for it:

```
#============= sshd_t ==============
allow sshd_t port_t:tcp_socket name_bind;
```

I'm guessing that I would just update my policy with the current avc denial info in order to allow it?  I just want to be 100% sure on SSH because this box is going to be a server exposed to the whole world and I will need SSH access for myself and don't want to take any chances.

Any info would be really appreciated.

Thanks, Matt.

Here is some info about the system:

/etc/securetty:

```
vc/0
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
vc/12
#tty0
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11
#tty12
tts/0
ttyS0
```

sestatus -v output:

```
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                user_u:user_r:user_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               user_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

getsebool -a:

```
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_mount_anyfile --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> on
init_upstart --> off
mail_read_content --> off
named_write_master_zones --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
rsync_export_all_ro --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> on
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
```

Last edited by mattwood2000 on Sun Mar 28, 2010 6:51 pm; edited 1 time in total

----------

## mattwood2000

OK so I guess this is solved...I figured out that I needed to add my normal user to the SELinux (i.e. use semanage).

I added my normal user to the group sysadm_u - now I don't have any more of the bashrc permission denied messages when I 'su'.  Also, the su'ed root has access to everything it is supposed to have.

On a somewhat related topic, I find it interesting that when I su to root, if I run 'who' - root doesn't show up as being logged in.  Is this normal?  I guess I never noticed this before, but that seems strange that it would be hidden.

In the meantime I've also gotten SSH to work and samba to work on my intranet side of the server by creating custom policies.

My only questions now are on the policies I've created - are they safe?  Or in other words, is this the normal method to give only as much access as necessary for what I'm trying to accomplish - samba share read/write, and SSH access for remote administration with only my normal user?

Any comments would be appreciated.

Thanks, Matt.

getsebool -a:

```
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_mount_anyfile --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> on
init_upstart --> off
mail_read_content --> off
named_write_master_zones --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
rsync_export_all_ro --> off
samba_domain_controller --> on
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> on
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
```

sshd_t.te:

```
policy_module(sshd,1.0.2)

require {
	type sshd_t;
	type port_t;
	type sysadm_t;
}

#============= sshd_t ==============
allow sshd_t port_t:tcp_socket name_bind;
allow sshd_t self:process setkeycreate;
allow sshd_t sysadm_t:key create;
```

smb_t.te:

```
policy_module(smbd,1.0.0)

require {
	type smbd_t;
	type dosfs_t;
}

#============= smbd_t ==============
allow smbd_t dosfs_t:dir { search getattr setattr add_name remove_name rmdir rename read write create };
allow smbd_t dosfs_t:file { getattr setattr lock unlink rename read write create };
```
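The allow rules in both .te files above are what audit2allow derives from AVC denials like the setkeycreate one in the first post. As an added example (not from the thread or from the SELinux tooling), this Python script does the same grouping on constructed sample denials: it merges permissions per (source type, target type, class), substitutes `self` where source and target types match, wraps the result in a policy_module with its require block, and flags grants on the generic port_t type, which is the review point a reader of these modules would raise.

```python
import re
from collections import defaultdict

# Constructed sample denials, shaped like the thread's setkeycreate line and the ones behind the two .te files.
SAMPLE_AVC = """
avc:  denied  { setkeycreate }  for  pid=3698 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=process
avc:  denied  { name_bind }  for  pid=3650 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
avc:  denied  { read write }  for  pid=4100 comm="smbd" name="share" dev=sda3 ino=12 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:dosfs_t tclass=dir
avc:  denied  { search }  for  pid=4100 comm="smbd" name="share" dev=sda3 ino=12 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:dosfs_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Generic target types: a grant on these is wider than the denial needed, so note the narrower fix.
BROAD_TARGETS = {"port_t": "grants bind on any unlabeled port; label the port instead (semanage port -a -t ssh_port_t -p tcp <port>)"}

def parse_avc(text):
    """Group denials as {(source_type, target_type, tclass): set(perms)}; the type is field 3 of a context."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_allow_rules(rules):
    """Render .te allow rules, writing 'self' when a domain acts on its own type (as in the sshd_t module)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out

def to_te(name, rules, version="1.0.0"):
    """Wrap the rules in a policy_module with a require block listing every type the rules reference."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    body = [f"policy_module({name},{version})", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += ["}", ""] + to_allow_rules(rules)
    return "\n".join(body)

def review(rules):
    """List grants whose target type is a generic one that should be narrowed before loading the module."""
    return [f"{s} -> {t}:{c}: {BROAD_TARGETS[t]}" for (s, t, c) in rules if t in BROAD_TARGETS]
```

Run `print(to_te("local", parse_avc(SAMPLE_AVC)))` to see the module and `review(...)` to see the port_t note; the second sshd_t rule shows why a `self:process` grant is narrower than a cross-domain one.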

----------

