[Cialug] {External} Re: Rhel 7 Selinux settings for Root user
Hasler, Chris
ChrisHasler at alliantenergy.com
Wed Aug 16 14:36:08 UTC 2017
Seems it is a SELinux context issue.
Running the following to see if anything helpful is in the logs.
# grep "SELinux is preventing" /var/log/messages
# grep "denied" /var/log/audit/audit.log
Check the context on the yum and python commands
# ls -lZ /bin/yum
# ls -lZ /usr/bin/python*
Sometimes I've seen this SELinux context issue with user home directory files that have been copied from another server/location. Since you say the issue is when the root user logs in, try restoring the context setting on the root user's home directory:
# restorecon -R -v /root
Chris H.
-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Kelly Slaugh
Sent: Wednesday, August 16, 2017 8:43 AM
To: 'Central Iowa Linux Users Group'
Subject: Re: [Cialug] {External} Re: Rhel 7 Selinux settings for Root user
Thanks for your suggestions. I wanted to make the situation a little clearer so I'm not using my phone to type the email.
The root user is part of the sysadm_u context, not unconfined_u; however, even if I add root to unconfined_u, the situation with running any local scripts fails. The problem isn't only with the yum command; that was just one example of many.
# semanage login -l
Login Name      SELinux User
__default__     unconfined_u
root            sysadm_u
system_u        system_u
What I did find out is that if I run the full path of the command, yum works.
# /usr/bin/python /bin/yum check-update
The situation is ONLY when logging on to the RHEL 7.3 server through a console as root; if I sudo up to root, or log in as a different user and su to root, the command "# yum check-update" works. If I'm logged in as root through the console and try to run commands that run scripts, I get errors like these.
# yum check-update
-bash: /bin/yum: /usr/bin/python: bad interpreter: Permission denied
Any ideas?
Thanks,
-----Original Message-----
From: Cialug [mailto:cialug-bounces at cialug.org] On Behalf Of Zachary Kotlarek
Sent: Tuesday, August 15, 2017 1:29 PM
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: {External} Re: [Cialug] Rhel 7 Selinux settings for Root user
On 15 Aug 2017, at 7:27, kslaugh19 wrote:
> In Rhel 7, we continue to receive permission denied when logged in as
> Root on a console with selinux enforced.
> If I run the yum command as Root, not sudoing as Root, I get a python
> error. If I run the same yum command but first call the program
> python, yum works. Any ideas on what sebool needs enabled so that root
> can run scripts or programs without having to call the program first?
> Setting selinux as permissive works but not an option.
> Any ideas?
> I've run the command setsebool and tried to locate any sebool setting
> and toggled quite a bit without any luck.
There are lots of fiddly bits that could be broken, but I’d start with the broadest possibilities:
What context do you have in the root shell (or whatever you’re launching `yum` from)? On RHEL the default for root is “unconfined_u”, which should allow almost anything. Use `id -Z` to see your current context or `semanage login -l` to list all user contexts.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
Another thing to check is the on-disk labels; context transitions for executables depend on accurate disk labeling, but the labels are dependent on the policy as compiled, so it’s possible for the disk to get out of sync with policy. There are utilities like `restorecon` and `fixfiles` for small-scale relabeling; the recommended procedure for global relabeling is to mark the filesystem and let it happen as part of the boot process:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-fsrelabel.html
Zach
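The two diagnostics suggested in this thread, Chris's grep of /var/log/audit/audit.log for denials and Zach's `semanage login -l` check of which SELinux user root maps to, both produce output that is easier to read once it is reduced to the fields that matter. The script below is an added example written for this page; it is not code from anyone in the thread. It assumes only POSIX sh and awk, and the audit records and semanage output it parses are constructed samples (the mapping mirrors what Kelly reported, the denials are illustrative and are not captures from the affected server). On a real RHEL 7 host it reads the live audit log and semanage output instead when run as root.

```shell
#!/bin/sh
# Added triage helper (not code from the thread): summarise AVC denials the way
# you would before feeding them to audit2allow, and resolve which SELinux user
# a Linux login maps to from `semanage login -l` output. POSIX sh + awk only,
# so it also runs offline against the constructed samples below.

# Constructed sample of /var/log/audit/audit.log, illustrative only (not records
# captured from the poster's server). Field layout follows the kernel AVC format.
SAMPLE_AUDIT='type=AVC msg=audit(1502894168.123:456): avc:  denied  { execute } for  pid=1234 comm="bash" name="python2.7" dev="dm-0" ino=100 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1502894168.123:456): arch=c000003e syscall=59 success=no exit=-13 comm="bash" exe="/usr/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1502894170.456:457): avc:  denied  { read } for  pid=1235 comm="yum" name="yum.conf" dev="dm-0" ino=101 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502894171.789:458): avc:  denied  { read } for  pid=1236 comm="yum" name="yum.conf" dev="dm-0" ino=101 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Constructed sample of `semanage login -l` output, matching the mapping the
# poster reported (root -> sysadm_u, everyone else -> unconfined_u).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# avc_summary: read audit records on stdin, print one line per distinct denial:
#   <count> <source type> <target type> <class> <permissions> <comm>
# A target type that does not belong where the file lives (e.g. user_home_t on
# a file that is not in a home directory) is the signature of the copied-file
# mislabel Chris describes; a denial against a sane label points at policy.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""; cm = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass")   c = kv[2]
            else if (kv[1] == "comm")     cm = kv[2]
        }
        gsub(/"/, "", cm)
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type[:range]
        n[sp[3] " " tp[3] " " c " " perm " " cm]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# login_seuser LOGIN: read `semanage login -l` output on stdin and print the
# SELinux user LOGIN maps to, falling back to __default__ as the system does.
# Caveat: %group records are not consulted (that needs the login's group list).
login_seuser() {
    awk -v login="$1" '
    NF >= 2 && $1 != "Login" { map[$1] = $2 }
    END {
        if (login in map) print map[login]
        else if ("__default__" in map) print map["__default__"]
        else exit 1
    }'
}

# Stand-alone run: use the live data when available, else the samples above.
if [ -r /var/log/audit/audit.log ]; then
    avc_summary < /var/log/audit/audit.log
else
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
fi
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    semanage login -l | login_seuser root
else
    printf '%s\n' "$SAMPLE_LOGINS" | login_seuser root
fi
```

Read the summary line by line: the source type tells you which domain the console login actually landed in (compare it with `id -Z` in that shell), and the target type tells you whether the denied object carries the label policy expects for its path. Before applying Chris's `restorecon -R -v /root`, `restorecon -Rvn /root` lists the files whose labels would change without touching them, which is the quickest way to confirm or rule out the copied-files theory.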