
Tenable su+sudo and selinux


My Not-A-Sysadmin-Boss wants me to explain this, but I can't really find an answer. When using Tenable SC to scan a RHEL7 system, the account used to do the scan connects via ssh and then uses sudo to perform its checks. But when SELinux is enforcing, some checks cannot be performed; one such check does a `cat` of /etc/passwd but is denied when SELinux is enforcing. The workaround is to configure SC to use su+sudo for the connecting account. First SC makes an ssh connection with an unprivileged account, then does an `su` to a user with sudo rights that can run the checks, and now they work. So basically I am trying to understand why logging in directly with a sudo user to run certain checks fails with SELinux enforcing, but logging in and then doing an `su` to a sudo user works. Tenable's articles on this don't really cover the SELinux aspect.

Tom Yan:
Define `su+sudo`. Did you run `sudo su` then `cat /etc/passwd`, or just `su` then run `sudo cat /etc/passwd`? If you are referring to the latter, it's probably you that is silly, as you don't need sudo to be root when you are already root. If you are referring to the former, then it's probably SELinux that is silly / being pointless. It's at least reasonable that it considers sudo less safe than su, as sudo could allow privilege escalation without needing the root / any password at all. But if it only blocks some file reading with sudo yet not running su, then meh.
djdomi:
In that case you could run `su -c cmd`; you won't need to use `su sudo cmd`.
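As an added example (not code from the question or from Tenable's documentation): a small shell helper that pulls SELinux AVC denials for a given command out of audit-log lines and prints the source and target contexts, so the context of the scanner's sudo session can be compared between a direct-sudo login and an su+sudo login. The audit lines and the EXAMPLE_* contexts are constructed placeholders; on a real RHEL7 host, feed it the output of `ausearch -m AVC -ts recent` instead.

```shell
#!/bin/sh
# Report SELinux AVC denials for one command (e.g. the scanner's `cat` of
# /etc/passwd) as "source context -> target context (permission)", so the
# domain the denied process ran in can be compared across login modes.
# Constructed sample records stand in for `ausearch -m AVC` output; the
# EXAMPLE_* contexts are placeholders, not real policy identifiers.
SAMPLE_AUDIT='type=AVC msg=audit(1600000000.101:301): avc:  denied  { read } for  pid=4242 comm="cat" name="passwd" dev="dm-0" ino=1234 scontext=EXAMPLE_u:EXAMPLE_r:EXAMPLE_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.102:302): avc:  denied  { execute } for  pid=4243 comm="sudo" name="ls" scontext=EXAMPLE_u:EXAMPLE_r:EXAMPLE_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.103:303): avc:  granted  { read } for  pid=4244 comm="cat" name="passwd" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file'

# avc_denials_for CMD: read audit records on stdin and print one line per
# *denied* AVC whose comm matches CMD; granted records and other commands
# are skipped.
avc_denials_for() {
    cmd="$1"
    grep 'avc:  denied' | grep "comm=\"$cmd\"" | \
        sed -n 's/.*denied  { \(.*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\).*/\2 -> \3 (\1)/p'
}

# count_denials_for CMD: number of denied AVC records for CMD on stdin.
count_denials_for() {
    avc_denials_for "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: shows the context that was
# denied reading /etc/passwd.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for cat
```

Run it once in a session that logged in directly with the sudo account and once after `su` to that account; if the printed source context differs, the denial is about the SELinux domain the session was mapped into rather than about sudo itself.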