My Not-A-Sysadmin-Boss wants me to explain this, but I can't really find an answer. When using Tenable SC to scan a RHEL7 system, the account used to do the scan connects via ssh, then uses sudo to perform its checks. But when SELinux is enforcing, some checks cannot be performed; one such check does a `cat` of `/etc/passwd` but is denied when SELinux is enforcing. The workaround is to configure SC to use su+sudo for the connecting account. First SC makes an ssh connection with an unprivileged account, then does an `su` to a user with sudo rights that can run the checks, and now they work. So basically I am trying to understand why logging in directly with a sudo user to run certain checks fails with SELinux enforcing, but logging in and then doing an `su` to a sudo user works. Tenable's articles on this don't really cover the SELinux aspect.
Viewed 361 times
0
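The question asks why the same `cat /etc/passwd` succeeds by one login path and is denied by the other. The first thing to check is the audit log: every enforcing-mode denial leaves an AVC record that names the source domain the process was running in and the label of the file it touched, so comparing the records from the two login paths shows which domain each path lands the scanner's process in. The script below is an added example, not code from the thread or from Tenable. It parses constructed AVC records; the source type `placeholder_scanner_t` is a stand-in, since the thread does not say which domain the scanner's process ended up in.

```shell
#!/bin/sh
# Added example: pull the decision-relevant fields out of SELinux AVC records.
# The audit lines below are CONSTRUCTED for this example; "placeholder_scanner_t"
# is a stand-in source domain, not a real RHEL 7 type. passwd_file_t is the
# standard label of /etc/passwd.
SAMPLE_AUDIT='type=AVC msg=audit(1631425000.123:456): avc:  denied  { read } for  pid=1234 comm="cat" name="passwd" dev="dm-0" ino=12345 scontext=system_u:system_r:placeholder_scanner_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631425010.456:457): avc:  granted  { read } for  pid=1240 comm="cat" name="passwd" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0'

# parse_avc: read audit records on stdin and emit one line per *denied* AVC:
#   <comm> <permission(s)> <source type> <target type> <object class>
# Granted records (seen when auditallow rules fire) are skipped.
parse_avc() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
            # the permission set sits between "{ " and " }"
            if (match($0, /\{ [^}]* \}/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                # a context is user:role:type:level; the type decides the policy
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            print comm, perm, stype, ttype, tclass
        }'
}

# parse_avc_sample: run the parser over the constructed records above.
parse_avc_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | parse_avc
}

# Stand-alone use: print the denial summary for the constructed sample.
parse_avc_sample
```

On a real RHEL 7 host the input would come from the audit daemon rather than a constant, for example `ausearch -m AVC -ts recent | parse_avc`, run once after a scan over the failing ssh+sudo path and once after the working ssh+su+sudo path. If the source type differs between the two runs, the login path is putting the scanner's process into a different SELinux domain, and that domain's policy, not the Unix account or its sudo rights, is what decides the read of `/etc/passwd`.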
-
Define `su+sudo`. Did you run `sudo su` then `cat /etc/passwd`, or just `su` then run `sudo cat /etc/passwd`? If you are referring to the latter, it's probably you that is silly, as you don't need sudo to be root when you are already root. If you are referring to the former, then it's probably SELinux that is silly / being pointless. It's at least reasonable that it considers sudo less safe than su, as sudo could allow privilege escalation without needing the root / any password at all. But if it only blocks some file reading with sudo yet not running su, then meh. – Tom Yan Sep 12 '21 at 05:37
-
In that case you could run `su -c cmd`; you won't need to use `su sudo cmd`. – djdomi Sep 12 '21 at 16:01