Problem creating user in loadable module

Dominick Grift dominick.grift at gmail.com
Wed Nov 14 18:53:08 UTC 2012



On Wed, 2012-11-14 at 10:25 -0800, Andy Ruch wrote:
> Hello,
> 
> I'm trying to write a module for my custom service that will execute as a separate user. However, I'm having problems creating an SELinux user in the module. When I call make, I get a syntax error. Below is a simple module that reproduces the problem.
> 
> Everything compiles when I comment out the 'allow' line. I can install the module and see my user in semanage. Everything also compiles when I comment out the 'gen_user' line. It only fails when there is something after the 'gen_user'. 
> 
> Can someone tell me the proper syntax for creating a user in a module?
> 

You do not need to create a selinux user for that I believe.

This is a system user. It does not have a login shell.

Regardless of the above, I will show you below how to create new confined
users.

I will touch on two login users: an unprivileged login user and a
restricted login user.

The unprivileged login user can login via both the GUI as well as, for
example, SSH.

The restricted login user is designed to only be able to login via SSH.


Simple unpriv login user example:

> policy_module(myunprivloginuser, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> 
> role myunprivloginuser_r;
> 
> userdom_unpriv_user_template(myunprivloginuser)


Simple restricted login user example:


> policy_module(myrestrictedloginuser, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> 
> role myrestrictedloginuser_r;
> 
> userdom_restricted_user_template(myrestrictedloginuser)

For both users you may need to create a corresponding .fc source policy
file with just a simple comment in it:

> # no file contexts for this module

For both modules you will also need to take care of default contexts.
That involves creating a file in /etc/selinux/targeted/context/users
that has the same file name as the selinux user name (example:
myrestrictedloginuser_u).

The contents can be taken from the other default context files that you
can find in that location; all you need to do is change the content to
reflect your user.

And you need to add a user mapping (example):

semanage user -a -L s0 -r s0-s0 -R "myrestrictedloginuser_r" -P user myrestrictedloginuser_u


But again, this is not required for your system service (system users). It
is only required for real users.

> 
> ******** BEGIN MODULE  ********
> 
> module mytest 1.0;
> 
> require {
>     sensitivity s0;
>     class file { read };
> }
> 
> type mytest_t;
> 
> role mytest_r types { mytest_t };
> gen_user( mytest_u, user, mytest_r, s0, s0 )
> 
> allow mytest_t self:file read;
> 
> ******** END MODULE ********
> 
> 
> Thanks,
> Andrew Ruch             
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
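The steps Dominick lists above (the .te and .fc sources, the default-contexts file named after the SELinux user, and the `semanage user` mapping) collected into one POSIX shell function, as an added example that is not part of the thread. It writes everything into a staging directory rather than into /etc/selinux, so the result can be reviewed and the .te compiled with the policy devel Makefile before anything is installed. Assumed rather than taken from the thread: the function name stage_confined_user, the staging layout, and the shape of the default-contexts file (one source context and one default context per line, modelled on the user_u and guest_u files shipped with the targeted policy, with xdm_t present only for the unprivileged user because the restricted user is meant to log in over SSH only).

```shell
#!/bin/sh
# Added example (not from the thread): stage the pieces needed for a new
# confined login user. Nothing is installed; every file lands under a
# staging directory so it can be reviewed first.
#
# stage_confined_user NAME KIND OUTDIR
#   NAME    module/prefix name, e.g. myrestrictedloginuser
#           (the SELinux user becomes NAME_u, the role NAME_r)
#   KIND    "unpriv" (GUI and SSH logins) or "restricted" (SSH only);
#           selects the refpolicy template used in the .te file
#   OUTDIR  staging directory, created if missing
# Prints the semanage user mapping command for NAME_u on stdout.
stage_confined_user() {
    name=$1
    kind=$2
    out=$3

    # The login sources that get a default context are an assumption
    # modelled on the targeted policy's user_u / guest_u files.
    case "$kind" in
        unpriv)
            tmpl=userdom_unpriv_user_template
            sources="local_login_t remote_login_t sshd_t crond_t xdm_t" ;;
        restricted)
            tmpl=userdom_restricted_user_template
            sources="local_login_t remote_login_t sshd_t crond_t" ;;
        *)
            echo "unknown kind: $kind (use unpriv or restricted)" >&2
            return 1 ;;
    esac

    mkdir -p "$out/contexts/users" || return 1

    # 1. Type enforcement source: declare the role first, then let the
    #    template create NAME_t and attach it to NAME_r.
    cat > "$out/$name.te" <<EOF
policy_module($name, 1.0.0)

########################################
#
# Declarations
#

role ${name}_r;

$tmpl($name)
EOF

    # 2. File contexts source: the build expects the file to exist even
    #    when the module labels no files of its own.
    printf '# no file contexts for this module\n' > "$out/$name.fc"

    # 3. Default contexts for NAME_u: "source context <tab> default context",
    #    one line per login path. Only the right-hand side is specific to
    #    the new user: its role and its domain.
    dc="$out/contexts/users/${name}_u"
    : > "$dc"
    for src in $sources; do
        printf 'system_r:%s:s0\t%s_r:%s_t:s0\n' "$src" "$name" "$name" >> "$dc"
    done

    # 4. The mapping command from the thread, parameterised on NAME.
    printf 'semanage user -a -L s0 -r s0-s0 -R "%s_r" -P user %s_u\n' "$name" "$name"
}

# Usage: stage the restricted user from the thread into ./stage, then
# build ./stage/myrestrictedloginuser.te with the policy devel Makefile
# and copy contexts/users/myrestrictedloginuser_u into place by hand.
# stage_confined_user myrestrictedloginuser restricted ./stage
```

Keeping the mapping command as output instead of running it means the function can be run by an unprivileged user on a build host; the only privileged steps left are installing the compiled module, copying the default-contexts file, and running the printed `semanage user` line.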