<br><br><div class="gmail_quote">On Thu, Jan 28, 2010 at 5:21 PM, Stephen Smalley <span dir="ltr"><<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, 2010-01-28 at 15:53 +0100, Leif Thuresson wrote:<br>
> Hi,<br>
> I have been experimenting with confined users in centos54 to create my<br>
> own staff and admin roles.<br>
> I have only been meddling with policies for services before so<br>
> creating user domains is<br>
> new territory for me.<br>
> For the test I used userdom_unpriv_user_template() and<br>
> userdom_admin_user_template()<br>
> interfaces to create the an unprivileged login role and an admin role.<br>
> The first test policy module looked like the one below but without the<br>
> call auth_run_chk_passwd()<br>
> interface.<br>
><br>
> In permissive mode I could login and verify with id -Z that I had the<br>
> correct login role and type.<br>
> I could use newrole to switch to the admin role and again verify that<br>
> I received the correct<br>
> role and type. I did not get any AVC denials when doing this.<br>
><br>
> Now when I switched to enforcing mode I could login to the login role<br>
> as before<br>
> but when I ran newrole to switch to the admin role, newrole said<br>
> 'incorrect password' and failed'<br>
> but still no AVC denials.<br>
> I traced newrole with strace and I could see that it failed trying to<br>
> open /etc/shadow<br>
><br>
> When comparing centos54 interface for newrole in selinuxutil.if with<br>
> corresponding<br>
> interface in fedora12 (where I got a similar test working) I saw that<br>
> the newrole interface in<br>
> fedora12 called interfaces in authlogin.if so I added similar calls<br>
> in my module<br>
> and then I got it working in enforcing mode too !<br>
> Although I think the newrole interface in centos54 is kind of useless<br>
> when it does not<br>
> handle the authentication permissions internally :-(<br>
><br>
> Now before I proceed with this project I would like to clear up my<br>
> understanding of<br>
> user domains so if anyone of you can answer these questions it would<br>
> be much appreciated.<br>
> The ultimate target environment for my project is a RedHat5 based<br>
> server farm.<br>
><br>
> - First of all is this the right way to do this kind of thing or am I<br>
> completely on the wrong track?<br>
> Is the user domain support mature enough in redhat5 to be used in a<br>
> production environment?<br>
> If not I guess I have to wait for redhat6.<br>
><br>
> - Does anyone know how the feature transfer from Fedora to RedHat<br>
> work?<br>
> How much of the selinux functionality existing in Fedora12 can we<br>
> expect to appear in<br>
> RedHat 6 when it arrives?<br>
><br>
> - A assume that the reason my first test failed in enforcing mode<br>
> without any AVC denials was<br>
> because of some hidden don't audit rules in the interfaces I called.<br>
> Is there some way to turn off don't audit rules globally to trace<br>
> these problems ?<br>
> (I tried semodule -DB although it is not listed as a valid option on<br>
> centos54 semodule man<br>
> page, but the only effect it had was that it got the<br>
> setroubleshootd constantly crashing)<br>
><br>
> Thanks,<br>
> /leif<br>
><br>
<br>
</div></div>Don't take this as an authoritative answer, as I don't speak for Red<br>
Hat. However:<br>
1) I was under the impression that user domains in RHEL5 only work if<br>
you switch to the -strict policy first, as RHEL5 preceded the merging of<br>
targeted and strict policies. If you can in fact set up confined user<br>
roles under -targeted in RHEL5, that would be a good thing, but I didn't<br>
think it worked.<br></blockquote><div>Well I can settle for only a users secondary role being confined but I not sure <br>if that work either. This is what I wanted to test.<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2) I'd expect RHEL6 SELinux support to be more-or-less identical to<br>
Fedora 12, possibly with some Fedora 13 bits included.<br>
3) setroubleshootd will typically shut down when it sees an audit<br>
message for itself to avoid an endless cycle, and semodule -DB can<br>
certainly cause that to happen. But you should still get audit data<br>
in /var/log/audit/audit.log and/or /var/log/messages that you can use.<br>
setroubleshootd is just a consumer of it. I didn't know though that<br>
RHEL5 supported semodule -DB; I thought you had to semodule<br>
-b /usr/share/selinux/targeted/enableaudit.pp instead and then semodule<br>
-b /usr/share/selinux/targeted/base.pp to revert (the old way before<br>
semodule -DB existed).<br>
<font color="#888888"><br></font></blockquote><div>It is not mentioned in the man page, but it accepted the options without complaints<br>and something apparently happened. Thanks for the explanation of the setroubleshootd <br>
behavior. I'll look a bit closer at the log messages and see if I can find the missing AVCs<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<font color="#888888">
--<br>
Stephen Smalley<br>
National Security Agency<br>
<br>
</font></blockquote></div><br>