FC3 dump/restore
by Mike Carifio
If I dump an ext3 file system for backup, will the file security
attributes get saved?
Will they be restored by restore? Pl. advise. Thanks.
18 years, 9 months
Re: Changing Permissions
by Scot Elkington
Hi John-- this isn't really an SELinux issue, so I'm replying off-line.
If it helps, here's what I did for a similar setup in a fashion that makes
some use of the standard unix/linux DAC-based security system.
Your fat32 partition is being mounted by default with owner/group of root.
A solution for me was to change the group assigned to that partition, then
associate those users I wanted to allow access to the fat32 partition with
that group. By giving read/write/execute permissions to that group,
non-root users can access the partition.
So create a group for the people you wish to allow access to your windows
partition. For example, from the command line in fedora, type
system-config-users, or otherwise select 'Users and Groups' from the
'System Settings' menu. In the resulting window, click the 'Add Group'
button and create a name for your windows-users group (I named my group
"dos"). Now click the 'groups' tab and you should see your newly-created
group, along with the Group ID number of your group, a three-digit number
like '502'. Make a note of your new group ID number. (You can also find
the group ID by examining the file /etc/group.)
Now double-click your new group, and click on the 'Group Users' tab in the
new window. There will be a whole slew of system-specific users there;
find among them the usernames of those users you wish to allow access to
your windows partition and add them to the group by checking them off.
You can do the same thing by instead clicking the 'Users' tab in the main
window of the users/groups gui, double-clicking each user you wish to add,
and checking off the "DOS" group (or equivalent) in the 'Groups' tab of
the new window.
Now we need to make sure the partition gets mounted under the DOS group
each time at boot. As root, open the file /etc/fstab ('file system
table') for editing. You should see a list of 6 or so space-delimited
fields describing each partition you mount in your installation.
Identify your windows partition, which you can probably find from the
mount point in the second column or the filesystem type in the third
column ('vfat'). In the fourth column, make sure it reads
"defaults,gid=YOURGROUPID,umask=007", where YOURGROUPID is the group ID
number of the new group noted above.
On my system, for example, the appropriate line in /etc/fstab now looks
like
/dev/hda1 /win98 vfat defaults,gid=502,umask=007 0 0
This tells the system to mount the windows partition at /dev/hda1 under
the root directory /win98, assign it to the group 502 (my 'dos' group),
and set default permissions to 770: root gets read/write/execute
permissions, anyone in group DOS gets read/write/execute, and anyone not
explicitly in group DOS can neither see nor write to the windows
partition.
Now reboot. When Linux comes back up, type 'ls -l /' at the command line
and you should see the directory your windows partition is mounted under
listed something as follows:
drwxrwx--- 9 root dos 4096 Apr 1 13:21 win98
Hope those suggestions help. Let me know if you have any questions.
--scot
__________
Scot R. Elkington Voice: 303-735-0810
LASP, University of Colorado Fax: 303-492-6444
1234 Innovation Drive scot.elkington(a)lasp.colorado.edu
Boulder, CO 80303 http://lasp.colorado.edu/~elkingto
> Date: Sat, 19 Feb 2005 18:00:52 -0600
> From: "John Ramsbacher" <jbbacher(a)hotmail.com>
> Subject: Changing Permissions
> To: fedora-selinux-list(a)redhat.com
>
> I'm a N00b so be patient.
>
> I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32)
> and have mounted the windows partition from Fedora but find that I can only
> write to the windows partition if I'm logged in as root. How do I change
> the permissions to allow me to write to certain folders on the windows
> partition without compromising the security built into SELinux? Remember
> that I'm new to this so try to explain it step by step or point me to a web
> page that explains it step by step. Much Thanks. John
>
>
18 years, 9 months
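An added example, not part of the thread: a check for the /etc/fstab setup described in the reply above. It reads fstab-style text, finds FAT entries, and reports the group and directory mode that gid= and umask= (or dmask=) produce. The sample table is constructed except for the /win98 line quoted from the reply; the function and variable names are illustrative.

```python
import stat

# Constructed sample; only the /win98 entry comes from the reply above.
SAMPLE_FSTAB = """\
/dev/hda2 /       ext3 defaults                   1 1
/dev/hda1 /win98  vfat defaults,gid=502,umask=007 0 0
/dev/hdb1 /shared vfat defaults                   0 0
/dev/hdb2 /open   vfat defaults,gid=502,umask=000 0 0
"""

FAT_TYPES = {"vfat", "msdos"}

def parse_options(field):
    """Split a comma-separated fstab option field into a dict."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def audit_fat_mounts(fstab_text):
    """Return one finding per FAT entry: mount point, gid, directory mode, issues."""
    findings = []
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in FAT_TYPES:
            continue
        opts = parse_options(fields[3])
        issues = []
        gid = opts.get("gid")
        if gid is None:
            issues.append("no gid=: group is that of the mounting process")
        # dmask= applies to directories and takes precedence over umask=.
        mask = opts.get("dmask", opts.get("umask"))
        if mask is None:
            mode = None
            issues.append("no umask=/dmask=: mode depends on the mounting process's umask")
        else:
            bits = 0o777 & ~int(mask, 8)
            mode = stat.filemode(stat.S_IFDIR | bits)
            if bits & 0o007:
                issues.append("directories accessible to users outside the group")
        findings.append({"mount": fields[1], "gid": gid, "mode": mode, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_fat_mounts(SAMPLE_FSTAB):
        print(f["mount"], f["gid"], f["mode"], "; ".join(f["issues"]) or "ok")
```

For the /win98 entry this yields the same mode string as the 'ls -l /' output in the reply.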
load_policy in chroot question
by Bob Kashani
When I install the selinux-policy-targeted rpm in a chroot it seems that
load_policy is executed and loads the policy that's installed in the
chroot into the running kernel (I'm assuming via %post). Should
installing the selinux-policy-targeted rpm in a chroot allow this to
happen? What if you're installing a policy into the chroot that's
different than the one you have installed on your system? Is there a way
to not allow load_policy to execute in a chroot?
Here are the AVC messages I'm getting:
Jan 8 21:38:23 chaucer kernel: audit(1105249103.605:0): avc: granted { load_policy } for pid=4233 exe=/usr/sbin/load_policy scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jan 8 21:38:23 chaucer kernel: security: 3 users, 4 roles, 316 types, 20 bools
Jan 8 21:38:23 chaucer kernel: security: 53 classes, 7962 rules
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
18 years, 9 months
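An added example, not part of the thread: one way to pick policy-load events like the one in the post above out of kernel log lines, so that an unexpected reload (for instance one triggered by a package install in a chroot) shows up in review. The first two sample lines are from the post with the wrapping removed; the third is constructed, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

LOG_LINES = [
    # From the post above, with the wrapped record joined onto one line.
    "Jan 8 21:38:23 chaucer kernel: audit(1105249103.605:0): avc: granted "
    "{ load_policy } for pid=4233 exe=/usr/sbin/load_policy "
    "scontext=root:system_r:unconfined_t "
    "tcontext=system_u:object_r:security_t tclass=security",
    "Jan 8 21:38:23 chaucer kernel: security: 3 users, 4 roles, 316 types, 20 bools",
    # Constructed line: an unrelated denial that must not be reported.
    "Jan 8 21:40:02 chaucer kernel: audit(1105249202.101:0): avc: denied "
    "{ read } for pid=4301 exe=/bin/cat name=example "
    "scontext=root:system_r:unconfined_t "
    "tcontext=system_u:object_r:shadow_t tclass=file",
]

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:\d+\): avc:\s+(?P<result>granted|denied)\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other log lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # The audit() stamp is seconds since the epoch; report it in UTC.
    when = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    rec["time_utc"] = when.isoformat()
    return rec

def policy_loads(lines):
    """Return AVC records for load_policy on the 'security' class."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "security" and "load_policy" in rec["perms"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in policy_loads(LOG_LINES):
        print(rec["time_utc"], rec["result"], rec["exe"], rec["scontext"])
```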
Changing Permissions
by John Ramsbacher
I'm a N00b so be patient.
I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32)
and have mounted the windows partition from Fedora but find that I can only
write to the windows partition if I'm logged in as root. How do I change
the permissions to allow me to write to certain folders on the windows
partition without compromising the security built into SELinux? Remember
that I'm new to this so try to explain it step by step or point me to a web
page that explains it step by step. Much Thanks. John
18 years, 9 months
Permissions for new users
by Richard Jensen
Hi. I'm wondering about the permissions new users get
when they are created. Before SELinux I had to add users
to 'wheel' to enable them to su to root.
I did an adduser and it seems to be unrestricted:
[testse@lankhmar ~]$ id -Z
user_u:system_r:unconfined_t
and the user is able to su to root. Is this normal?
How would I keep the user from being able to su?
I added:
user testse roles { user_r };
to /etc/selinux/targeted/src/policy/users
and did: make load
This didn't seem to make any difference.
This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75
[root@lankhmar ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted
I'm not sure if this is clear, or enough information.
I tried searching the archives but didn't find anything.
[I may be searching incorrectly].
Thanks,
Richard.
18 years, 9 months
New user/role transition error
by Steve Brueckner
I'm trying to add a new role and test it by adding a user with access to
that role. I can su to the new user, but then when I try to newrole I get
"... is not a valid context". Here are my steps so far; I'm starting from
the default strict policy:
#useradd engineer
Added the following to .../strict/src/policy/users
user engineer roles { user_r developer_r };
Added the following to .../strict/src/policy/domains/user.te
full_user_role(developer)
allow system_r developer_r
allow sysadm_r developer_r
allow user_r developer_r
allow staff_r developer_r
Added the following into in_user_role macro in
.../strict/src/policy/macros/user_macros.te
role developer_r types $1;
Added the following to .../strict/src/policy/appconfig/default_type
developer_r:user_t
#make load
steve$ id -Z
user_u:user_r:user_t
steve$ su engineer
engineer$ id -Z
engineer:user_r:user_t
engineer$ newrole -r developer_r
engineer:developer_r:user_t is not a valid context
Any ideas what I've neglected in setting this up? Thanks!
18 years, 9 months
file_contexts.homedirs: line 1408 ???? Missing LF?
by Tom London
Running targeted, latest Rawhide.
After installing today's updates, 'restorecon -v -R /etc' produces:
[root@tlondon ~]# restorecon -v -R /etc
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line
1408 is too long, would be truncated, skipping
but file_contexts.homedirs has only 22 lines.
(file_contexts has 1385 lines; 1385+22=1407...?)
Looks like file_contexts.homedirs is missing trailing LF.
tom
--
Tom London
18 years, 9 months
Fedora Core 2: initrd failed to mount ext3 root fs.
by KokHow Teh
Hi list;
I just installed Fedora Core 2 in the last 2 days. The binaries from the
installation CDs work fine: I had no problem installing the full system
and booting up the machine (i686 P4). However, when I build the kernel from
the source with the default configuration for arch/i386, booting up the
machine failed due to initrd failing to mount the ext3 root file system. It
failed when linuxrc was trying to mount the root fs with pivot_root(). Any
insight is appreciated.
Thanks.
Regards,
TEH
18 years, 9 months