On Thu, Apr 08, 2010 at 09:24:28AM +0900, KaiGai Kohei wrote:
I'm trying to set up a certain user to log in with
non-traditional
SELinux roles (such as dbadm_u), but it does not work well.
Am I missing something?
webadm_r is a secondary privileged user domain, not a login user domain.
Thus you can only reach it from a login user domain that is allowed to role-transition to
webadm_r:
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r webadm_r system_r unconfined_r
sysadm_r" -P user staff_u
useradd -Z staff_u joe
echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers
passwd joe
< ..login as joe...>
sudo service httpd restart
sudo -s
There are some fundamental differences between dbadm and webadm:
dbadm is a login user domain and webadm is not.
Currently staff_r is not allowed to transition to dbadm_r.
[root@saba ~]# rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch
[root@saba ~]# semanage user -a -R webadm_r webadm_u
[root@saba ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r
system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r
system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r
unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r
unconfined_r
user_u user s0 s0 user_r
webadm_u user s0 s0 webadm_r
xguest_u user s0 s0 xguest_r
[root@saba ~]# semanage login -a -s webadm_u ymj
[root@saba ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
ymj webadm_u s0
[root@saba ~]# cd /etc/selinux/targeted/contexts/users/
[root@saba users]# cat user_u | sed 's/user_/webadm_/g' > webadm_u
[root@saba users]# cat webadm_u
system_r:local_login_t:s0 webadm_r:webadm_t:s0
system_r:remote_login_t:s0 webadm_r:webadm_t:s0
system_r:sshd_t:s0 webadm_r:webadm_t:s0
system_r:crond_t:s0 webadm_r:webadm_t:s0
system_r:xdm_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_sudo_t:s0 webadm_r:webadm_t:s0
system_r:initrc_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_t:s0 webadm_r:webadm_t:s0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:43 2010 from localhost
Connection to localhost closed.
[root@saba users]# setenforce 0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:56 2010 from localhost
[ymj@saba ~]$ id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023
With "semanage -BD" (dontaudit rules disabled), I found the following AVC denials in the audit log
while running the commands above, but these denials do not seem to me to be what
prevents ymj's login directly.
type=AVC msg=audit(1270685681.731:24535): avc: denied { rlimitinh } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { siginh } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { noatsecure } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { rlimitinh } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { siginh } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { noatsecure } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { siginh } for pid=17262
comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { noatsecure } for pid=17262
comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.925:24545): avc: denied { write } for pid=17259
comm="setroubleshootd" name="rpm" dev=sda3 ino=180226
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1270685681.926:24546): avc: denied { write } for pid=17259
comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
I guess pam_selinux.so closes the connection because something required in enforcing mode
has not been configured.
Do you have any suggestion?
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>