Dominick Grift wrote:
On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
Hi All,
Thanks for replying to me. These are the audit messages I am getting from /var/log/audit/audit.log.
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Thanks,
Prakash
The issue is that RHEL5 targeted policy is not designed to target user domains.
The avc denials that you provided do not give me a clue about what is stopping this from working.
It may well be that the denials responsible are hidden.
You can expose hidden denials using:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
To restore the defaults you would execute:
# semodule -b /usr/share/selinux/targeted/base.pp
After you have exposed the hidden avc denials you may be presented with more clues in audit.log as to what is stopping functionality.
But again, the big issue here is that RHEL5 targeted policy is not designed to target users.
This functionality does work in Fedora 9 and up.
hth, Dominick
On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I am using CentOS-5 x86_64. I have followed the steps you sent, but I am still getting the same user login problem. I am not able to log the user in to the system properly.
These are the steps I have followed.
1. Create a source policy module:
#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);
2. Build the source policy module:
#make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
#semodule -i prakash.pp
4. Create default contexts for prakash:
#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:local_login_t:s0	prakash_r:prakash_t:s0
system_r:remote_login_t:s0	prakash_r:prakash_t:s0
system_r:sshd_t:s0	prakash_r:prakash_t:s0
system_r:crond_t:s0	prakash_r:prakash_t:s0
system_r:xdm_t:s0	prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0	prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0	prakash_r:prakash_t:s0
system_r:initrc_su_t:s0	prakash_r:prakash_t:s0
prakash_r:prakash_t:s0	prakash_r:prakash_t:s0
- Create a SELinux user mapping for prakash:
#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
- Add a new user user1 mapped to prakash:
#useradd -Z prakash user1
- When I try to log in to the system, I get a permission denied message:
gtt login: user1
password: XXXXXX
-bash: /home/user1/.bash_profile: Permission denied
-bash-3.1$ id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t
I tried one more user and also got the same problem. I am not sure what mistakes I made; please help me with what I have to do.
Thanks, Prakash, k, h.
On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I have created a 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt. I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I should do.
Thanks, Prakash.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Which OS and version?
Depending on the policy you might need to relabel the homedir to get the labels correct.
restorecon -R -v /home
Please attach the AVC messages from /var/log/audit/audit.log.
Yes, if you want to write targeted user protection in RHEL5 you need to use the strict or MLS policy, not targeted.
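Added example (not code from the thread or from any of its participants): a small parser that groups the AVC records quoted above by audit serial and separates the domain-transition inheritance checks (noatsecure, siginh, rlimitinh on class process, which do not fail the execve and which refpolicy's domtrans_pattern normally dontaudits) from denials worth chasing. The sample input embeds three AVC lines and one SYSCALL line taken from the log above, plus one constructed, hypothetical denial of the sort `enableaudit.pp` might expose for the `.bash_profile` failure; the serial, inode and `user_home_t` label in that line are assumptions, not anything the thread shows.

```python
"""Triage SELinux AVC denials from an audit.log excerpt (added example)."""
import re
from collections import defaultdict

# Constructed sample: records 255 and 263 are copied from the thread above; the
# record with serial 265 is hypothetical and only illustrates what an
# actionable denial for ~/.bash_profile could look like (labels are assumed).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820254.100:265): avc: denied { read } for pid=4296 comm="bash" name=".bash_profile" dev=sda2 ino=131074 scontext=prakash:prakash_r:prakash_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions checked on every domain transition. A denial here does not fail
# the exec: the kernel resets rlimits, flushes pending signals or sets
# AT_SECURE instead, which is why the SYSCALL record still says success=yes.
TRANSITION_NOISE = frozenset({"noatsecure", "siginh", "rlimitinh"})


def parse_avc(log_text):
    """Return one dict per AVC record, in file order; other record types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        ev = {
            "ts": float(m.group("ts")),
            "serial": m.group("serial"),
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
        }
        for key, val in FIELD_RE.findall(m.group("rest")):
            ev[key] = val.strip('"')
        events.append(ev)
    return events


def classify(ev):
    """'granted', 'transition-noise' (inheritance checks on a process) or 'actionable'."""
    if ev["verdict"] != "denied":
        return "granted"
    if ev.get("tclass") == "process" and ev["perms"] <= TRANSITION_NOISE:
        return "transition-noise"
    return "actionable"


def triage(log_text):
    """Group AVC records by classification and by audit serial."""
    by_class = defaultdict(list)
    by_serial = defaultdict(list)
    for ev in parse_avc(log_text):
        by_class[classify(ev)].append(ev)
        by_serial[ev["serial"]].append(ev)
    return {"by_class": dict(by_class), "by_serial": dict(by_serial)}


def type_of(context):
    """Type component (third field) of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(ev):
    """One-line view: comm: source_type -> target_type:class { perms }."""
    src = type_of(ev.get("scontext", "?"))
    tgt = type_of(ev.get("tcontext", "?"))
    perms = " ".join(sorted(ev["perms"]))
    return f'{ev.get("comm", "?")}: {src} -> {tgt}:{ev.get("tclass", "?")} {{ {perms} }}'


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG)
    for cls in ("actionable", "transition-noise", "granted"):
        for ev in result["by_class"].get(cls, []):
            print(f"[{cls}] serial={ev['serial']} {summarize(ev)}")
```

Run it against a real excerpt by replacing `SAMPLE_AUDIT_LOG` with the output of `grep ^type=AVC /var/log/audit/audit.log`. On the records the thread quotes, everything lands in the `transition-noise` bucket, which is the same conclusion Dominick reaches by eye; after installing `enableaudit.pp`, the denial that actually blocks `.bash_profile` should show up in the `actionable` bucket with a file class and the offending target label.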