On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
Hello all
I'm new to SELinux. I'm trying to create per-user domains on a system running
Fedora 11 with the targeted policy enabled. The reason for that is that I need
to create transitions to different domains when users start the same
application.
I followed these steps:
- wrote my custom policy module (posted as attachment) in order to create new
roles user1_r, user2_r with the default domains user1_t and user2_t;
- added to the system the new SELinux users user1_u and user2_u;
- added to the system the new Linux users user1 and user2;
- associated user1 with user1_u and user2 with user2_u;
- labeled the home directories respectively with the types user1_home_t and
user2_home_t;
- created the two files user1_u and user2_u in
/etc/selinux/targeted/contexts/users.
Then I tried to connect locally to the ssh server from root to user1, but
it rejected the connection with these log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
If I put the system in permissive mode, the connection was successful, but the
security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
Any suggestions? Thanks in advance.
usermod.te (the interface is moved into the module's .if file so that it is
defined before the .te calls it; as posted, the interface definition followed
its two calls in the same file):

policy_module(usermod,1.0.0)

userdom_base_user_template(user1)
userdom_base_user_template(user2)

access_to_home(user1)
access_to_home(user2)

usermod.if:

## <summary>
##	Give a user domain created with userdom_base_user_template()
##	its own home directory type and read/write access to it.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user1 for user1_t).
##	</summary>
## </param>
interface(`access_to_home',`
	gen_require(`
		type home_root_t;
		type local_login_t, fs_t, proc_t, sshd_t;
	')

	# private home directory type for this user domain
	type $1_home_t;
	type_transition $1_t $1_home_t:{ file dir } $1_home_t;

	# login programs must be able to search the home directory
	allow local_login_t $1_home_t:dir search;
	allow sshd_t $1_home_t:dir search;

	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
	allow $1_t $1_home_t:file { read write create open getattr append };
	allow $1_t home_root_t:dir { search read open getattr };
	allow $1_home_t fs_t:filesystem associate;
	allow $1_t proc_t:file { read open };
')

usermod.fc:

/home/user1(/.*)?	gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)?	gen_context(user2_u:object_r:user2_home_t,s0)
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user1_u         user1      s0         s0               user1_r
user2_u         user2      s0         s0               user2_r
user4           user       s0         s0               user_r
user_u          user       s0         s0-s0:c0.c1023   user_r
xguest_u        user       s0         s0               xguest_r

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
test1           user_u          s0
user1           user1_u         s0
user2           user2_u         s0
user4           user_u          s0
oh,
and the userdom template you are using does not have all the permissions for a login user
I believe.
I would just base it on the current user_u policy so probably:
userdom_unpriv_user_template()
Also if you do not see avc denials try: semodule -DB / -B to show/hide silenced denials
Also keep an eye on messages for DBUS denials.
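An added offline check, not part of this thread, for one way "Unable to get valid context" can arise: pam_selinux only accepts a candidate from /etc/selinux/targeted/contexts/users/<seuser> if the policy lets that SELinux user take the candidate's role. The tables are transcribed from the semanage output above; the contexts/users file contents fed to it are constructed.

```python
"""Offline check for one cause of pam_selinux's "Unable to get valid context":
a candidate in /etc/selinux/targeted/contexts/users/<seuser> names a role the
SELinux user may not take, so the policy rejects it as a login context."""

# Constructed from the `semanage user -l` table above (wrapped rows joined).
SEMANAGE_USER_L = """\
user1_u      user1  s0  s0              user1_r
user2_u      user2  s0  s0              user2_r
user_u       user   s0  s0-s0:c0.c1023  user_r
unconfined_u user   s0  s0-s0:c0.c1023  system_r unconfined_r
"""
# Constructed from the `semanage login -l` table above.
SEMANAGE_LOGIN_L = """\
user1  user1_u  s0
user2  user2_u  s0
user4  user_u   s0
"""

def parse_seusers(text):
    """SELinux user -> set of roles (columns: seuser prefix level range roles...)."""
    rows = (line.split() for line in text.splitlines())
    return {cols[0]: set(cols[4:]) for cols in rows if len(cols) >= 5}

def parse_logins(text):
    """Linux login name -> SELinux user (columns: login seuser range)."""
    rows = (line.split() for line in text.splitlines())
    return {cols[0]: cols[1] for cols in rows if len(cols) >= 2}

def invalid_default_contexts(login, contexts_users_file, seusers, logins):
    """Candidates (role:type:level) in the contexts/users file whose role the
    SELinux user mapped to `login` is not allowed. Each file line is
    '<caller role:type:level> <candidate> ...'; an empty result means every
    candidate passes the role check (the MLS range check is not modelled)."""
    seuser = logins.get(login)
    if seuser not in seusers:
        raise ValueError(f"{login}: no login mapping or SELinux user undefined")
    bad = []
    for line in contexts_users_file.splitlines():
        for candidate in line.split()[1:]:
            if candidate.split(":")[0] not in seusers[seuser]:
                bad.append(candidate)
    return bad
```

Run it against the real `semanage user -l` / `semanage login -l` output and the actual contexts/users file for the failing login; any candidate it reports is one the policy will never hand to the session.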
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list