(2010/04/08 16:52), Dominick Grift wrote:
On Thu, Apr 08, 2010 at 09:24:28AM +0900, KaiGai Kohei wrote:
> I'm trying to set up a certain user to login with non-traditional
> selinux roles (such as dbadm_u), but it does not work well.
> Am I missing something?
Webadm_r is a secondary privileged user domain not a login user domain.
Thus you can only access it via a login user domain that is allowed to
role transition to webadm_r:
Ahh, indeed, webadm uses userdom_base_user_template() template.
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r webadm_r
system_r unconfined_r sysadm_r" -P user staff_u
useradd -Z staff_u joe
echo joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL">> /etc/sudoers
passwd joe
< ..login as joe...>
sudo service httpd restart
sudo -s
There are some fundamental differences between dbadm and webadm.
The dbadm is a login user domain and webadm is not.
staff_r is not allowed to transition to dbadm_r currently
Hmm. it seems to me I misunderstood direction of the design for
*adm roles. I also think the suggested one is better than that
'joe' always performs in webadm_r role.
So, I'll try to revise the policy of dbadm role.
> [root@saba ~]# rpm -q selinux-policy
> selinux-policy-3.7.15-4.fc13.noarch
>
> [root@saba ~]# semanage user -a -R webadm_r webadm_u
> [root@saba ~]# semanage user -l
>
> Labeling MLS/ MLS/
> SELinux User Prefix MCS Level MCS Range SELinux Roles
>
> guest_u user s0 s0 guest_r
> root user s0 s0-s0:c0.c1023 staff_r sysadm_r
system_r unconfined_r
> staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r
system_r unconfined_r
> sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
> system_u user s0 s0-s0:c0.c1023 system_r
unconfined_r
> unconfined_u user s0 s0-s0:c0.c1023 system_r
unconfined_r
> user_u user s0 s0 user_r
> webadm_u user s0 s0 webadm_r
> xguest_u user s0 s0 xguest_r
>
> [root@saba ~]# semanage login -a -s webadm_u ymj
> [root@saba ~]# semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ unconfined_u s0-s0:c0.c1023
> root unconfined_u s0-s0:c0.c1023
> system_u system_u s0-s0:c0.c1023
> ymj webadm_u s0
>
> [root@saba ~]# cd /etc/selinux/targeted/contexts/users/
> [root@saba users]# cat user_u | sed 's/user_/webadm_/g'> webadm_u
> [root@saba users]# cat webadm_u
> system_r:local_login_t:s0 webadm_r:webadm_t:s0
> system_r:remote_login_t:s0 webadm_r:webadm_t:s0
> system_r:sshd_t:s0 webadm_r:webadm_t:s0
> system_r:crond_t:s0 webadm_r:webadm_t:s0
> system_r:xdm_t:s0 webadm_r:webadm_t:s0
> webadm_r:webadm_su_t:s0 webadm_r:webadm_t:s0
> webadm_r:webadm_sudo_t:s0 webadm_r:webadm_t:s0
> system_r:initrc_su_t:s0 webadm_r:webadm_t:s0
> webadm_r:webadm_t:s0 webadm_r:webadm_t:s0
>
> [root@saba users]# ssh ymj@localhost
> ymj@localhost's password:
> Last login: Thu Apr 8 09:12:43 2010 from localhost
> Connection to localhost closed.
>
> [root@saba users]# setenforce 0
> [root@saba users]# ssh ymj@localhost
> ymj@localhost's password:
> Last login: Thu Apr 8 09:12:56 2010 from localhost
> [ymj@saba ~]$ id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
>
> With "semanage -BD", I could find the following avc denial audit logs
> during above command execution, but it does not seem to me these
> violations prevent ymj's login directly.
>
> type=AVC msg=audit(1270685681.731:24535): avc: denied { rlimitinh } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.731:24535): avc: denied { siginh } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.731:24535): avc: denied { noatsecure } for pid=17257
comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.748:24537): avc: denied { rlimitinh } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.748:24537): avc: denied { siginh } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.748:24537): avc: denied { noatsecure } for pid=17259
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.770:24544): avc: denied { siginh } for pid=17262
comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.770:24544): avc: denied { noatsecure } for pid=17262
comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1270685681.925:24545): avc: denied { write } for pid=17259
comm="setroubleshootd" name="rpm" dev=sda3 ino=180226
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1270685681.926:24546): avc: denied { write } for pid=17259
comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
>
> I guess pam_selinux.so kills the connection due to lack of something to be
> configured in enforcing mode.
>
> Do you have any suggestion?
> --
> KaiGai Kohei<kaigai(a)ak.jp.nec.com>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>