Russell,
Thanks, I managed to figure that out from the "Getting Started with SELinux HOWTO" from the adding a user section. For a standalone system, I can see how this is no big deal. Every time I add a user, I add the user to the /etc/selinux/users file. But suppose I have 100 machines, I would need to add it to 100 systems. This is why I use NIS to manage my password and shadow files. I suppose one homegrown solution would be to put /etc/selinux/users into an NIS map (users.byname) and periodically (every half-hour perhaps) have a cron job perform a ypcat users.byname > /etc/selinux/users. Is there a standard map one could use or a PAM module that's aware of such needs?
Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a standard mechanism for putting this information into its databases? And if not, should there be one?
Perhaps my problem is simpler to solve than this. All I really need is the user ID of the person who logged in to the system. This identifies whose account was used to perpetrate the illegal access. Could the user ID number and user name be added to the log messages when violations occur? The id command seems to have the information it needs, perhaps the SELinux logger does too? Otherwise, I'd need to do something like I mention above. I'm not really interested in whether the context has the user name. That was just a way of using what seemed to be a built-in capability if I had set things up right. I have no real problem with users running around as user_u:user_r:user_t in the system. I just need to know which user to start talking to when I see they are poking around the system.
Daniel J. Levine Section Supervisor Johns Hopkins University Applied Physics Laboratory 443-778-3952 240-228-3952
-----Original Message----- From: Russell Coker [mailto:russell@coker.com.au] Sent: Thursday, June 10, 2004 2:10 AM To: fedora-selinux-list@redhat.com Cc: Levine, Daniel J. Subject: Re: Getting the user ID in log messages...
On Thu, 10 Jun 2004 01:02, "Levine, Daniel J." Daniel.Levine@jhuapl.edu wrote:
Explanation of log file messages) the example shows the following scontext:
scontext: faye:user_r:user_t
This is great, as I would know to contact the user faye and ask about the situation. But on my Fedora Core 2 machine, my /var/log/messages
produces:
scontext: user_u:user_r:user_t
In your users file in the SE Linux policy you need the following: user dan roles user_r;
Then run "make load".
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." Daniel.Levine@jhuapl.edu wrote:
Thanks, I managed to figure that out from the "Getting Started with SELinux HOWTO" from the adding a user section. For a standalone system, I can see how this is no big deal. Every time I add a user, I add the user to the /etc/selinux/users file. But suppose I have 100 machines, I would need to add it to 100 systems. This is why I use NIS to manage my password and shadow files. I suppose one homegrown solution would be to put /etc/selinux/users into an NIS map (users.byname) and periodically (every half-hour perhaps) have a cron job perform a ypcat users.byname > /etc/selinux/users. Is there a standard map one could use or a PAM module that's aware of such needs?
There is no standard way of doing this. Maybe you will set the standard if you do it first! ;)
Having a cron job automatically generate and load a SE Linux policy has its own issues as well.
Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a standard mechanism for putting this information into its databases? And if not, should there be one?
Probably there should. But we'll need to get an OID assigned for this.
Perhaps my problem is simpler to solve than this. All I really need is the user ID of the person who logged in to the system. This identifies whose account was used to perpetrate the illegal access. Could the user ID number and user name be added to the log messages when violations occur?
At the moment no. Maybe this is something for the audit facility rather than SE Linux kernel code.
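As an added illustration of the homegrown NIS-to-policy sync proposed above and of Russell's caveat about blindly reloading policy from cron, this script (not from the thread or from any SE Linux package) turns a passwd-style map into "user NAME roles user_r;" declarations and only replaces the users file when the generated set actually changed, so "make load" runs only when needed. The map contents, the uid cutoff of 500 and the file locations are constructed assumptions; the real job would feed it "ypcat passwd" and write /etc/selinux/users.

```shell
#!/bin/sh
# Added example: regenerate SE Linux policy user declarations from a
# passwd-style NIS map, and signal whether a policy reload is required.

# gen_users: read passwd lines on stdin, emit one policy line per login
# user. Accounts below uid 500 (root, daemons) are skipped because they
# are covered by system_u and the existing root entry; names that are
# not plain identifiers are skipped so they cannot break policy syntax.
gen_users() {
    awk -F: '$3 >= 500 && $1 ~ /^[a-z_][a-z0-9_-]*$/ {
        printf "user %s roles user_r;\n", $1
    }'
}

# sync_users MAPFILE USERSFILE: rewrite USERSFILE from MAPFILE.
# Returns 0 when the file changed (caller should then run "make load"
# in the policy source tree), 1 when it is unchanged, 2 on error.
sync_users() {
    map=$1; dest=$2
    tmp=$(mktemp) || return 2
    gen_users < "$map" > "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
    return 0
}

# Constructed sample map standing in for "ypcat passwd" output.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
faye:x:1001:1001:Faye:/home/faye:/bin/bash
dan:x:1002:1002:Dan:/home/dan:/bin/bash
bad name:x:1003:1003:oops:/home/x:/bin/sh
EOF

# Constructed stand-in for /etc/selinux/users.
USERS_FILE=$(mktemp)
if sync_users "$SAMPLE_MAP" "$USERS_FILE"; then
    echo "users file changed; a policy reload (make load) is needed"
fi
cat "$USERS_FILE"
```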
On Thu, 2004-06-10 at 08:17, Levine, Daniel J. wrote:
Perhaps my problem is simpler to solve than this. All I really need is the user ID of the person who logged in to the system. This identifies whose account was used to perpetrate the illegal access. Could the user ID number and user name be added to the log messages when violations occur?
That is something which is best handled by the audit framework. Boot with audit=1. The audit framework already includes support for setting a login uid; someone just needs to patch login and friends to use it.