Hi...
Now I am trying to configure RBAC using the MLS (Multilevel Security) policy on Fedora 8, because I have read Dan Walsh's journal, where he said the MLS policy is more useful for RBAC: http://danwalsh.livejournal.com/?skip=40 (Using RBAC In FC5/MLS Policy).
So I am using the MLS policy for RBAC. I have installed the MLS packages and switched from the targeted policy to the mls policy. Then I configured the roles for users, but I couldn't set the roles, because when I set them it displays the error message below.
Steps to reproduce:
1) Adding the SELinux audit user using the semanage command.
# semanage user -a -R staff_r -R auditadm_r -P staff audit_u
2) Here I am checking the SELinux users.
[root@turtle2 ~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

audit_u         staff      SystemLow  SystemLow                       staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh  system_r
user_u          user       SystemLow  SystemLow                       system_r user_r
[root@turtle2 ~]#
3) Now I am mapping the Linux user to the SELinux user; when I set the SELinux user it throws the following error message.
[root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
/usr/sbin/semanage: Could not add login mapping for prakash
[root@turtle2 ~]#
4) I am using the sysadm_r role as root; the information is as follows:
[root@turtle2 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
[root@turtle2 ~]#
5) These are the audit log messages I am getting using the ausearch command.
[root@turtle2 ~]# ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
I don't know why it is throwing this error. I have searched Google but couldn't find anything.
Please help me; what should I do?
Thanks, Prakash
On Sun, 2008-06-15 at 22:06 +0530, prakash hallalli wrote:
> Hi...
> Now I am trying to configure RBAC using the MLS (Multilevel Security) policy on Fedora 8, because I have read Dan Walsh's journal, where he said the MLS policy is more useful for RBAC.

Again, to clarify, you don't have to use MLS policy if all you want is roles. And Fedora 9 is the latest release of Fedora.

> http://danwalsh.livejournal.com/?skip=40 Using RBAC In FC5/MLS Policy
> So I am using the MLS policy for RBAC. I have installed the MLS packages and switched from the targeted policy to the mls policy. Then I configured the roles for users, but I couldn't set the roles, because when I set them it displays the error message below.
> Steps to reproduce:
> - Adding the SELinux audit user using the semanage command.
> # semanage user -a -R staff_r -R auditadm_r -P staff audit_u
> - Here I am checking the SELinux users.
> [root@turtle2 ~]# semanage user -l
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles
>
> audit_u         staff      SystemLow  SystemLow                       staff_r auditadm_r
> root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
> staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
> sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
> system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh  system_r
> user_u          user       SystemLow  SystemLow                       system_r user_r
> [root@turtle2 ~]#
> - Now I am mapping the Linux user to the SELinux user; when I set the SELinux user it throws the following error message.
> [root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
> libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
> libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
> libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
> /usr/sbin/semanage: Could not add login mapping for prakash
> [root@turtle2 ~]#

You typed "audit" rather than "audit_u" above. Looks like a typo in the blog.

> - I am using the sysadm_r role as root; the information is as follows:
> [root@turtle2 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
> [root@turtle2 ~]#
> - These are the audit log messages I am getting using the ausearch command.
> [root@turtle2 ~]# ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
> I don't know why it is throwing this error. I have searched Google but couldn't find anything.
> Please help me; what should I do?
> Thanks, Prakash
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
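The check the reply points at, as an added shell example that is not part of the thread: it parses `semanage user -l` output (the table quoted above, embedded here as a constructed sample) and refuses a `semanage login -a` mapping whose SELinux user, such as "audit" instead of "audit_u", is not defined. The function names, the DRY_RUN switch, and falling back to the live `semanage` command when SEMANAGE_USERS is empty are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): validate the SELinux user before
# `semanage login -a -s <seuser> -r <range> <linuxuser>` is run.

# Constructed sample of `semanage user -l` as quoted in the thread (mls policy).
# Leave SEMANAGE_USERS empty to query the real command instead.
SEMANAGE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

audit_u         staff      SystemLow  SystemLow                       staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh  system_r
user_u          user       SystemLow  SystemLow                       system_r user_r'

seuser_table() {                      # raw table: the sample if set, else live output
    if [ -n "$SEMANAGE_USERS" ]; then printf '%s\n' "$SEMANAGE_USERS"
    else semanage user -l; fi
}

list_seusers() {                      # first column, skipping the two header lines
    seuser_table | awk 'NR > 2 && NF > 0 { print $1 }'
}

check_seuser() {                      # exit 0 only if "$1" is a defined SELinux user
    list_seusers | grep -qx -- "$1"
}

seuser_roles() {                      # roles of "$1": every field after the 4 fixed columns
    seuser_table | awk -v u="$1" 'NR > 2 && $1 == u {
        for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# add_login_mapping LINUXUSER SEUSER RANGE: refuse an unknown SELinux user
# (hinting at the "_u" form); with DRY_RUN set, print the command instead of running it.
add_login_mapping() {
    if ! check_seuser "$2"; then
        echo "error: SELinux user '$2' does not exist (see: semanage user -l)" >&2
        check_seuser "${2}_u" && echo "hint: did you mean '${2}_u'?" >&2
        return 1
    fi
    echo "$2 has roles: $(seuser_roles "$2")" >&2
    if [ -n "$DRY_RUN" ]; then
        printf 'semanage login -a -s %s -r %s %s\n' "$2" "$3" "$1"
    else
        semanage login -a -s "$2" -r "$3" "$1"
    fi
}
```

With DRY_RUN=1, `add_login_mapping prakash audit_u SystemLow-SystemHigh` prints the corrected command from the thread, while `add_login_mapping prakash audit SystemLow-SystemHigh` fails with the "_u" hint instead of reaching libsemanage.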