On Sun, 2008-06-15 at 22:06 +0530, prakash hallalli wrote:
> Hi...
> Now I am trying to configure RBAC using the MLS (Multilevel Security)
> policy for Fedora 8,
> because I have read Dan Walsh's journal, where he said the MLS policy is
> more useful for RBAC.
Again, to clarify, you don't have to use MLS policy if all you want is
roles. And Fedora 9 is the latest release of Fedora.
> http://danwalsh.livejournal.com/?skip=40
> Using RBAC In FC5/MLS Policy
> So I am using the MLS policy for RBAC. Here I have installed the MLS packages
> and changed from the targeted policy to the mls policy.
> Then I configured the roles for users, but I couldn't set the
> roles, because when I set the roles it displays an error
> message.
> Steps to reproduce:
> 1) Adding the SELinux audit user using the semanage command.
> # semanage user -a -R staff_r -R auditadm_r -P staff audit_u
> 2) Here I am checking the SELinux users.
> [root@turtle2 ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                          SELinux Roles
>
> audit_u         staff      SystemLow  SystemLow                          staff_r auditadm_r
> root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh     system_r sysadm_r staff_r secadm_r auditadm_r
> staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh     sysadm_r staff_r secadm_r auditadm_r
> sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh     sysadm_r
> system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh     system_r
> user_u          user       SystemLow  SystemLow                          system_r user_r
> [root@turtle2 ~]#
> 3) Now I am setting the Linux user to an SELinux user; when I set
> the SELinux user it throws the error message as follows.
> [root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
> libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
> libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
> libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
> /usr/sbin/semanage: Could not add login mapping for prakash
> [root@turtle2 ~]#
You typed "audit" rather than "audit_u" above. Looks like a typo in the
blog.
> 4) I am using sysadm_r as root; the information is as follows:
> [root@turtle2 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
> [root@turtle2 ~]#
> 5) These are the audit log messages I am getting using the ausearch command.
> [root@turtle2 ~]# ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
> I don't know why it is throwing this error. I have searched on Google
> but I couldn't find anything.
> Please help me with what I should do.
> Thanks,
> Prakash
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
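Added example, not code from the thread or from semanage itself: a POSIX sh pre-check for the `semanage login -a -s SEUSER -r RANGE` request in step 3, which reports an unknown SELinux user (what the "audit" for "audit_u" typo triggers) and a requested range that exceeds the SELinux user's own range, which libsemanage also rejects; note that audit_u above is SystemLow only. The table is a constructed copy of the `semanage user -l` output quoted above with the range column written as plain `SystemLow-SystemHigh`, and the function names are hypothetical.

```shell
# Added example (not from the thread): pre-check a
#   semanage login -a -s SEUSER -r RANGE LINUXUSER
# request against the SELinux user table, so a typo such as "audit" for
# "audit_u" (the failure in step 3 above) is reported before libsemanage
# rejects it. SEUSER_TABLE is a constructed copy of the `semanage user -l`
# output quoted above; on a live system feed it the real command's output.
SEUSER_TABLE='audit_u  staff  SystemLow SystemLow            staff_r auditadm_r
root     sysadm SystemLow SystemLow-SystemHigh system_r sysadm_r staff_r secadm_r auditadm_r
staff_u  staff  SystemLow SystemLow-SystemHigh sysadm_r staff_r secadm_r auditadm_r
sysadm_u sysadm SystemLow SystemLow-SystemHigh sysadm_r
system_u user   SystemLow SystemLow-SystemHigh system_r
user_u   user   SystemLow SystemLow            system_r user_r'

# seuser_range NAME -> prints the MLS range column for NAME, empty if unknown
seuser_range() {
    printf '%s\n' "$SEUSER_TABLE" | awk -v u="$1" '$1 == u { print $4 }'
}

# Rank the table's symbolic levels (assumption: only SystemLow/SystemHigh occur); unknown -> -1
level_num() {
    case "$1" in SystemLow) echo 0 ;; SystemHigh) echo 1 ;; *) echo -1 ;; esac
}

# range_bounds RANGE -> prints "LOW HIGH"; a single level means LOW = HIGH
range_bounds() {
    case "$1" in
        *-*) echo "$(level_num "${1%%-*}") $(level_num "${1##*-}")" ;;
        *)   n=$(level_num "$1"); echo "$n $n" ;;
    esac
}

# check_login_mapping LINUXUSER SEUSER RANGE
# Returns 0 (and prints "ok ...") when the SELinux user exists and RANGE lies
# within that user's range; otherwise prints the reason and returns 1.
check_login_mapping() {
    linux_user=$1 seuser=$2 range=$3
    allowed=$(seuser_range "$seuser")
    if [ -z "$allowed" ]; then
        hint=$(seuser_range "${seuser}_u")          # suggest NAME_u if it exists
        echo "selinux user $seuser does not exist${hint:+ (did you mean ${seuser}_u?)}"
        return 1
    fi
    set -- $(range_bounds "$range") $(range_bounds "$allowed")
    if [ "$1" -lt 0 ] || [ "$2" -lt 0 ] || [ "$1" -lt "$3" ] || [ "$2" -gt "$4" ]; then
        echo "range $range for $linux_user exceeds allowed range $allowed for $seuser"
        return 1
    fi
    echo "ok: $linux_user -> $seuser:$range"
}
```

Running `check_login_mapping prakash audit SystemLow-SystemHigh` reproduces the step 3 failure locally, and `check_login_mapping prakash audit_u SystemLow-SystemHigh` shows that fixing only the name is not enough because audit_u is limited to SystemLow.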