Steps to login with non-traditional selinux roles

KaiGai Kohei kaigai at ak.jp.nec.com
Fri Apr 9 01:33:07 UTC 2010


(2010/04/08 16:52), Dominick Grift wrote:
> On Thu, Apr 08, 2010 at 09:24:28AM +0900, KaiGai Kohei wrote:
>> I'm trying to set up a certain user to login with non-traditional
>> selinux roles (such as dbadm_u), but it does not work well.
>> Am I missing something?
> 
> Webadm_r is a secondary privileged user domain not a login user domain.
> 
> Thus you can only access it via a login user domain that is allowed to
> role transition to webadm_r:

Ahh, indeed, webadm uses the userdom_base_user_template() template.

> semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r webadm_r system_r unconfined_r sysadm_r" -P user staff_u
> useradd -Z staff_u joe
> echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers
> passwd joe
> 
> <  ..login as joe...>
> 
> sudo service httpd restart
> sudo -s
> 
> There are some fundamental differences between dbadm and webadm.
> 
> The dbadm is a login user domain and webadm is not.
> staff_r is not allowed to transition to dbadm_r currently

Hmm. It seems to me I misunderstood the direction of the design for
the *adm roles. I also think the suggested one is better than 'joe'
always performing in the webadm_r role.

So, I'll try to revise the policy of the dbadm role.

>> [root at saba ~]# rpm -q selinux-policy
>> selinux-policy-3.7.15-4.fc13.noarch
>>
>> [root at saba ~]# semanage user -a -R webadm_r webadm_u
>> [root at saba ~]# semanage user -l
>>
>>                  Labeling   MLS/       MLS/
>> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>>
>> guest_u         user       s0         s0                             guest_r
>> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
>> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
>> system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
>> unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
>> user_u          user       s0         s0                             user_r
>> webadm_u        user       s0         s0                             webadm_r
>> xguest_u        user       s0         s0                             xguest_r
>>
>> [root at saba ~]# semanage login -a -s webadm_u ymj
>> [root at saba ~]# semanage login -l
>>
>> Login Name                SELinux User              MLS/MCS Range
>>
>> __default__               unconfined_u              s0-s0:c0.c1023
>> root                      unconfined_u              s0-s0:c0.c1023
>> system_u                  system_u                  s0-s0:c0.c1023
>> ymj                       webadm_u                  s0
>>
>> [root at saba ~]# cd /etc/selinux/targeted/contexts/users/
>> [root at saba users]# cat user_u | sed 's/user_/webadm_/g'>  webadm_u
>> [root at saba users]# cat webadm_u
>> system_r:local_login_t:s0       webadm_r:webadm_t:s0
>> system_r:remote_login_t:s0      webadm_r:webadm_t:s0
>> system_r:sshd_t:s0              webadm_r:webadm_t:s0
>> system_r:crond_t:s0             webadm_r:webadm_t:s0
>> system_r:xdm_t:s0               webadm_r:webadm_t:s0
>> webadm_r:webadm_su_t:s0         webadm_r:webadm_t:s0
>> webadm_r:webadm_sudo_t:s0               webadm_r:webadm_t:s0
>> system_r:initrc_su_t:s0         webadm_r:webadm_t:s0
>> webadm_r:webadm_t:s0            webadm_r:webadm_t:s0
>>
>> [root at saba users]# ssh ymj at localhost
>> ymj at localhost's password:
>> Last login: Thu Apr  8 09:12:43 2010 from localhost
>> Connection to localhost closed.
>>
>> [root at saba users]# setenforce 0
>> [root at saba users]# ssh ymj at localhost
>> ymj at localhost's password:
>> Last login: Thu Apr  8 09:12:56 2010 from localhost
>> [ymj at saba ~]$ id -Z
>> system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>
>>
>> With "semanage -BD", I could find the following avc denial audit logs
>> during the above command execution, but it does not seem to me that these
>> violations prevent ymj's login directly.
>>
>> type=AVC msg=audit(1270685681.731:24535): avc:  denied  { rlimitinh } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.731:24535): avc:  denied  { siginh } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.731:24535): avc:  denied  { noatsecure } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.748:24537): avc:  denied  { rlimitinh } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.748:24537): avc:  denied  { siginh } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.748:24537): avc:  denied  { noatsecure } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.770:24544): avc:  denied  { siginh } for  pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.770:24544): avc:  denied  { noatsecure } for  pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1270685681.925:24545): avc:  denied  { write } for  pid=17259 comm="setroubleshootd" name="rpm" dev=sda3 ino=180226 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
>> type=AVC msg=audit(1270685681.926:24546): avc:  denied  { write } for  pid=17259 comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
>>
>> I guess pam_selinux.so kills the connection due to the lack of something to be
>> configured in enforcing mode.
>>
>> Do you have any suggestion?
>> -- 
>> KaiGai Kohei<kaigai at ak.jp.nec.com>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux


-- 
KaiGai Kohei <kaigai at ak.jp.nec.com>
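An added example, not part of this thread and not code from the reference policy: a small Python model of the lookup a login program (sshd, login, crond) performs against the contexts/users/<seuser> file and the "semanage user -l" role table shown above. It embeds the webadm_u file and the role table from the thread as constructed sample strings, and walks the same two steps libselinux's get_ordered_context_list() takes before asking the kernel: pick the candidate contexts whose first field matches the caller's role:type, then keep only those whose role the SELinux user is allowed to hold. The kernel-side validity check (security_compute_user, which is where a non-login domain such as webadm_t gets rejected) is deliberately not modelled; the point is that the file-level lookup for webadm_u succeeds, so the ssh disconnect must come from the policy, as Dominick's answer says. The helper names and the "a context carries a user field unless its first field ends in _r" rule are assumptions of this example only.

```python
"""Model the user-space half of SELinux login context selection.

Constructed example for the mailing-list thread above; not the
libselinux implementation. Reads a contexts/users/<seuser>-style file
and a `semanage user -l`-style table and returns the context a login
daemon would propose for a given SELinux user. Kernel-side validation
(security_compute_user) is not modelled.
"""
from typing import Dict, List, Optional, Set, Tuple

# Sample contexts/users/webadm_u, as built in the thread with
# `cat user_u | sed 's/user_/webadm_/g'` (constructed copy).
WEBADM_U_CONTEXTS = """\
system_r:local_login_t:s0       webadm_r:webadm_t:s0
system_r:remote_login_t:s0      webadm_r:webadm_t:s0
system_r:sshd_t:s0              webadm_r:webadm_t:s0
system_r:crond_t:s0             webadm_r:webadm_t:s0
system_r:xdm_t:s0               webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0         webadm_r:webadm_t:s0
webadm_r:webadm_sudo_t:s0       webadm_r:webadm_t:s0
system_r:initrc_su_t:s0         webadm_r:webadm_t:s0
webadm_r:webadm_t:s0            webadm_r:webadm_t:s0
"""

# Sample `semanage user -l` output, header rows included (constructed
# copy of the table in the thread).
SEMANAGE_USERS = """\
                 Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r
"""


def split_role_type(ctx: str) -> Tuple[str, str]:
    """Return (role, type) from 'user:role:type:level' or 'role:type:level'.

    Assumption of this example: a context carries a user field unless its
    first field ends in '_r'. The level is ignored because the lookup in
    the contexts files matches on role and type only.
    """
    fields = ctx.split(":")
    if fields[0].endswith("_r"):
        return fields[0], fields[1]
    return fields[1], fields[2]


def parse_contexts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse contexts/users/<seuser> (or default_contexts) lines.

    Each non-empty, non-comment line is: <caller context> <candidate>...
    with candidates listed in order of preference.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def _looks_like_level(field: str) -> bool:
    # 's0', 's15', ... ; used to skip the two header rows of semanage output
    return field.startswith("s") and field[1:].isdigit()


def parse_semanage_users(text: str) -> Dict[str, Set[str]]:
    """Map each SELinux user in `semanage user -l` output to its role set."""
    roles: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        # name, prefix, level, range, then one or more roles
        if len(fields) < 5 or not _looks_like_level(fields[2]):
            continue
        roles[fields[0]] = set(fields[4:])
    return roles


def candidate_contexts(contexts_text: str, caller_ctx: str) -> List[str]:
    """Candidates a login program running in caller_ctx may offer, in order."""
    wanted = split_role_type(caller_ctx)
    out: List[str] = []
    for source, targets in parse_contexts(contexts_text):
        if split_role_type(source) == wanted:
            out.extend(targets)
    return out


def pick_login_context(contexts_text: str, users_text: str,
                       seuser: str, caller_ctx: str) -> Optional[str]:
    """First candidate whose role the SELinux user may hold, else None."""
    allowed = parse_semanage_users(users_text).get(seuser, set())
    for ctx in candidate_contexts(contexts_text, caller_ctx):
        role, _ = split_role_type(ctx)
        if role in allowed:
            return ctx
    return None


if __name__ == "__main__":
    sshd = "system_u:system_r:sshd_t:s0-s0:c0.c1023"
    for seuser in ("webadm_u", "staff_u"):
        print(seuser, "via sshd ->",
              pick_login_context(WEBADM_U_CONTEXTS, SEMANAGE_USERS, seuser, sshd))
```

Running it shows webadm_u resolving to webadm_r:webadm_t:s0 while staff_u, whose role set in the table does not include webadm_r, gets no context at all; that is the file-level outcome a practitioner can reproduce with the real files before looking for the cause in the policy itself.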

