Addition of selinux users causes "Multiple same specifications" warnings during startup
Radha Venkatesh (radvenka)
radvenka at cisco.com
Fri Oct 15 22:28:40 UTC 2010
These users do not log onto the machine. They just execute these
applications (su / sudo)
Thanks,
Radha.
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Friday, October 15, 2010 2:13 PM
To: Radha Venkatesh (radvenka)
Cc: fedora-selinux-list at redhat.com
Subject: Re: Addition of selinux users causes "Multiple same
specifications" warnings during startup
On 10/15/2010 04:58 PM, Radha Venkatesh (radvenka) wrote:
>
> Dan,
>
> I have created SELinux users which can take on roles of system_r and
> sysadm_r and tied them to the Linux users created (though they are
> nologin). This is needed so that these Linux users can execute
> applications in our product taking on system_r or sysadm_r roles.
>
> Thanks,
> Radha.
Right but how do they get logged on to the machine?
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Friday, October 15, 2010 12:53 PM
> To: Radha Venkatesh (radvenka)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Addition of selinux users causes "Multiple same
> specifications" warnings during startup
>
> On 10/15/2010 03:27 PM, Radha Venkatesh (radvenka) wrote:
>
>> Dan,
>
>> These users do not log in to the system and their shells are already
>> set to /sbin/nologin.
>
>> Thanks,
>> Radha.
>
> Then why are you assigning user context to the accounts?
> genhomedircon must have a bug in that it is ignoring the shell if the
> user has an assigned seusers label.
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Friday, October 15, 2010 12:18 PM
>> To: Radha Venkatesh (radvenka)
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: Addition of selinux users causes "Multiple same
>> specifications" warnings during startup
>
>> On 10/15/2010 03:11 PM, Radha Venkatesh (radvenka) wrote:
>
>>> Yes, for security reasons, /dev/null is being used as the homedir
>>> for users in our product.
>
>>> Thanks,
>>> Radha.
>
>>> -----Original Message-----
>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>> Sent: Friday, October 15, 2010 12:02 PM
>>> To: Radha Venkatesh (radvenka)
>>> Cc: fedora-selinux-list at redhat.com
>>> Subject: Re: Addition of selinux users causes "Multiple same
>>> specifications" warnings during startup
>
>>> On 10/15/2010 02:33 PM, Radha Venkatesh (radvenka) wrote:
>>>> I have created SELinux users using "semanage user" and tied the
>>>> SELinux users to Linux users using "semanage login". I find that on
>>>> startup, there are several warnings thrown for "Multiple same
>>>> specifications".
>>>> Below is an example
>
>>>> /etc/selinux/strict/contexts/files/file_contexts: Multiple same specifications for /dev/null/\.screenrc
>
>>>> I then checked and found that file_contexts has
>
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>
>>>> Looks like there is an entry for every Linux user I tied to the
>>>> SELinux user.
>
>>>> I am using
>
>>>> libselinux-1.33.4-5.5.el5
>>>> libsemanage-1.9.1-4.4.el5
>>>> policycoreutils-1.33.12-14.8.el5
>>>> libsepol-1.15.2-3.el5
>
>>>> and do not have an option to move to later releases.
>
>>>> Is there a way for me to get rid of these warnings or suppress
>>>> them, without changing the source code provided by RedHat?
>
>>>> Thanks,
>>>> Radha.
>
>>> This looks like /dev/null is defined as a homedir?
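An added example, not part of the thread and not code from policycoreutils or libselinux: a small Python check that reads file_contexts-style lines and reports every path regex / file type pair that appears more than once, as with the file_contexts.homedirs entries quoted above. The sample lines are constructed from the entries in the thread; the whitespace-separated `regex [type] context` layout and the grouping key are assumptions of this example.

```python
import sys
from collections import defaultdict

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE = r"""
# generated homedir entries (constructed sample)
/dev/null/\.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc  --  specialuser_u:object_r:user_screen_ro_home_t:s0
/home/[^/]*/\.screenrc  --  user_u:object_r:user_screen_ro_home_t:s0
/dev/null/.+  specialuser_u:object_r:user_home_t:s0
"""


def parse_spec(line):
    """Return (regex, file_type, context), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) == 2:          # no file type field: applies to any type
        return fields[0], "", fields[1]
    if len(fields) == 3:          # e.g. "--" regular file, "-d" directory
        return fields[0], fields[1], fields[2]
    raise ValueError("unexpected file_contexts line: %r" % line)


def find_duplicates(text):
    """Map (regex, file_type) -> details for every pair seen more than once."""
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        spec = parse_spec(line)
        if spec:
            seen[(spec[0], spec[1])].append((lineno, spec[2]))
    report = {}
    for key, hits in seen.items():
        if len(hits) > 1:
            contexts = sorted({ctx for _, ctx in hits})
            report[key] = {"lines": [n for n, _ in hits],
                           "contexts": contexts,
                           # True when the repeated entries disagree on the label
                           "conflicting": len(contexts) > 1}
    return report


if __name__ == "__main__":
    # Pass a path such as file_contexts.homedirs, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (regex, ftype), info in find_duplicates(text).items():
        kind = "conflicting" if info["conflicting"] else "identical"
        print("%s %s: %d entries (%s) at lines %s"
              % (regex, ftype or "(any)", len(info["lines"]), kind, info["lines"]))
```

The `conflicting` flag separates harmless repeats of one label from repeats that assign different SELinux users to the same path, which is the case worth reviewing first.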