Addition of selinux users causes "Multiple same specifications" warnings during startup

Daniel J Walsh dwalsh at redhat.com
Mon Oct 18 17:05:23 UTC 2010


On 10/18/2010 12:38 PM, Radha Venkatesh (radvenka) wrote:
>  
> Dan,
> 
> Clarifying my email / question further - The login is as an admin user,
> and su / sudo is done to execute the applications as these users
> mentioned below (nologin users). What action can I take to prevent the
> warnings for multiple specifications? 
> 
> Thanks,
> Radha.
> 
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Friday, October 15, 2010 2:13 PM
> To: Radha Venkatesh (radvenka)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Addition of selinux users causes "Multiple same
> specifications" warnings during startup
> 
> On 10/15/2010 04:58 PM, Radha Venkatesh (radvenka) wrote:
> 
>> Dan,
> 
>> I have created SELinux users which can take on roles of system_r and 
>> sysadm_r and tied them to the Linux users created (though they are 
>> nologin). This is needed so that these Linux users can execute 
>> applications in our product taking on system_r or sysadm_r roles.
> 
>> Thanks,
>> Radha.
> 
> Right but how do they get logged on to the machine?
> 
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Friday, October 15, 2010 12:53 PM
>> To: Radha Venkatesh (radvenka)
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: Addition of selinux users causes "Multiple same 
>> specifications" warnings during startup
> 
>> On 10/15/2010 03:27 PM, Radha Venkatesh (radvenka) wrote:
> 
>>> Dan,
> 
>>> These users do not login to the system and their shells are already 
>>> set to /sbin/nologin.
> 
>>> Thanks,
>>> Radha.
> 
>> Then why are you assigning user context to the accounts?
>> genhomedircon must have a bug in that it is ignoring the shell if the 
>> user has an assigned seusers label.
> 
>>> -----Original Message-----
>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>> Sent: Friday, October 15, 2010 12:18 PM
>>> To: Radha Venkatesh (radvenka)
>>> Cc: fedora-selinux-list at redhat.com
>>> Subject: Re: Addition of selinux users causes "Multiple same 
>>> specifications" warnings during startup
> 
>>> On 10/15/2010 03:11 PM, Radha Venkatesh (radvenka) wrote:
> 
>>>> Yes, for security reasons, /dev/null is being used as the homedir for
>>>> users in our product.
> 
>>>> Thanks,
>>>> Radha. 
> 
>>>> -----Original Message-----
>>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>>> Sent: Friday, October 15, 2010 12:02 PM
>>>> To: Radha Venkatesh (radvenka)
>>>> Cc: fedora-selinux-list at redhat.com
>>>> Subject: Re: Addition of selinux users causes "Multiple same 
>>>> specifications" warnings during startup
> 
>>>> On 10/15/2010 02:33 PM, Radha Venkatesh (radvenka) wrote:
>>>>> I have created SELinux users using "semanage user" and tied the
>>>>> SELinux users to Linux users using "semanage login". I find that on
>>>>> startup, there are several warnings thrown for "Multiple same
>>>>> specifications".
>>>>> Below is an example
> 
>>>>> /etc/selinux/strict/contexts/files/file_contexts: Multiple same 
>>>>> specifications for /dev/null/\.screenrc
> 
>>>>> I then checked and found that file_contexts has
> 
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc     -- specialuser_u:object_r:user_screen_ro_home_t:s0
> 
>>>>> Looks like there is an entry for every Linux user I tied to the 
>>>>> SELinux user.
> 
>>>>> I am using
> 
>>>>> libselinux-1.33.4-5.5.el5
>>>>> libsemanage-1.9.1-4.4.el5
>>>>> policycoreutils-1.33.12-14.8.el5
>>>>> libsepol-1.15.2-3.el5
> 
>>>>> and do not have an option to move to later releases.
> 
>>>>> Is there a way for me to get rid of these warnings or suppress them,
>>>>> without changing the source code provided by RedHat?
> 
>>>>> Thanks,
>>>>> Radha.
> 
> 
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> This looks like /dev/null is defined as a homedir?

Yes, if a user never logs into a system there is no reason to associate a
login record to that account.

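Added example (not part of the original thread, and not genhomedircon's own code): a small audit that finds the condition discussed above, i.e. "semanage login" mappings attached to accounts that have a non-login shell and share one home directory, which is what produces one file_contexts.homedirs entry per mapped account. The account names and sample file contents are constructed; the `login:seuser:range` layout of the seusers file and the set of non-login shells are assumptions.

```python
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}  # assumed non-login shells

# Constructed sample data: account names are hypothetical; the SELinux users
# and the /dev/null home directory are the ones quoted in the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ccmuser1:x:501:501::/dev/null:/sbin/nologin
ccmuser2:x:502:501::/dev/null:/sbin/nologin
special1:x:503:503::/dev/null:/sbin/nologin
"""
SEUSERS = """\
root:root:s0-s0:c0.c1023
__default__:user_u:s0
ccmuser1:ccmusergrp_u:s0
ccmuser2:ccmusergrp_u:s0
special1:specialuser_u:s0
"""

def parse_passwd(text):
    """Map login name -> (home directory, shell) from passwd(5)-format text."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: (f[5], f[6]) for f in rows if len(f) >= 7}

def parse_seusers(text):
    """Map login name -> SELinux user, skipping __default__ and %group entries."""
    out = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith(("#", "%", "__default__")):
            continue
        out[fields[0]] = fields[1]
    return out

def audit_login_mappings(passwd_text, seusers_text):
    """Return (mapped non-login accounts, homes shared by >1 mapped account)."""
    accounts = parse_passwd(passwd_text)
    mapped = {l: s for l, s in parse_seusers(seusers_text).items() if l in accounts}
    nologin, by_home = [], defaultdict(list)
    for login, seuser in sorted(mapped.items()):
        home, shell = accounts[login]
        by_home[home].append((login, seuser))
        if shell in NOLOGIN_SHELLS:
            nologin.append(login)
    return nologin, {h: m for h, m in by_home.items() if len(m) > 1}

if __name__ == "__main__":
    print(audit_login_mappings(PASSWD, SEUSERS))
```

On a real system the two inputs would be the contents of /etc/passwd and the policy's seusers file; every home directory in the second result is a path for which duplicate specifications can be expected.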
