I think I followed your instructions, but got the same result as before. Maybe you can see where I went wrong. This is my 'audit tape': [root@hoho2 init.d]# cd /etc/security/selinux/src/policy [root@hoho2 policy]# ls -l | grep drw drwx------ 2 root root 4096 May 22 23:49 appconfig drwx------ 4 root root 4096 May 22 23:49 domains drwxr-xr-x 4 root root 4096 May 22 23:50 file_contexts drwx------ 2 root root 4096 May 22 23:49 flask drwx------ 3 root root 4096 May 22 23:49 macros drwxr-xr-x 2 root root 4096 May 22 23:49 tmp drwx------ 2 root root 4096 May 22 23:49 types [root@hoho2 policy]# cd domains/program [root@hoho2 program]# ls -l total 1460 ... -rw------- 1 root root 349 May 11 10:03 screensaver.te -rw------- 1 root root 357 May 11 10:03 screen.te -rw------- 1 root root 3645 May 11 10:03 sendmail.te -rw------- 1 root root 2093 May 11 10:03 setfiles.te -rw------- 1 root root 1630 May 11 10:03 slapd.te ... seuser.te is not here - as expected. [root@hoho2 program]# [root@hoho2 program]# ls -l unused total 76 -rw------- 1 root root 13362 May 11 10:03 dpkg.te -rw------- 1 root root 1621 May 11 10:03 gatekeeper.te -rw------- 1 root root 7550 May 11 10:03 qmail.te -rw------- 1 root root 5283 May 11 10:03 seuser.te -rw------- 1 root root 1825 May 11 10:03 tinydns.te -rw------- 1 root root 1184 May 11 10:03 uml_net.te -rw------- 1 root root 2021 May 11 10:03 xprint.te Step 1 - mv [root@hoho2 program]# mv unused/seuser.te . [root@hoho2 program]# [root@hoho2 program]# ls -l se* -rw------- 1 root root 3645 May 11 10:03 sendmail.te -rw------- 1 root root 2093 May 11 10:03 setfiles.te -rw------- 1 root root 5283 May 11 10:03 seuser.te Now seuser.te is there [root@hoho2 program]# [root@hoho2 program]# cd .. [root@hoho2 domains]# cd .. 
[root@hoho2 policy]# cd file_contexts [root@hoho2 file_contexts]# ls file_contexts misc program types.fc [root@hoho2 file_contexts]# cd programs bash: cd: programs: No such file or directory [root@hoho2 file_contexts]# cd program [root@hoho2 program]# pwd /etc/security/selinux/src/policy/file_contexts/program [root@hoho2 program]# vim seuser.fc Step 2 - edit [root@hoho2 program]# cat seuser.fc # seuser /usr/bin/seuser system_u:object_r:seuser_exec_t /usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t [root@hoho2 program]# cd /usr/share/setools [root@hoho2 setools]# ls -l seuser* -rw-r--r-- 1 root root 1808 Apr 19 19:50 seuser.conf -rw-r--r-- 1 root root 8980 Apr 19 19:50 seuser_help.txt [root@hoho2 setools]# Step 3 - remake and reload [root@hoho2 program]# cd /etc/security/selinux/src/policy [root@hoho2 policy]# make 2>&1 | tee make.out ... ... > policy.conf.tmp mv policy.conf.tmp policy.conf mkdir -p /etc/security/selinux /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf /usr/bin/checkpolicy: loading policy configuration from policy.conf security: 5 users, 7 roles, 1252 types, 1 bools security: 30 classes, 305363 rules /usr/bin/checkpolicy: policy configuration loaded /usr/bin/checkpolicy: writing binary representation (version 17) to /etc/security/selinux/policy.17 Building file_contexts ... 
install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts [root@hoho2 policy]# make reload 2>&1 | tee reload.out /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers` touch tmp/load [root@hoho2 policy]# [root@hoho2 setools]# cd /etc/security/selinux [root@hoho2 selinux]# ls -l total 29196 -rw-r--r-- 1 root root 87206 May 24 20:12 file_contexts -rw-r--r-- 1 root root 88310 May 11 10:03 file_contexts.rpmnew -rw-r--r-- 1 root root 7383775 May 20 21:37 policy.15.rpmsave -rw-r--r-- 1 root root 7385512 May 20 21:37 policy.16.rpmsave -rw-r--r-- 1 root root 7434273 May 24 20:12 policy.17 -rw-r--r-- 1 root root 7409751 May 11 10:03 policy.17.rpmnew drwx------ 3 root root 4096 May 11 10:03 src [root@hoho2 selinux]# policy.17 seems to have changed as expected Step 4 - run restorecon [root@hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser /sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t [root@hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf /sbin/restorecon set context /usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t [root@hoho2 policy]# Step 5 - test [root@hoho2 policy]# which seuser /usr/bin/seuser [root@hoho2 policy]# date Mon May 24 20:26:29 CDT 2004 [root@hoho2 policy]# seuser show users Could not open policy.conf file [root@hoho2 policy]# seuser show Could not open policy.conf file Step 6 - extra information ? [root@hoho2 policy]# [root@hoho2 policy]# ls -l /usr/bin/seuser -rwxr-xr-x 1 root root 106960 Apr 19 19:50 /usr/bin/seuser [root@hoho2 policy]# On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote: >> -----Original Message----- >> From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list- >> bounces@xxxxxxxxxx] On Behalf Of Bob Gustafson >> Sent: Monday, May 24, 2004 2:33 PM >> To: t.pitt@xxxxxxxxxxxxxxxx; Fedora SELinux support list for users & >> developers. 
>> Subject: Re: New user >> >> Some added information >> >> [root@hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf >> -rw-r--r--+ root root >> system_u:object_r:policy_src_t >> /etc/security/selinux/src/policy/policy.conf >> >> [root@hoho2 user1]# cat /proc/version >> Linux version 2.6.6-1.377smp (bhcompile@xxxxxxxxxxxxxxxxxxxxxxx) (gcc >> version 3.3.3 20040412 (Red Hat >> Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004 >> >> [root@hoho2 user1]# which seuser >> /usr/bin/seuser >> >> [root@hoho2 user1]# ls -lZ /usr/bin/seuser -rwxr-xr-x+ root root >> system_u:object_r:bin_t >> /usr/bin/seuser >> [root@hoho2 user1]# >> > >This is part of the problem - seuser runs in its own domain so the binary >needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is >quite broken on FC2. You can fix it by: > >1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to >/etc/security/selinux/src/policy/domains/program/seuser.te. > >2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc >changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf". > >3) remake and reload the policy. > >4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf > >This should make seuser behave properly. I'm not certain what is going on >with the outdated fc file - we currently generate that file in our >distribution of setools, but had accidentally included an outdated >version with the source. Probably someone just copied that old file >(understandably). Hopefully we can get some of these fixes pushed out as an >update - is the appropriate process to enter a bugzilla case with a patch? > >Karl > >Karl MacMillan >Tresys Technology >http://www.tresys.com >(410)290-1411 ext 134 > >> ------- previously sent a minute or so ago -- >> >> You are further along .. 
>> >> I get >> >> [root@hoho2 user1]# date >> Mon May 24 13:16:52 CDT 2004 >> [root@hoho2 user1]# seuser show users >> Could not open policy.conf file >> [root@hoho2 user1]# >> >> I have FC2 installed clean with all updates (incl development) to this >> moment (except for ppp - which is having a problem independent of >> selinux). >> >> Booting with kernel boot parameters 'selinux=1 enforcing=0' (not enforce=0..) >> The boot was done just after a run of '/sbin/fixfiles relabel' at init >> level 1. >> >> BobG >> >> >> On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote: >> >Hi there, >> > I hope you can help. I've just installed 'Fedora Core2', with >> Selinux >> >enabled. >> >Using 'seuser' I created a new 'defined' selinux user, with user_r role >> >only. I also created the users /home/* directory under the same process. >> >I'm using the 'gnome' window manager interface. >> >Now when I try to log on with this new user, I get all sorts of errors to >> >do with the users environment, eventually allowing me a blank interface, >> >with 'right-click' functionality only. >> >Any ideas? >> >Tony. >> > >> >---------------------------------------------------------------------- >> >A D Pitt Ph:+44(0)1684 895757 >> >Rm B006 Woodward Building Fax:+44(0)1684 896660 >> >QinetiQ >email:t.pitt@xxxxxxxxxxxxxxxx >> >Malvern Technology Centre, >> >St Andrews Road >> >Malvern >> >Worcs. >> >WR14 3PS >> > >> >URL:http://www.qinetiq.com/home_enterprise_security.html >> >-- >> >fedora-selinux-list mailing list >> >fedora-selinux-list@xxxxxxxxxx >> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list@xxxxxxxxxx >> http://www.redhat.com/mailman/listinfo/fedora-selinux-list > >-- >fedora-selinux-list mailing list >fedora-selinux-list@xxxxxxxxxx >http://www.redhat.com/mailman/listinfo/fedora-selinux-list