Re: New user - Not yet

Bob Gustafson wrote:

I think I followed your instructions, but got the same result as before.
Maybe you can see where I went wrong.

This is my 'audit tape'

[root@hoho2 init.d]# cd /etc/security/selinux/src/policy
[root@hoho2 policy]# ls -l | grep drw
drwx------  2 root root    4096 May 22 23:49 appconfig
drwx------  4 root root    4096 May 22 23:49 domains
drwxr-xr-x  4 root root    4096 May 22 23:50 file_contexts
drwx------  2 root root    4096 May 22 23:49 flask
drwx------  3 root root    4096 May 22 23:49 macros
drwxr-xr-x  2 root root    4096 May 22 23:49 tmp
drwx------  2 root root    4096 May 22 23:49 types

[root@hoho2 policy]# cd domains/program
[root@hoho2 program]# ls -l
total 1460
...
-rw-------  1 root root   349 May 11 10:03 screensaver.te
-rw-------  1 root root   357 May 11 10:03 screen.te
-rw-------  1 root root  3645 May 11 10:03 sendmail.te
-rw-------  1 root root  2093 May 11 10:03 setfiles.te
-rw-------  1 root root  1630 May 11 10:03 slapd.te
...

Not here - as expected.

[root@hoho2 program]#

[root@hoho2 program]# ls -l unused
total 76
-rw-------  1 root root 13362 May 11 10:03 dpkg.te
-rw-------  1 root root  1621 May 11 10:03 gatekeeper.te
-rw-------  1 root root  7550 May 11 10:03 qmail.te
-rw-------  1 root root  5283 May 11 10:03 seuser.te
-rw-------  1 root root  1825 May 11 10:03 tinydns.te
-rw-------  1 root root  1184 May 11 10:03 uml_net.te
-rw-------  1 root root  2021 May 11 10:03 xprint.te

Step 1 - mv

[root@hoho2 program]# mv unused/seuser.te .
[root@hoho2 program]#

[root@hoho2 program]# ls -l se*
-rw-------  1 root root 3645 May 11 10:03 sendmail.te
-rw-------  1 root root 2093 May 11 10:03 setfiles.te
-rw-------  1 root root 5283 May 11 10:03 seuser.te

Now it is there

[root@hoho2 program]#


[root@hoho2 program]# cd ..
[root@hoho2 domains]# cd ..
[root@hoho2 policy]# cd file_contexts
[root@hoho2 file_contexts]# ls
file_contexts  misc  program  types.fc

[root@hoho2 file_contexts]# cd programs
bash: cd: programs: No such file or directory

[root@hoho2 file_contexts]# cd program
[root@hoho2 program]# pwd
/etc/security/selinux/src/policy/file_contexts/program

[root@hoho2 program]# vim seuser.fc

Step 2 - edit

[root@hoho2 program]# cat seuser.fc
# seuser
/usr/bin/seuser system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t

[root@hoho2 program]# cd /usr/share/setools
[root@hoho2 setools]# ls -l seuser*
-rw-r--r--  1 root root 1808 Apr 19 19:50 seuser.conf
-rw-r--r--  1 root root 8980 Apr 19 19:50 seuser_help.txt
[root@hoho2 setools]#

Step 3 - remake and reload

[root@hoho2 program]# cd /etc/security/selinux/src/policy

[root@hoho2 policy]# make 2>&1 | tee make.out
...
...
 > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
security:  5 users, 7 roles, 1252 types, 1 bools
security:  30 classes, 305363 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 17) to
/etc/security/selinux/policy.17
Building file_contexts ...
install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts


[root@hoho2 policy]# make reload 2>&1 | tee reload.out
/usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
touch tmp/load
[root@hoho2 policy]#

[root@hoho2 setools]# cd /etc/security/selinux
[root@hoho2 selinux]# ls -l
total 29196
-rw-r--r--  1 root root   87206 May 24 20:12 file_contexts
-rw-r--r--  1 root root   88310 May 11 10:03 file_contexts.rpmnew
-rw-r--r--  1 root root 7383775 May 20 21:37 policy.15.rpmsave
-rw-r--r--  1 root root 7385512 May 20 21:37 policy.16.rpmsave
-rw-r--r--  1 root root 7434273 May 24 20:12 policy.17
-rw-r--r--  1 root root 7409751 May 11 10:03 policy.17.rpmnew
drwx------  3 root root    4096 May 11 10:03 src
[root@hoho2 selinux]#

policy.17 seems to have changed as expected

Step 4 - run restorecon

[root@hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser
/sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t

[root@hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf
/sbin/restorecon set context
/usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t
[root@hoho2 policy]#

Step 5 - test

[root@hoho2 policy]# which seuser
/usr/bin/seuser

[root@hoho2 policy]# date
Mon May 24 20:26:29 CDT 2004

[root@hoho2 policy]# seuser show users
Could not open policy.conf file
[root@hoho2 policy]# seuser show
Could not open policy.conf file

Step 6 - extra information ?

[root@hoho2 policy]#
[root@hoho2 policy]# ls -l /usr/bin/seuser
-rwxr-xr-x  1 root root 106960 Apr 19 19:50 /usr/bin/seuser
[root@hoho2 policy]#


On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote:

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-
bounces@xxxxxxxxxx] On Behalf Of Bob Gustafson
Sent: Monday, May 24, 2004 2:33 PM
To: t.pitt@xxxxxxxxxxxxxxxx; Fedora SELinux support list for users &
developers.
Subject: Re: New user

Some added information

 [root@hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
 -rw-r--r--+ root     root     system_u:object_r:policy_src_t   /etc/security/selinux/src/policy/policy.conf

 [root@hoho2 user1]# cat /proc/version
 Linux version 2.6.6-1.377smp (bhcompile@xxxxxxxxxxxxxxxxxxxxxxx) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004

 [root@hoho2 user1]# which seuser
 /usr/bin/seuser

 [root@hoho2 user1]# ls -lZ /usr/bin/seuser
 -rwxr-xr-x+ root     root     system_u:object_r:bin_t          /usr/bin/seuser
 [root@hoho2 user1]#


This is part of the problem - seuser runs in its own domain so the binary needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is quite broken on FC2. You can fix it by:

1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
/etc/security/selinux/src/policy/domains/program/seuser.te.

2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".

3) remake and reload the policy.

4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf

This should make seuser behave properly. I'm not certain what is going on
with the outdated fc file - we currently generate that file in our
distribution of setools, but had accidentally included an outdated
version with the source. Probably someone just copied that old file
(understandably). Hopefully we can get some of these fixes pushed out as an
update - is the appropriate process to enter a bugzilla case with a patch?

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134


------- previously sent a minute or so ago --

You are further along ..

I get

 [root@hoho2 user1]# date
 Mon May 24 13:16:52 CDT 2004
 [root@hoho2 user1]# seuser show users
 Could not open policy.conf file
 [root@hoho2 user1]#

I have FC2 installed clean with all updates (incl development) to this
moment (except for ppp - which is having a problem independent of
selinux).

Booting with kernel boot parameter 'selinux=1 enforcing=0' (not enforce=0..)
The boot was done just after a run of '/sbin/fixfiles relabel' at init
level 1.

BobG


On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:

Hi there,
	I hope you can help. I've just installed 'Fedora Core 2', with SELinux enabled.
Using 'seuser' I created a new 'defined' selinux user, with user_r role
only. I also created the users /home/* directory under the same process.
I'm using the 'gnome' window manager interface.
Now when I try to log on with this new user, I get all sorts of errors to
do with the users environment, eventually allowing me a blank interface,
with 'right-click' functionality only.
Any ideas?
Tony.

----------------------------------------------------------------------
A D Pitt                            Ph:+44(0)1684 895757
Rm B006 Woodward Building           Fax:+44(0)1684 896660
QinetiQ

email:t.pitt@xxxxxxxxxxxxxxxx

Malvern Technology Centre,
St Andrews Road
Malvern
Worcs.
WR14 3PS

URL:http://www.qinetiq.com/home_enterprise_security.html
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list





I found one more step to be done. You need to edit /usr/share/setools/seuser.conf and change the line for policy.conf to
/etc/security/selinux/src/policy/policy.conf


i.e. adding the /policy/ after src
HTH
Richard Hally
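The root cause Karl identifies above is a label mismatch: the seuser.fc entry says /usr/bin/seuser should be seuser_exec_t, but Bob's ls -lZ showed it carrying bin_t until restorecon was run in Step 4. The following is an added example (not code from the thread, setools, or Fedora) that checks a list of observed file labels against file_contexts-style entries and reports what restorecon would have to relabel. It runs in plain POSIX sh with no SELinux present: the spec is a copy of the seuser.fc Bob printed, and the "observed" labels are constructed to mirror his before/after output (the usr_t label on seuser.conf is a made-up placeholder). It matches exact paths only; real file_contexts entries are regular expressions with an optional file-type field, which this toy parser deliberately does not handle.

```shell
# Constructed sample spec, copied from the seuser.fc shown in Step 2.
FC_SPEC='# seuser
/usr/bin/seuser                 system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf  system_u:object_r:seuser_conf_t'

# Constructed "observed" labels. BEFORE mirrors Bob's first ls -lZ, where
# /usr/bin/seuser still carried bin_t (the seuser.conf label is a placeholder);
# AFTER mirrors the contexts restorecon reported setting in Step 4.
OBSERVED_BEFORE='/usr/bin/seuser system_u:object_r:bin_t
/usr/share/setools/seuser.conf system_u:object_r:usr_t'
OBSERVED_AFTER='/usr/bin/seuser system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t'

# expected_context SPEC PATH
# Prints the context SPEC assigns to PATH, or nothing if PATH is not listed.
# Exact-path match only (assumption of this toy parser; real entries are regexes).
expected_context() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        $1 == p                    { print $NF; exit }
    '
}

# mislabeled SPEC OBSERVED
# Reads "path context" lines from OBSERVED and prints "path observed expected"
# for every file whose context differs from SPEC: the files restorecon would
# relabel. Paths with no entry in SPEC are reported on stderr instead.
mislabeled() {
    printf '%s\n' "$2" | while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_context "$1" "$path")
        if [ -z "$want" ]; then
            printf 'no file_contexts entry for %s\n' "$path" >&2
        elif [ "$ctx" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$ctx" "$want"
        fi
    done
}

# count_mislabeled SPEC OBSERVED -> number of mismatching files (0 means clean)
count_mislabeled() {
    mislabeled "$1" "$2" | awk 'END { print NR }'
}

# Demo: the state Bob was in before Step 4, and after it.
echo "before restorecon: $(count_mislabeled "$FC_SPEC" "$OBSERVED_BEFORE") mislabeled"
mislabeled "$FC_SPEC" "$OBSERVED_BEFORE"
echo "after restorecon:  $(count_mislabeled "$FC_SPEC" "$OBSERVED_AFTER") mislabeled"
```

On a live system the observed list would come from ls -Z (or matchpathcon -V on newer releases, which performs this comparison itself); the point of the check is that a .te file in the policy and a correct .fc entry are not enough until the on-disk labels actually match, which is why Karl's Step 4 is required.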

