Richard Hally wrote: >Bob Gustafson wrote: > >> I think I followed your instructions, but got the same result as before. >> Maybe you can see where I went wrong. >> >> This is my 'audit tape' >> >> [root@hoho2 init.d]# cd /etc/security/selinux/src/policy >> [root@hoho2 policy]# ls -l | grep drw >> drwx------ 2 root root 4096 May 22 23:49 appconfig >> drwx------ 4 root root 4096 May 22 23:49 domains >> drwxr-xr-x 4 root root 4096 May 22 23:50 file_contexts >> drwx------ 2 root root 4096 May 22 23:49 flask >> drwx------ 3 root root 4096 May 22 23:49 macros >> drwxr-xr-x 2 root root 4096 May 22 23:49 tmp >> drwx------ 2 root root 4096 May 22 23:49 types >> >> [root@hoho2 policy]# cd domains/program >> [root@hoho2 program]# ls -l >> total 1460 >> ,,, >> -rw------- 1 root root 349 May 11 10:03 screensaver.te >> -rw------- 1 root root 357 May 11 10:03 screen.te >> -rw------- 1 root root 3645 May 11 10:03 sendmail.te >> -rw------- 1 root root 2093 May 11 10:03 setfiles.te >> -rw------- 1 root root 1630 May 11 10:03 slapd.te >> ... >> >> Not here - as expected. >> >> [root@hoho2 program]# >> >> [root@hoho2 program]# ls -l unused >> total 76 >> -rw------- 1 root root 13362 May 11 10:03 dpkg.te >> -rw------- 1 root root 1621 May 11 10:03 gatekeeper.te >> -rw------- 1 root root 7550 May 11 10:03 qmail.te >> -rw------- 1 root root 5283 May 11 10:03 seuser.te >> -rw------- 1 root root 1825 May 11 10:03 tinydns.te >> -rw------- 1 root root 1184 May 11 10:03 uml_net.te >> -rw------- 1 root root 2021 May 11 10:03 xprint.te >> >> Step 1 - mv >> >> [root@hoho2 program]# mv unused/seuser.te . >> [root@hoho2 program]# >> >> [root@hoho2 program]# ls -l se* >> -rw------- 1 root root 3645 May 11 10:03 sendmail.te >> -rw------- 1 root root 2093 May 11 10:03 setfiles.te >> -rw------- 1 root root 5283 May 11 10:03 seuser.te >> >> Now it is there >> >> [root@hoho2 program]# >> >> >> [root@hoho2 program]# cd .. >> [root@hoho2 domains]# cd .. 
>> [root@hoho2 policy]# cd file_contexts >> [root@hoho2 file_contexts]# ls >> file_contexts misc program types.fc >> >> [root@hoho2 file_contexts]# cd programs >> bash: cd: programs: No such file or directory >> >> [root@hoho2 file_contexts]# cd program >> [root@hoho2 program]# pwd >> /etc/security/selinux/src/policy/file_contexts/program >> >> [root@hoho2 program]# vim seuser.fc >> >> Step 2 - edit >> >> [root@hoho2 program]# cat seuser.fc >> # seuser >> /usr/bin/seuser system_u:object_r:seuser_exec_t >> /usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t >> >> [root@hoho2 program]# cd /usr/share/setools >> [root@hoho2 setools]# ls -l seuser* >> -rw-r--r-- 1 root root 1808 Apr 19 19:50 seuser.conf >> -rw-r--r-- 1 root root 8980 Apr 19 19:50 seuser_help.txt >> [root@hoho2 setools]# >> >> Step 3 - remake and reload >> >> [root@hoho2 program]# cd /etc/security/selinux/src/policy >> >> [root@hoho2 policy]# make 2>&1 | tee make.out >> ... >> ... >> > policy.conf.tmp >> mv policy.conf.tmp policy.conf >> mkdir -p /etc/security/selinux >> /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf >> /usr/bin/checkpolicy: loading policy configuration from policy.conf >> security: 5 users, 7 roles, 1252 types, 1 bools >> security: 30 classes, 305363 rules >> /usr/bin/checkpolicy: policy configuration loaded >> /usr/bin/checkpolicy: writing binary representation (version 17) to >> /etc/security/selinux/policy.17 >> Building file_contexts ... 
>> install -m 644 file_contexts/file_contexts >>/etc/security/selinux/file_contexts >> >> >> [root@hoho2 policy]# make reload 2>&1 | tee reload.out >> /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers` >> touch tmp/load >> [root@hoho2 policy]# >> >> [root@hoho2 setools]# cd /etc/security/selinux >> [root@hoho2 selinux]# ls -l >> total 29196 >> -rw-r--r-- 1 root root 87206 May 24 20:12 file_contexts >> -rw-r--r-- 1 root root 88310 May 11 10:03 file_contexts.rpmnew >> -rw-r--r-- 1 root root 7383775 May 20 21:37 policy.15.rpmsave >> -rw-r--r-- 1 root root 7385512 May 20 21:37 policy.16.rpmsave >> -rw-r--r-- 1 root root 7434273 May 24 20:12 policy.17 >> -rw-r--r-- 1 root root 7409751 May 11 10:03 policy.17.rpmnew >> drwx------ 3 root root 4096 May 11 10:03 src >> [root@hoho2 selinux]# >> >> policy.17 seems to have changed as expected >> >> Step 4 - run restorecon >> >> [root@hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser >> /sbin/restorecon set context >>/usr/bin/seuser->system_u:object_r:seuser_exec_t >> >> [root@hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf >> /sbin/restorecon set context >> /usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t >> [root@hoho2 policy]# >> >> Step 5 - test >> >> [root@hoho2 policy]# which seuser >> /usr/bin/seuser >> >> [root@hoho2 policy]# date >> Mon May 24 20:26:29 CDT 2004 >> >> [root@hoho2 policy]# seuser show users >> Could not open policy.conf file >> [root@hoho2 policy]# seuser show >> Could not open policy.conf file >> >> Step 6 - extra information ?
>> >> [root@hoho2 policy]# >> [root@hoho2 policy]# ls -l /usr/bin/seuser >> -rwxr-xr-x 1 root root 106960 Apr 19 19:50 /usr/bin/seuser >> [root@hoho2 policy]# >> >> >> On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote: >> >>>>-----Original Message----- >>>>From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list- >>>>bounces@xxxxxxxxxx] On Behalf Of Bob Gustafson >>>>Sent: Monday, May 24, 2004 2:33 PM >>>>To: t.pitt@xxxxxxxxxxxxxxxx; Fedora SELinux support list for users & >>>>developers. >>>>Subject: Re: New user >>>> >>>>Some added information >>>> >>>> [root@hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf >>>>-rw-r--r--+ root root >>>> system_u:object_r:policy_src_t >>>>/etc/security/selinux/src/policy/policy.conf >>>> >>>> [root@hoho2 user1]# cat /proc/version >>>> Linux version 2.6.6-1.377smp (bhcompile@xxxxxxxxxxxxxxxxxxxxxxx) (gcc >>>>version 3.3.3 20040412 (Red Hat >>>> Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004 >>>> >>>> [root@hoho2 user1]# which seuser >>>> /usr/bin/seuser >>>> >>>> [root@hoho2 user1]# ls -lZ /usr/bin/seuser -rwxr-xr-x+ root root >>>>system_u:object_r:bin_t >>>> /usr/bin/seuser >>>> [root@hoho2 user1]# >>>> >>> >>>This is part of the problem - seuser runs in its own domain, so the binary >>>needs to be labeled seuser_exec_t (your ls -lZ shows it is currently bin_t). Unfortunately it looks like seuser is >>>quite broken on FC2. You can fix it by: >>> >>>1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to >>>etc/security/selinux/src/policy/domains/program/seuser.te. >>> >>>2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc >>>changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf". >>> >>>3) remake and reload the policy. >>> >>>4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf >>> >>>This should make seuser behave properly.
I'm not certain what is going on >>>with the outdated fc file - we currently generate that file in our >>>distribution of setools, but had accidentally included an outdated >>>version with the source. Probably someone just copied that old file >>>(understandably). Hopefully we can get some of these fixes pushed out as an >>>update - is the appropriate process to enter a bugzilla case with a patch? >>> >>>Karl >>> >>>Karl MacMillan >>>Tresys Technology >>>http://www.tresys.com >>>(410)290-1411 ext 134 >>> >>> >>>>------- previously sent a minute or so ago -- >>>> >>>>You are further along .. >>>> >>>>I get >>>> >>>> [root@hoho2 user1]# date >>>> Mon May 24 13:16:52 CDT 2004 >>>> [root@hoho2 user1]# seuser show users >>>> Could not open policy.conf file >>>> [root@hoho2 user1]# >>>> >>>>I have FC2 installed clean with all updates (incl development) to this >>>>moment (except for ppp - which is having a problem independent of >>>>selinux). >>>> >>>>Booting with kernel boot parameters 'selinux=1 enforcing=0' (not enforce=0..) >>>>The boot was done just after a run of '/sbin/fixfiles relabel' at init >>>>level 1. >>>> >>>>BobG >>>> >>>> >>>>On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote: >>>> >>>>>Hi there, >>>>> I hope you can help. I've just installed 'Fedora Core 2', with >>>> >>>>SELinux >>>> >>>>>enabled. >>>>>Using 'seuser' I created a new 'defined' SELinux user, with user_r role >>>>>only. I also created the user's /home/* directory under the same process. >>>>>I'm using the 'gnome' window manager interface. >>>>>Now when I try to log on with this new user, I get all sorts of errors to >>>>>do with the user's environment, eventually allowing me a blank interface, >>>>>with 'right-click' functionality only. >>>>>Any ideas? >>>>>Tony.
>>>>> >>>>>---------------------------------------------------------------------- >>>>>A D Pitt Ph:+44(0)1684 895757 >>>>>Rm B006 Woodward Building Fax:+44(0)1684 896660 >>>>>QinetiQ >>> >>>email:t.pitt@xxxxxxxxxxxxxxxx >>> >>>>>Malvern Technology Centre, >>>>>St Andrews Road >>>>>Malvern >>>>>Worcs. >>>>>WR14 3PS >>>>> >>>>>URL:http://www.qinetiq.com/home_enterprise_security.html >>>>>-- >>>>>fedora-selinux-list mailing list >>>>>fedora-selinux-list@xxxxxxxxxx >>>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>>-- >>>>fedora-selinux-list mailing list >>>>fedora-selinux-list@xxxxxxxxxx >>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>>-- >>>fedora-selinux-list mailing list >>>fedora-selinux-list@xxxxxxxxxx >>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list@xxxxxxxxxx >> http://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >I found one more step to be done. You need to edit >/usr/share/setools/seuser.conf and change the line for policy.conf to >/etc/security/selinux/src/policy/policy.conf > >i.e. adding the /policy/ after src >HTH >Richard Hally > >-- >fedora-selinux-list mailing list >fedora-selinux-list@xxxxxxxxxx >http://www.redhat.com/mailman/listinfo/fedora-selinux-list OK, cool - that did it. (wasn't this an old bug?) [root@hoho2 setools]# vim seuser.conf [root@hoho2 setools]# date Tue May 25 00:58:56 CDT 2004 [root@hoho2 setools]# seuser show users system_u: system_r user_u: user_r sysadm_r system_r root: staff_r sysadm_r system_r cyrus: cyrus_r mailman: mailman_r [root@hoho2 setools]#