I have to configure Role-based access control (RBAC) for the smbldap user.
How should I set the roles for users, and which policy should I use?
Now I am using the MLS policy to configure the RBAC.
I am not sure this is the correct way to configure RBAC on CentOS 5.1.
Please help me with what I am doing wrong.
Thanks,
Prakash,
On Wed, Jun 11, 2008 at 8:38 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote:
> HI ALL
> I have configured SELinux on CentOS 5.1. I have configured the RBAC
> using the MLS (Multilevel Security) policy in enforcing mode. I am
> trying to restart the system services and they are not restarting and
> it is throwing some error message.
>
> Steps to reproduce:
>
> 1) MLS Policy configuration.
>
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the
> machine.

As others noted, this should have been touch /.autorelabel, not
touch ./autorelabel on root's home directory. But I don't think that is
relevant any more - you already manually relabeled.

> 4. While machine is rebooting, change the GRUB parameter.
> enforcing=0
>
> 2) Now system is in permissive mode and SELinux status is as follows.
>
> [root@turtle11 ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: mls
>
> 3) Restart the system services and they restart successfully.
>
> [root@turtle11 ~]# service nfs restart
> Shutting down NFS mountd: [ OK ]
> Shutting down NFS daemon: [ OK ]
> Shutting down NFS quotas: [ OK ]
> Shutting down NFS services: [ OK ]
> Starting NFS services: [ OK ]
> Starting NFS quotas: [ OK ]
> Starting NFS daemon: [ OK ]
> Starting NFS mountd: [ OK ]
>
> 3) Now I am setting enforcing mode using the setenforce command.
>
> [root@turtle11 ~]# setenforce 1
> [root@turtle11 ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: mls
>
> 4) a) Now system is in enforcing mode and I am trying to restart the
> system service. The restart results in an error message.
>
> [root@turtle11 ~]# service nfs restart
> nfs: unrecognized service
>
> [root@turtle11 ~]# run_init /etc/init.d/nfs restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.
> [root@turtle11 ~]#
>
> [root@turtle11 ~]# run_init /etc/init.d/ldap restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.

This implies that the existing policy isn't allowing these domains to do
what they need to perform the authentication. Elsewhere you said you
are using ldap, so they may need additional permissions for the network
lookup.

> 5) I am using sysadm_r
>
> [root@turtle11 ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root@turtle11 ~]#
>
> 6) This is what I am getting in the /sbin/ausearch log messages.
>
> [root@turtle11 ~]# /sbin/ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
> syscall=recvfrom success=no exit=-13(Permission denied) a0=5
> a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd
> subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied
> { read } for pid=3103 comm=dhcpd lport=1
> scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket

On this one, as I said, dhcpd shouldn't be running in sysadm_t.
How did you start it?

--
Stephen Smalley
National Security Agency
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
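Stephen's two points above, that the denials show which permissions a domain is missing and that a daemon should never be found running in sysadm_t, can both be checked from the same `ausearch -i -m AVC` output. The following is an added example, not part of the thread or of any SELinux tool: a small Python parser run over a constructed sample in the format quoted above (the dhcpd record mirrors the one in the thread; the run_init records against ldap_port_t are assumed, illustrative network-lookup denials, not taken from the original log).

```python
import re
from collections import Counter

# Constructed sample in the layout of `ausearch -i -m AVC` as quoted in the thread.
# Record 1 mirrors the dhcpd denial; records 2-3 are assumed, not from the log.
SAMPLE_AVC = """\
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(06/11/2008 20:05:02.101:130402) : avc: denied { name_connect } for pid=3210 comm=run_init scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(06/11/2008 20:05:02.103:130403) : avc: denied { name_connect } for pid=3210 comm=run_init scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Under the MLS/strict policy no daemon should run in an admin domain; a denial
# from one of these means the service was started from the shell, not via run_init.
ADMIN_DOMAINS = {"sysadm_t", "unconfined_t"}

def domain_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse AVC denial records; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = dict(FIELD_RE.findall(m.group("rest")))
        records.append({
            "perms": m.group("perms").split(),
            "comm": f.get("comm", "?"),
            "sdomain": domain_of(f["scontext"]),
            "ttype": domain_of(f["tcontext"]),
            "tclass": f["tclass"],
        })
    return records

def processes_in_admin_domains(records):
    """Names of processes that were denied while running in sysadm_t/unconfined_t."""
    return sorted({r["comm"] for r in records if r["sdomain"] in ADMIN_DOMAINS})

def summarize_denials(records):
    """Count denials by (source domain, target type, class, perm), as audit2allow groups them."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["sdomain"], r["ttype"], r["tclass"], perm)] += 1
    return counts
```

A process reported by `processes_in_admin_domains` is fixed by restarting it through run_init so it transitions to its own domain, not by allowing the denial; the summary is what you would inspect before deciding whether a domain genuinely needs an extra permission.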