Hi...
Now I am trying to configure RBAC using the MLS (Multilevel Security) policy on Fedora 8,
because I have read Dan Walsh's journal, where he says the MLS policy is more useful for RBAC:
http://danwalsh.livejournal.com/?skip=40
Using RBAC In FC5/MLS Policy
So I am using the MLS policy for RBAC. I have installed the MLS packages and switched from the targeted policy to the mls policy.
Then I configured the roles for the users, but I couldn't set the roles, because when I set them it displays an error message.
Steps to reproduce:
1) Add the SELinux audit user using the semanage command.
# semanage user -a -R staff_r -R auditadm_r -P staff audit_u
2) Check the SELinux users.
[root@turtle2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

audit_u         staff      SystemLow  SystemLow                       staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh  system_r
user_u          user       SystemLow  SystemLow                       system_r user_r
[root@turtle2 ~]#
3) Now I map the Linux user to the SELinux user; when I set the SELinux user it throws the following error message.
[root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
/usr/sbin/semanage: Could not add login mapping for prakash
[root@turtle2 ~]#
4) I am running as root in sysadm_r; my id information is as follows:
[root@turtle2 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
[root@turtle2 ~]#
5) These are the audit log messages I get using the ausearch command.
[root@turtle2 ~]# ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
I don't know why it is throwing this error. I have searched on Google but couldn't find anything.
Please help me; what should I do?
Thanks,
Prakash
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
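As an added example, not part of the post above and not code from the semanage tool itself: a small Python script that parses a `semanage user -l` listing (the one from the post, embedded here as constructed sample input) and pre-checks a proposed `semanage login -a -s USER -r RANGE LOGIN` mapping with the two checks libsemanage's seusers validation performs as far as I know it: the named SELinux user must exist, and the login's MLS range must fit inside that user's range. Run against the post's values it reports that `audit` is not a defined SELinux user (the listing defines `audit_u`), and that even `audit_u` is defined with range `SystemLow` only, so a `SystemLow-SystemHigh` login range would fall outside it. The mapping of the translated names SystemLow/SystemHigh to s0/s15 is an assumption (the default mcstrans names); the `parse_range` tolerance for the `SystemLow:SystemLow-SystemHigh` form is there only because that is how the listing in the post came through.

```python
"""Pre-check a `semanage login -a -s SEUSER -r RANGE LOGIN` mapping against
the output of `semanage user -l`.  Added example; not from the post or semanage."""
import re

# Constructed sample input: the `semanage user -l` listing from the post above.
SEMANAGE_USER_LISTING = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

audit_u         staff      SystemLow  SystemLow                       staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh  system_r
user_u          user       SystemLow  SystemLow                       system_r user_r
"""

# Assumption: default mcstrans translations, SystemLow = s0, SystemHigh = s15:c0.c1023.
LEVEL_NAMES = {"SystemLow": 0, "SystemHigh": 15}
LEVEL_TOKEN = re.compile(r"SystemLow|SystemHigh|s\d+")


def sensitivity(token):
    """Map 'SystemLow', 'SystemHigh' or a raw 'sN' token to its sensitivity number."""
    if token in LEVEL_NAMES:
        return LEVEL_NAMES[token]
    return int(token[1:])


def parse_range(text):
    """Return (low, high) sensitivities for a level ('s0') or range ('s0-s15:c0.c1023').

    Categories are ignored; only sensitivities are compared.  The first and last
    level tokens are used, which also copes with the 'SystemLow:SystemLow-SystemHigh'
    form seen in the listing."""
    tokens = LEVEL_TOKEN.findall(text)
    if not tokens:
        raise ValueError(f"no MLS level found in {text!r}")
    return sensitivity(tokens[0]), sensitivity(tokens[-1])


def parse_user_listing(listing):
    """Parse `semanage user -l` output into {seuser: ((low, high), set(roles))}."""
    users = {}
    for line in listing.splitlines():
        fields = line.split()
        # Data rows have: name prefix level range role [role ...]; headers do not.
        if len(fields) < 5 or not fields[4].endswith("_r"):
            continue
        name, _prefix, _level, rng, *roles = fields
        users[name] = (parse_range(rng), set(roles))
    return users


def check_login_mapping(users, seuser, mls_range):
    """Return the reasons a login -> (seuser, mls_range) mapping would be rejected.

    Mirrors the checks libsemanage applies to seusers (as I understand them):
    the SELinux user must exist and the login range must lie within its range."""
    problems = []
    if seuser not in users:
        similar = sorted(u for u in users if u.startswith(seuser))
        hint = f" (did you mean {', '.join(similar)}?)" if similar else ""
        problems.append(f"SELinux user {seuser!r} does not exist{hint}")
        return problems
    (user_low, user_high), _roles = users[seuser]
    low, high = parse_range(mls_range)
    if low < user_low or high > user_high:
        problems.append(
            f"range {mls_range} for {seuser} exceeds its allowed range s{user_low}-s{user_high}"
        )
    return problems


if __name__ == "__main__":
    users = parse_user_listing(SEMANAGE_USER_LISTING)
    # The command from the post, then the same command with the user's real name.
    for seuser, rng in (("audit", "SystemLow-SystemHigh"),
                        ("audit_u", "SystemLow-SystemHigh"),
                        ("audit_u", "SystemLow")):
        print(f"semanage login -a -s {seuser} -r {rng} prakash ->",
              check_login_mapping(users, seuser, rng) or "ok")
```

The script only compares sensitivities; a real policy check also compares categories, so treat a clean result as "worth trying", not as proof the mapping will be accepted.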