On Sun, 2008-06-15 at 22:06 +0530, prakash hallalli wrote:
> Hi...
>
> Now I am trying to configure RBAC using the MLS (Multilevel Security)
> policy for Fedora 8, because I have read Dan Walsh's journal, where he said
> the MLS policy is more useful for RBAC.

Again, to clarify, you don't have to use MLS policy if all you want is roles.
And Fedora 9 is the latest release of Fedora.

> http://danwalsh.livejournal.com/?skip=40
> Using RBAC In FC5/MLS Policy
>
> So I am using the MLS policy for RBAC. Here I have installed the MLS packages
> and changed from the targeted policy to the MLS policy.
> Then I configured the roles for users, but I couldn't set the roles,
> because when I set the roles it displays the following error message.
>
> Steps to reproduce:
>
> 1) Adding the SELinux audit user using the semanage command.
>
> # semanage user -a -R staff_r -R auditadm_r -P staff audit_u
>
> 2) Here I am checking the SELinux users.
>
> [root@turtle2 ~]# semanage user -l
>
>                 Labeling  MLS/       MLS/
> SELinux User    Prefix    MCS Level  MCS Range                       SELinux Roles
>
> audit_u         staff     SystemLow  SystemLow                       staff_r auditadm_r
> root            sysadm    SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
> staff_u         staff     SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
> sysadm_u        sysadm    SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
> system_u        user      SystemLow  SystemLow:SystemLow-SystemHigh  system_r
> user_u          user      SystemLow  SystemLow                       system_r user_r
> [root@turtle2 ~]#
>
> 3) Now I am mapping the Linux user to the SELinux user; when I set the
> SELinux user it throws the following error message.
>
> [root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
> libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
> libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
> libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
> /usr/sbin/semanage: Could not add login mapping for prakash
> [root@turtle2 ~]#

You typed "audit" rather than "audit_u" above. Looks like a typo in the blog.

> 4) I am using root with sysadm_r; the information is as follows:
>
> [root@turtle2 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
> [root@turtle2 ~]#
>
> 5) This is the audit log message I am getting using the ausearch command.
>
> [root@turtle2 ~]# ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> I don't know why it's throwing this error. I have searched on Google,
> but I couldn't find anything.
>
> Please help me with what I should do.
>
> Thanks,
> Prakash
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
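The failure in step 3 is the kind of thing worth catching before libsemanage does: the name passed to `semanage login -s` must be an SELinux user that `semanage user -l` actually lists. The script below is an added example, not part of the thread; it parses a copy of the table quoted above (constructed inline from the post, headers dropped) and checks a proposed `semanage login -a -s SEUSER LOGIN` against it, suggesting the closest existing name when the lookup fails. The helper names are my own.

```python
"""Check the -s argument of `semanage login -a` against `semanage user -l` output."""
import difflib

# Constructed from the `semanage user -l` rows quoted in the thread.
# Columns: SELinux user, labeling prefix, MLS level, MLS range, roles...
SEMANAGE_USER_L = """\
audit_u  staff   SystemLow  SystemLow                       staff_r auditadm_r
root     sysadm  SystemLow  SystemLow:SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u  staff   SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u sysadm  SystemLow  SystemLow:SystemLow-SystemHigh  sysadm_r
system_u user    SystemLow  SystemLow:SystemLow-SystemHigh  system_r
user_u   user    SystemLow  SystemLow                       system_r user_r
"""


def parse_semanage_users(text):
    """Map SELinux user name -> {prefix, level, range, roles} from `semanage user -l` rows."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank line or header fragment
        name, prefix, level, mls_range, *roles = fields
        users[name] = {"prefix": prefix, "level": level,
                       "range": mls_range, "roles": roles}
    return users


def check_login_mapping(users, seuser, login):
    """Return (ok, message) for a proposed `semanage login -a -s SEUSER LOGIN`.

    Mirrors the first complaint libsemanage's validate_handler raised in the
    thread: the SELinux user named with -s must exist. Also echoes the user's
    roles and range so the admin can eyeball them before committing the mapping.
    """
    if seuser in users:
        u = users[seuser]
        return True, (f"{login} -> {seuser} (roles: {' '.join(u['roles'])}, "
                      f"range: {u['range']})")
    hint = difflib.get_close_matches(seuser, users, n=1)  # e.g. audit -> audit_u
    msg = f"selinux user {seuser} does not exist"
    if hint:
        msg += f"; did you mean {hint[0]}?"
    return False, msg


if __name__ == "__main__":
    table = parse_semanage_users(SEMANAGE_USER_L)
    for seuser in ("audit", "audit_u"):
        ok, msg = check_login_mapping(table, seuser, "prakash")
        print("OK " if ok else "ERR", msg)
```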