On 09/15/2009 09:57 AM, Roberto Sassu wrote:
> Hello all
>
> I'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that I need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - wrote my custom policy module (posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system the new SELinux users user1_u and user2_u;
> - added to the system the new Linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t;
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users.
>
> Then I tried to connect locally to the ssh server from root to user1, but
> it rejected the connection with these log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
>
> When putting the system in permissive mode, the connection was successful, but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You probably need to create /etc/selinux/targeted/context/user1 and user2. Base these off of xguest.

I am not crazy about having home content variable between users; I think this is a waste of time. Others disagree.
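The reply points at the per-user default-contexts file. As an added example (not code from either poster), the POSIX sh check below runs over a constructed contexts/users/user1_u file, modelled on the xguest_u layout, and a constructed role list in the shape of the roles column of `semanage user -l`; it flags default contexts whose role the SELinux user does not hold, which the login program would drop when it intersects the file with the contexts reachable for that user, and confirms the file has an entry for the sshd_t login path the thread is about.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that every default
# context in a per-user contexts file names a role the SELinux user holds.
# Both inputs below are constructed stand-ins for the real system data.

# Roles of SELinux user user1_u, as in the last column of `semanage user -l`.
USER1_ROLES="user1_r"

# Constructed contexts/users/user1_u, modelled on the xguest_u layout:
# "<login program context>  <default context offered to the user>".
# The xdm_t line is deliberately wrong (unconfined_r) to show what is flagged.
USER1_CONTEXTS='system_r:local_login_t:s0 user1_r:user1_t:s0
system_r:remote_login_t:s0 user1_r:user1_t:s0
system_r:sshd_t:s0 user1_r:user1_t:s0
system_r:crond_t:s0 user1_r:user1_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
user1_r:user1_t:s0 user1_r:user1_t:s0'

# check_default_contexts ROLES CONTEXTS
# Prints one line per default context whose role is not in ROLES
# (space-separated list) and exits with the number of such lines.
check_default_contexts() {
    printf '%s\n' "$2" | awk -v roles="$1" '
        BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }               # skip blanks and comments
        NF != 2 { print "malformed line: " $0; bad++; next }
        {
            split($2, ctx, ":")                     # default context: role:type:range
            if (!(ctx[1] in ok)) {
                print "role " ctx[1] " not held by user: " $0; bad++
            }
        }
        END { exit bad }'
}

# has_source_context CONTEXTS TYPE
# Succeeds if the file has an entry whose login program domain is TYPE
# (e.g. sshd_t, the path taken by the ssh login in the thread).
has_source_context() {
    printf '%s\n' "$1" | awk -v t="$2" '
        NF == 2 { split($1, src, ":"); if (src[2] == t) found = 1 }
        END { exit !found }'
}

if check_default_contexts "$USER1_ROLES" "$USER1_CONTEXTS"; then
    echo "user1_u: every default context uses a role held by user1_u"
else
    echo "user1_u: fix the lines listed above before testing the login"
fi
has_source_context "$USER1_CONTEXTS" sshd_t && echo "user1_u: has an sshd_t entry"
```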