Steps to login with non-traditional selinux roles


I'm trying to set up a certain user to log in with non-traditional
SELinux roles (such as dbadm_u), but it does not work well.
Am I missing something?


[root@saba ~]# rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch

[root@saba ~]# semanage user -a -R webadm_r webadm_u
[root@saba ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r

[root@saba ~]# semanage login -a -s webadm_u ymj
[root@saba ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
ymj                       webadm_u                  s0

[root@saba ~]# cd /etc/selinux/targeted/contexts/users/
[root@saba users]# cat user_u | sed 's/user_/webadm_/g' > webadm_u
[root@saba users]# cat webadm_u
system_r:local_login_t:s0       webadm_r:webadm_t:s0
system_r:remote_login_t:s0      webadm_r:webadm_t:s0
system_r:sshd_t:s0              webadm_r:webadm_t:s0
system_r:crond_t:s0             webadm_r:webadm_t:s0
system_r:xdm_t:s0               webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0         webadm_r:webadm_t:s0
webadm_r:webadm_sudo_t:s0               webadm_r:webadm_t:s0
system_r:initrc_su_t:s0         webadm_r:webadm_t:s0
webadm_r:webadm_t:s0            webadm_r:webadm_t:s0

[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr  8 09:12:43 2010 from localhost
Connection to localhost closed.

[root@saba users]# setenforce 0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr  8 09:12:56 2010 from localhost
[ymj@saba ~]$ id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023


With "semanage -BD", I could find the following AVC denial audit logs
during the above command execution, but it does not seem to me that these
violations prevent ymj's login directly.

type=AVC msg=audit(1270685681.731:24535): avc:  denied  { rlimitinh } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc:  denied  { siginh } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc:  denied  { noatsecure } for  pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc:  denied  { rlimitinh } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc:  denied  { siginh } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc:  denied  { noatsecure } for  pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc:  denied  { siginh } for  pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc:  denied  { noatsecure } for  pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.925:24545): avc:  denied  { write } for  pid=17259 comm="setroubleshootd" name="rpm" dev=sda3 ino=180226 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1270685681.926:24546): avc:  denied  { write } for  pid=17259 comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file

I guess pam_selinux.so kills the connection due to the lack of something that
needs to be configured in enforcing mode.

Do you have any suggestion?
-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
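As an added example (not part of KaiGai's mail or of the SELinux tools), a small Python checker for the per-user default contexts file format shown above: it parses the "source_context  target_context..." lines, verifies that every target context names a role the SELinux user is actually authorized for in the `semanage user -l` table, and does a simplified first-match lookup of the context a login daemon would be handed. The file content and role table are constructed from the output in the mail; the exact-string matching of the source field is an assumption, not libselinux's real matching logic.

```python
"""Consistency checks for /etc/selinux/<type>/contexts/users/<seuser>.

Added example, not the mailing list's or libselinux's code. A target
context whose role is not in the SELinux user's role set is the kind of
mismatch that ends a session right after authentication without an
obvious AVC, so it is worth checking before testing the login.
"""

# Constructed sample: the webadm_u file the mail built with sed.
WEBADM_U_CONTEXTS = """\
system_r:local_login_t:s0       webadm_r:webadm_t:s0
system_r:remote_login_t:s0      webadm_r:webadm_t:s0
system_r:sshd_t:s0              webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0         webadm_r:webadm_t:s0
webadm_r:webadm_t:s0            webadm_r:webadm_t:s0
"""

# Constructed: roles per SELinux user, as `semanage user -l` lists them.
SEUSER_ROLES = {
    "webadm_u": {"webadm_r"},
    "staff_u": {"staff_r", "sysadm_r", "system_r", "unconfined_r"},
}


def parse_contexts(text):
    """Return [(source_ctx, [target_ctx, ...])] for each non-empty line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def check_contexts(text, seuser, seuser_roles):
    """Return a list of problem strings; an empty list means consistent."""
    allowed = seuser_roles.get(seuser)
    if allowed is None:
        return [f"{seuser}: not a known SELinux user"]
    problems = []
    for source, targets in parse_contexts(text):
        if not targets:
            problems.append(f"{source}: no target contexts")
        for tgt in targets:
            parts = tgt.split(":", 2)  # role:type[:level], no user field
            if len(parts) < 2:
                problems.append(f"{tgt}: malformed context")
            elif parts[0] not in allowed:
                problems.append(f"{tgt}: role {parts[0]} not authorized for {seuser}")
    return problems


def default_context(text, source_ctx):
    """Simplified first-match lookup (assumption: exact source match)."""
    for source, targets in parse_contexts(text):
        if source == source_ctx and targets:
            return targets[0]
    return None
```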
