On 10/15/2010 04:58 PM, Radha Venkatesh (radvenka) wrote:
> Dan,
>
> I have created SELinux users which can take on roles of system_r and
> sysadm_r and tied them to the Linux users created (though they are
> nologin). This is needed so that these Linux users can execute
> applications in our product taking on system_r or sysadm_r roles.
>
> Thanks,
> Radha.

Right but how do they get logged on to the machine?

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: Friday, October 15, 2010 12:53 PM
> To: Radha Venkatesh (radvenka)
> Cc: fedora-selinux-list@xxxxxxxxxx
> Subject: Re: Addition of selinux users causes "Multiple same
> specifications" warnings during startup
>
> On 10/15/2010 03:27 PM, Radha Venkatesh (radvenka) wrote:
>
>> Dan,
>>
>> These users do not login to the system and their shells are already
>> set to /sbin/nologin.
>>
>> Thanks,
>> Radha.
>
> Then why are you assigning user context to the accounts? genhomedircon
> must have a bug in that it is ignoring the shell if the user has an
> assigned seusers label.
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>> Sent: Friday, October 15, 2010 12:18 PM
>> To: Radha Venkatesh (radvenka)
>> Cc: fedora-selinux-list@xxxxxxxxxx
>> Subject: Re: Addition of selinux users causes "Multiple same
>> specifications" warnings during startup
>>
>> On 10/15/2010 03:11 PM, Radha Venkatesh (radvenka) wrote:
>>
>>> Yes, for security reasons, /dev/null is being used as the homedir for
>>> users in our product.
>>>
>>> Thanks,
>>> Radha.
>>>
>>> -----Original Message-----
>>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>>> Sent: Friday, October 15, 2010 12:02 PM
>>> To: Radha Venkatesh (radvenka)
>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>> Subject: Re: Addition of selinux users causes "Multiple same
>>> specifications" warnings during startup
>>>
>>> On 10/15/2010 02:33 PM, Radha Venkatesh (radvenka) wrote:
>>>> I have created SELinux users using "semanage user" and tied the
>>>> SELinux users to Linux users using "semanage login". I find that on
>>>> startup, there are several warnings thrown for "Multiple same
>>>> specifications".
>>>> Below is an example
>>>>
>>>> /etc/selinux/strict/contexts/files/file_contexts: Multiple same
>>>> specifications for /dev/null/\.screenrc
>>>>
>>>> I then checked and found that file_contexts has
>>>>
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>>>
>>>> Looks like there is an entry for every Linux user I tied to the
>>>> SELinux user.
>>>>
>>>> I am using
>>>>
>>>> libselinux-1.33.4-5.5.el5
>>>> libsemanage-1.9.1-4.4.el5
>>>> policycoreutils-1.33.12-14.8.el5
>>>> libsepol-1.15.2-3.el5
>>>>
>>>> and do not have an option to move to later releases.
>>>>
>>>> Is there a way for me to get rid of these warnings or suppress them,
>>>> without changing the source code provided by RedHat?
>>>>
>>>> Thanks,
>>>> Radha.
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> This looks like /dev/null is defined as a homedir?
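
A check for the duplication reported in this thread, as an added example that is not part of the original messages or of the SELinux tools: it groups the entries of a file_contexts.homedirs-style file by pattern and file type and lists which contexts repeat. It assumes the usual layout of pattern, optional file type, context; the sample input is constructed from the entries quoted above plus one made-up /home line, and the function names are hypothetical.

```python
import sys
from collections import defaultdict

# Constructed sample: the /dev/null entries mirror those quoted in the thread
# (without the grep filename prefix); the /home line is made up for contrast.
SAMPLE = r"""# constructed sample input
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
/home/[^/]*/\.screenrc -- user_u:object_r:user_screen_ro_home_t:s0
"""


def parse_specs(text):
    """Yield (line number, pattern, file type, context) per specification."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) == 2:  # file type column omitted
            regex, ftype, ctx = fields[0], "", fields[1]
        elif len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {n}: expected 2 or 3 fields: {line!r}")
        yield n, regex, ftype, ctx


def find_duplicates(text):
    """Map each (pattern, file type) seen more than once to {context: [lines]}.

    Simplification: entries collide only when pattern and file type are
    textually identical.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for n, regex, ftype, ctx in parse_specs(text):
        seen[(regex, ftype)][ctx].append(n)
    return {key: dict(ctxs) for key, ctxs in seen.items()
            if sum(len(lines) for lines in ctxs.values()) > 1}


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (regex, ftype), ctxs in find_duplicates(text).items():
        print(f"{regex} {ftype or '(no type)'}")
        for ctx, lines in ctxs.items():
            print(f"  {ctx}: lines {lines}")
```

A context listed with more than one line number is an exact repeat of the same specification; several contexts under one pattern show that different SELinux users were mapped onto the same home directory path.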