On 10/18/2010 12:38 PM, Radha Venkatesh (radvenka) wrote:
>
> Dan,
>
> Clarifying my email / question further - The login is as an admin user,
> and su / sudo is done to execute the applications as these users
> mentioned below (nologin users). What action can I take to prevent the
> warnings for multiple specifications?
>
> Thanks,
> Radha.
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: Friday, October 15, 2010 2:13 PM
> To: Radha Venkatesh (radvenka)
> Cc: fedora-selinux-list@xxxxxxxxxx
> Subject: Re: Addition of selinux users causes "Multiple same
> specifications" warnings during startup
>
> On 10/15/2010 04:58 PM, Radha Venkatesh (radvenka) wrote:
>
>> Dan,
>
>> I have created SeLinux users which can take on roles of system_r and
>> sysadm_r and tied them the Linux users created (though they are
>> nologin). This is needed so that these linux users can execute
>> applications in our product taking on system_r or sysadm_r roles.
>
>> Thanks,
>> Radha.
>
> Right but how do they get logged on to the machine?
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>> Sent: Friday, October 15, 2010 12:53 PM
>> To: Radha Venkatesh (radvenka)
>> Cc: fedora-selinux-list@xxxxxxxxxx
>> Subject: Re: Addition of selinux users causes "Multiple same
>> specifications" warnings during startup
>
>> On 10/15/2010 03:27 PM, Radha Venkatesh (radvenka) wrote:
>
>>> Dan,
>
>>> These users do not login to the system and their shells are already
>>> set to /sbin/nologin.
>
>>> Thanks,
>>> Radha.
>
>> Then why are you assigning user context to the accounts.
>> genhomedircon must have a bug in that it is ignoring the shell if the
>> user has an assigned seusers label.
>
>>> -----Original Message-----
>>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>>> Sent: Friday, October 15, 2010 12:18 PM
>>> To: Radha Venkatesh (radvenka)
>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>> Subject: Re: Addition of selinux users causes "Multiple same
>>> specifications" warnings during startup
>
>>> On 10/15/2010 03:11 PM, Radha Venkatesh (radvenka) wrote:
>
>>>> Yes, for security reasons, /dev/null is being used as the homedir for
>>>> users in our product.
>
>>>> Thanks,
>>>> Radha.
>
>>>> -----Original Message-----
>>>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>>>> Sent: Friday, October 15, 2010 12:02 PM
>>>> To: Radha Venkatesh (radvenka)
>>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>>> Subject: Re: Addition of selinux users causes "Multiple same
>>>> specifications" warnings during startup
>
>>>> On 10/15/2010 02:33 PM, Radha Venkatesh (radvenka) wrote:
>>>>> I have created SeLinux users using "semanage user" and tied the
>>>>> SeLinux users to Linux users using "semanage login". I find that on
>>>>> startup, there are several warnings thrown for "Multiple same
>>>>> specifications".
>>>>> Below is an example
>
>>>>> /etc/selinux/strict/contexts/files/file_contexts: Multiple same
>>>>> specifications for /dev/null/\.screenrc
>
>>>>> I then checked and found that file_contexts has
>
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>>>>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>
>>>>> Looks like there is an entry for every Linux user I tied to the
>>>>> SeLinux user.
>
>>>>> I am using
>
>>>>> libselinux-1.33.4-5.5.el5
>>>>> libsemanage-1.9.1-4.4.el5
>>>>> policycoreutils-1.33.12-14.8.el5
>>>>> libsepol-1.15.2-3.el5
>
>>>>> and do not have an option to move to later releases.
>
>>>>> Is there a way for me to get rid of these warnings or suppress them,
>>>>> without changing the source code provided by RedHat?
>
>>>>> Thanks,
>>>>> Radha.
>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>>>> This looks like /dev/null is defined as a homedir?

Yes if a user never logs into a system there is no reason to associate a login record to that account.
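A check for the duplicated entries discussed in this thread, as an added example that is not part of the original messages: it groups file_contexts.homedirs specifications by path regex and file type and reports those that occur more than once, together with the SELinux users involved. The sample input is constructed from the lines quoted above; the .bashrc entry and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in file_contexts.homedirs format, modelled on the entries
# quoted in the thread. The .bashrc line is an assumption, added so the sample
# also contains a specification that is not duplicated.
SAMPLE = r"""
# constructed sample
/dev/null/\.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc  --  specialuser_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.bashrc    --  ccmusergrp_u:object_r:user_home_t:s0
"""

# File-type fields that may appear between the path regex and the context.
FILE_TYPES = {"--", "-d", "-c", "-b", "-p", "-l", "-s"}


def parse_specs(text):
    """Yield (path_regex, file_type, context) for each specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPES:
            yield fields[0], fields[1], fields[2]
        elif len(fields) == 2:
            # No type field: the spec applies to any file type.
            yield fields[0], "", fields[1]
        # Anything else is malformed and skipped.


def find_duplicates(text):
    """Return {(path_regex, file_type): [contexts]} for specs seen more than once."""
    seen = defaultdict(list)
    for path, ftype, ctx in parse_specs(text):
        seen[(path, ftype)].append(ctx)
    return {key: ctxs for key, ctxs in seen.items() if len(ctxs) > 1}


def selinux_users(contexts):
    """Distinct SELinux user fields among the contexts of one duplicated spec."""
    return sorted({ctx.split(":", 1)[0] for ctx in contexts})


if __name__ == "__main__":
    for (path, ftype), ctxs in find_duplicates(SAMPLE).items():
        print(f"{path} {ftype}: {len(ctxs)} entries, users {selinux_users(ctxs)}")
```

Run against the real file by passing its contents to find_duplicates(); more than one SELinux user for the same key means the entries also disagree on the context.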