Re: RBAC in RHEL5

On Sun, 2008-03-30 at 09:58 -0700, Takesi satoh wrote:
>> I wonder whether I can use RBAC in RHEL5 or not.
>> Here is my problem.
>>
>> I created a new user and new roles. Let me say john_u:john_r:john_t.
>> After I made a loadable module, loaded it, and added some entries to
>> default_contexts and default_type,
>> john_u:john_r:john_t was assigned to the Linux user "john" when john
>> logged in from GNOME.
>>
>> Next, since I wanted to try the case of "john logs in from the console",
>> I added the new entry "system_r:local_login_t john_r:john_t
>> system_r:unconfined_t" to default_contexts,
>> and when john logs in from the console (tty), system_r:unconfined_t was
>> assigned to john.
>>
>> I thought the reason why it happened was the policy below,
>> "type_transition local_login_t shell_exec_t:process transition",
>> so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
>> above type_transition statement with "allow local_login_t
>> userdomain:process transition;" in local_login.te, and rebuilt the rpm.
>>
>> Then john logged in from the console again, and john was assigned to
>> "local_login_t".
>> No domain transition happened here.
>> I wondered "What if I use the strict policy?", so I tried the strict policy.
>> But the result is the same; john was assigned to local_login_t.
>
>How did you create your user role? Did you just declare the types and
>roles, or did you use the policy templates?

I declared just types, roles, and some attributes such as process_user_target and process_uncond_exempt
to satisfy the constraints.
Anyway, I updated the pam and pam-devel rpms, and now I can assign the new role to a Linux user!
Thank you for your reply.



>--
>Chris PeBenito
>Tresys Technology, LLC
>(410) 290-1411 x150
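To make the default_contexts step of the thread concrete, here is an added example (not code from the thread or from libselinux) that models how a login program picks the user's context from the poster's "system_r:local_login_t john_r:john_t system_r:unconfined_t" entry. The lookup rule is a simplified model of libselinux's get_ordered_context_list(); the default_contexts fragment and the user-to-role table are constructed.

```python
"""Simplified model of how pam_selinux / login picks a user's context from
/etc/selinux/<policy>/contexts/default_contexts.

Added example. Rule (simplified from libselinux get_ordered_context_list):
take the line whose left-hand role:type equals the login program's context,
then return the first right-hand candidate whose role the SELinux user is
authorized for. Real libselinux also reads ~/.default_contexts and asks the
kernel to validate each candidate; both are omitted here.
"""
from typing import Dict, List, Optional, Tuple

# Constructed default_contexts fragment, modelled on the poster's console entry.
DEFAULT_CONTEXTS = """\
# login context          candidate user contexts, in order of preference
system_r:local_login_t   john_r:john_t system_r:unconfined_t
system_r:xdm_t           john_r:john_t system_r:unconfined_t
"""

# Constructed role authorizations: which roles each SELinux user may enter.
USER_ROLES: Dict[str, List[str]] = {
    "john_u": ["john_r"],
    "unconfined_u": ["system_r", "unconfined_r"],
}


def parse_default_contexts(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(login_partial_context, [candidate_partial_contexts]), ...]."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        login_ctx, *candidates = line.split()
        table.append((login_ctx, candidates))
    return table


def select_context(seuser: str, login_ctx: str,
                   table: List[Tuple[str, List[str]]]) -> Optional[str]:
    """Full user:role:type for seuser logging in through login_ctx, or None."""
    authorized = set(USER_ROLES.get(seuser, []))
    for entry_ctx, candidates in table:
        if entry_ctx != login_ctx:
            continue
        for cand in candidates:
            role, _type = cand.split(":")
            if role in authorized:            # first authorized role wins
                return f"{seuser}:{cand}"
        return None   # line matched, but the user holds none of its roles
    return None       # no default_contexts line for this login program
```

Under this model john_u logging in through local_login_t gets john_u:john_r:john_t, which is what the poster expected; landing in unconfined_t with that table in place points at the login-side code rather than the table, consistent with the pam update that resolved it.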



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.