Re: Base module, modules.conf

On Fri, Jan 16, 2009 at 2:03 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2009-01-16 at 12:43 -0500, Cheyenne Solo wrote:
> > Hello list,
> >
> > This is my first time writing to the list, and I'm an SELinux newbie.
> >
> > I'm trying to do some experiments on SELinux that require me to
> > replace the base module.
>
> Can you explain why?  Often it turns out that people can in fact do what
> they want without replacing the base module these days (particularly
> given the merge of strict and targeted policies), so it would be good to
> first double check that you truly need to do this.

You're quite right; after more fiddling and thinking I've found I can do what I want (and it's better to do so anyway) with the base policy intact. I've started using Fedora 7 so I can use the strict policy and its user mapping capabilities for my (A)RBAC experimentation. While I would still like to be able to modify the base policy, I can do without.

I have hit a different roadblock, however, dealing with custom user mappings: I cannot get users I've created to map to SELinux users I've defined. I've declared the users and their roles and types in a module that I have installed into the policy. When I added mappings to /etc/selinux/strict/seusers, either by hand or with semanage, the user ends up with the context system_u:system_r:xdm_t:SystemHigh-SystemLow. I have files in the /etc/selinux/strict/contexts/users/ directory for each user and have put the types and roles appropriately in the default_type file.

How does the login process really determine these mappings, and why would all of my custom mappings be redirected to system_u:system_r:xdm_t? I am quite puzzled.

Thanks,
Ayla
