On Wed, 2009-02-04 at 15:52 -0500, Cheyenne Solo wrote:
> On Fri, Jan 16, 2009 at 2:03 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Fri, 2009-01-16 at 12:43 -0500, Cheyenne Solo wrote:
> > > Hello list,
> > >
> > > This is my first time writing to the list, and I'm an SELinux newbie.
> > >
> > > I'm trying to do some experiments on SELinux that require me to
> > > replace the base module.
> >
> > Can you explain why? Often it turns out that people can in fact do what
> > they want without replacing the base module these days (particularly
> > given the merge of strict and targeted policies), so it would be good to
> > first double check that you truly need to do this.
>
> You're quite right; after more fiddling and thinking I've found I can
> do what I want (and it's better to do so anyway) with the base policy
> intact. I've started using Fedora 7 so I can use the strict policy and
> its user mapping capabilities for my (A)RBAC experimentation. While I
> would still like to be able to modify the base policy, I can do
> without.

No need to regress to Fedora 7; as I said, the strict and targeted
policies have been merged into a single policy in Fedora 8 and later such
that you can map users to confined roles and even remove unconfined
altogether if you wish (although that requires care and likely isn't
required for your purposes). You really should be using a Fedora release
that is still supported, like Fedora 10.

> I have hit a different roadblock, however, dealing with custom user
> mappings: I cannot get users I've created to map to SELinux users I've
> defined. I've declared the users and their roles and types in a module
> that I have installed into the policy. When I added mappings
> to /etc/selinux/strict/seusers, either by hand or with semanage, the
> user ends up with the context
> system_u:system_r:xdm_t:SystemHigh-SystemLow. I have files in
> the /etc/selinux/strict/contexts/users/ directory for each user and
> have put the types and roles appropriately in the default_type file.
>
> How does the login process really determine these mappings, and why
> would all of my custom mappings be redirected to
> system_u:system_r:xdm_t? I am quite puzzled.

system_u:system_r:xdm_t is the context of the graphical display manager,
so if you are ending up in that context upon a graphical login, that
means that your graphical display manager did not successfully set the
context to anything for the user session. It may have logged some errors
to /var/log/messages or /var/log/secure. It shouldn't have let you log in
at all in enforcing mode.

Did you follow the instructions in:
http://oss.tresys.com/projects/refpolicy/wiki/RoleCreation

The general sequence is:

1) Look up the Linux user in the seusers file, thereby obtaining a
SELinux user and a level. This is handled by the getseuserbyname()
function in libselinux.

2) Get the list of security contexts for that (SELinux user, level) pair
reachable from the caller's context. This is handled by the
get_ordered_context_list_with_level() function in libselinux.
Internally, this asks the kernel for a list of such contexts based on
policy and then orders and prunes the list based on the default_contexts
file.

There are some sample utilities (getseuser, getdefaultcon) in the
libselinux source tree that can be used to directly exercise those
functions for debugging purposes.

It would help for you to post your actual module and config files.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
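The two-step lookup described in the reply above (seusers, then ordering and pruning by default_contexts), modelled in Python as an added example rather than libselinux code. The seusers and default_contexts contents are constructed, and the kernel query that get_ordered_context_list_with_level() performs is replaced by a hand-written REACHABLE table, so the ordering and the "no usable context" failure case can be followed offline.

```python
# Constructed seusers file (login:seuser:level); __default__ is the fallback entry.
SEUSERS = """\
root:root:s0-s0:c0.c1023
alice:auditadm_u:s0
carol:custom_u:s0
__default__:user_u:s0
"""
# Constructed default_contexts file: first field is the caller's role:type,
# the rest are the preferred user role:type pairs in priority order.
DEFAULT_CONTEXTS = """\
system_r:xdm_t  user_r:user_t staff_r:staff_t auditadm_r:auditadm_t
system_r:sshd_t staff_r:staff_t user_r:user_t
"""
# Constructed stand-in for the kernel query: contexts policy allows per
# (SELinux user, level). custom_u is declared but reaches no role/type.
REACHABLE = {
    ("auditadm_u", "s0"): ["auditadm_u:auditadm_r:auditadm_t:s0",
                           "auditadm_u:staff_r:staff_t:s0"],
    ("user_u", "s0"): ["user_u:user_r:user_t:s0"],
    ("custom_u", "s0"): [],
}

def lookup_seuser(name, seusers=SEUSERS):
    """Step 1: login -> (seuser, level); exact entry, else __default__, else None."""
    table = {}
    for line in seusers.splitlines():
        if line.strip() and not line.startswith("#"):
            login, seuser, level = line.strip().split(":", 2)
            table[login] = (seuser, level)
    return table.get(name) or table.get("__default__")

def order_contexts(fromcon, reachable, default_contexts=DEFAULT_CONTEXTS):
    """Step 2: order and prune 'reachable' by the default_contexts lines whose
    first field matches the caller's role:type; contexts not named on a matching
    line are dropped, and with no matching line the list is returned unchanged."""
    from_rt = ":".join(fromcon.split(":")[1:3])
    ordered = []
    for fields in (ln.split() for ln in default_contexts.splitlines()):
        if fields and fields[0] == from_rt:
            for pref in fields[1:]:
                ordered += [c for c in reachable
                            if ":".join(c.split(":")[1:3]) == pref and c not in ordered]
    return ordered or list(reachable)

def login_context(name, fromcon):
    """Both steps: the session's default context, or None when the login maps
    to nothing usable (the case getseuser/getdefaultcon help to debug)."""
    mapping = lookup_seuser(name)
    ordered = order_contexts(fromcon, REACHABLE.get(mapping, [])) if mapping else []
    return ordered[0] if ordered else None
```

With the constructed data, alice logging in through xdm gets staff_r:staff_t because that pair precedes auditadm_r:auditadm_t on the xdm_t line, while carol gets no context at all, which is the situation that leaves a session stuck in the display manager's own context.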