On Sat, 2009-07-25 at 12:41 -0700, Larry Ross wrote:
> I am trying to create a custom selinux user for the strict policy on
> RHEL5.3
> I want logins that are mapped to this user to be able to login via
> gdm, but when they do I get an error "Error! Unable to set executable
> context."
>
> What does this error message mean?
>
> I am able to login via gdm with logins that are mapped to user_u. I
> have run the AVCs generated when I login in permissive mode (which
> succeeds) through audit2allow and gotten to the point where it doesn't
> seem that I am getting any killer AVCs. What am I missing that is
> needed for a custom user to use X-Windows? Is there some place I can
> look to determine what is causing the error?
>
> Thank you,
> Larry
>
> /var/log/messages:
> Jul 25 11:51:21 newhost gdm[4673]: SELinux gdm login: unable to
> obtain default security context for appuser.
>
>
> /var/log/audit/audit.log:
> type=USER_AUTH msg=audit(1248550033.507:1432): user pid=3003 uid=0
> auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> authentication acct="?" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=failed)'
> type=USER_LOGIN msg=audit(1248550033.507:1433): user pid=3003 uid=0
> auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
> msg='acct=dbapp: exe="/usr/sbin/gdm-binary" (hostname=newhost,
> addr=127.0.0.1, terminal=:0 res=failed)'
> type=USER_AUTH msg=audit(1248550043.787:1434): user pid=3003 uid=0
> auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> authentication acct="appuser" :
> exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0
> res=success)'
> type=USER_ACCT msg=audit(1248550043.789:1435): user pid=3003 uid=0
> auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> accounting acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
> type=CRED_ACQ msg=audit(1248550043.790:1436): user pid=3003 uid=0
> auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> setcred acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
> type=LOGIN msg=audit(1248550043.796:1437): login pid=3003 uid=0 old
> auid=14022 new auid=14020 old ses=35 new ses=36
> type=USER_START msg=audit(1248550043.804:1438): user pid=3003 uid=0
> auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> session open acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
> type=USER_LOGIN msg=audit(1248550043.804:1439): user pid=3003 uid=0
> auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=14020:
> exe="/usr/sbin/gdm-binary" (hostname=newhost, addr=127.0.0.1,
> terminal=:0 res=success)'
> type=USER_END msg=audit(1248550092.461:1440): user pid=3003 uid=0
> auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> session close acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
> type=CRED_DISP msg=audit(1248550092.461:1441): user pid=3003 uid=0
> auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> setcred acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
>

Probably means you have no default contexts defined for "appuser".

Can you show us the output of 'semanage user -l | grep appuser'?

If this user is based off of user_u you could simply:

    cp /etc/selinux/contexts/users/user_u /etc/selinux/contexts/users/appuser

but it depends on how your appuser selinux-user is configured (what's
his default domain).
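
The check the reply points at, as an added example that is not part of the original message: it looks for a default-context entry for the login program's domain (xdm_t, the subj type in the audit records above) in a user's contexts file. The function name default_ctx_for, the contexts-directory argument and the sample tree are assumptions constructed for illustration; this is a simplified model of the lookup and does not verify that the policy authorizes the listed contexts for the user.

```shell
#!/bin/sh
# usage: default_ctx_for CONTEXTS_DIR SEUSER LOGIN_TYPE
# Prints the candidate contexts listed for LOGIN_TYPE and returns:
#   0  entry found in CONTEXTS_DIR/users/SEUSER
#   1  no per-user entry, but CONTEXTS_DIR/default_contexts has one
#   2  no entry in either file
default_ctx_for() {
    dir=$1; seuser=$2; ltype=$3
    for f in "$dir/users/$seuser" "$dir/default_contexts"; do
        [ -r "$f" ] || continue
        # Field 1 is role:type[:level] of the calling login program;
        # the remaining fields are candidate contexts in preference order.
        match=$(awk -v t="$ltype" '
            /^[ \t]*(#|$)/ { next }
            { split($1, p, ":") }
            p[2] == t { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$f")
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            case $f in */users/*) return 0 ;; *) return 1 ;; esac
        fi
    done
    return 2
}

# Constructed sample tree (not taken from a real system): user_u has an
# xdm_t entry, the custom user only has one for console logins.
demo=$(mktemp -d) && mkdir "$demo/users"
printf 'system_r:xdm_t:s0\tuser_r:user_t:s0\n' > "$demo/users/user_u"
printf 'system_r:local_login_t:s0\tuser_r:user_t:s0\n' > "$demo/users/appuser"
for u in user_u appuser; do
    if ctx=$(default_ctx_for "$demo" "$u" xdm_t); then
        echo "$u: xdm_t -> $ctx"
    else
        echo "$u: no per-user default context for xdm_t"
    fi
done
rm -rf "$demo"
```

On a real host, pass the contexts directory of the loaded policy as the first argument.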