On Sat, 2009-07-25 at 13:59 -0700, Larry Ross wrote:
> On Sat, Jul 25, 2009 at 1:16 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
> > On Sat, 2009-07-25 at 12:41 -0700, Larry Ross wrote:
> > > I am trying to create a custom selinux user for the strict policy on
> > > RHEL5.3
> > > I want logins that are mapped to this user to be able to login via
> > > gdm, but when they do I get an error "Error! Unable to set executable
> > > context."
> > >
> > > What does this error message mean?
> > >
> > > I am able to login via gdm with logins that are mapped to user_u. I
> > > have run the AVCs generated when I login in permissive mode (which
> > > succeeds) through audit2allow and gotten to the point where it doesn't
> > > seem that I am getting any killer AVCs. What am I missing that is
> > > needed for a custom user to use X-Windows? Is there some place I can
> > > look to determine what is causing the error?
> > >
> > > Thank you,
> > > Larry
> > >
> > > /var/log/messages:
> > > Jul 25 11:51:21 newhost gdm[4673]: SELinux gdm login: unable to obtain default security context for appuser.
> > >
> > > /var/log/audit/audit.log:
> > > type=USER_AUTH msg=audit(1248550033.507:1432): user pid=3003 uid=0 auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
> > > type=USER_LOGIN msg=audit(1248550033.507:1433): user pid=3003 uid=0 auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='acct=dbapp: exe="/usr/sbin/gdm-binary" (hostname=newhost, addr=127.0.0.1, terminal=:0 res=failed)'
> > > type=USER_AUTH msg=audit(1248550043.787:1434): user pid=3003 uid=0 auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> > > type=USER_ACCT msg=audit(1248550043.789:1435): user pid=3003 uid=0 auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> > > type=CRED_ACQ msg=audit(1248550043.790:1436): user pid=3003 uid=0 auid=14022 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> > > type=LOGIN msg=audit(1248550043.796:1437): login pid=3003 uid=0 old auid=14022 new auid=14020 old ses=35 new ses=36
> > > type=USER_START msg=audit(1248550043.804:1438): user pid=3003 uid=0 auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> > > type=USER_LOGIN msg=audit(1248550043.804:1439): user pid=3003 uid=0 auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=14020: exe="/usr/sbin/gdm-binary" (hostname=newhost, addr=127.0.0.1, terminal=:0 res=success)'
> > > type=USER_END msg=audit(1248550092.461:1440): user pid=3003 uid=0 auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> > > type=CRED_DISP msg=audit(1248550092.461:1441): user pid=3003 uid=0 auid=14020 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct="appuser" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
>
> Dominick,
> Thank you for your reply.
>
> > probably means you have no default contexts defined for "appuser"
>
> How do I define a default context for an selinux user?

Well this is how a default contexts file looks for the user_u selinux user in fedora (targeted policy):

[root@notebook2 ~]# cat /etc/selinux/targeted/contexts/users/user_u
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
system_r:initrc_su_t:s0 user_r:user_t:s0
user_r:user_t:s0 user_r:user_t:s0

> > can you show us the output of 'semanage user -l | grep appuser'?
>
> [root@newhost ~]# semanage user -l | grep appuser
>
> returns no results, as I would expect, appuser is a linux login id, not an selinux user.
>
> [root@newhost ~]# semanage login -l | grep appuser
> appuser app_user_u s0

semanage user -l | grep app_user_u

> > If this user is based off of user_u you could simply:
> >
> > cp /etc/selinux/contexts/users/user_u /etc/selinux/contexts/users/appuser
> >
> > but it depends on how your appuser selinux-user is configured (what's his default domain)
>
> The only thing in /etc/selinux/strict/contexts/users/ is "root", there is no file there for user_u.

That's weird, I would expect default contexts to be defined since you stated that your user_u login works. Maybe it is stored in a different location in el5. See if you can locate a file called user_u or any other file that may have similar entries as I pasted above in your /etc/selinux/strict/contexts (and /users).

> --
> Larry
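The lookup the thread is chasing, as an added example that is not part of the thread nor SELinux's own code: login name to SELinux user (the `semanage login -l` mapping), then the per-user contexts file, then the line whose source matches the login program's context (`system_r:xdm_t:s0` for gdm). The sample rows, the `app_user_u` file and its `app_user_r:app_user_t` role/type are constructed and assumed, not taken from Larry's host.

```shell
#!/bin/sh
# Added example: trace the lookup gdm performs for a login's default
# context, entirely on constructed data so it runs offline.
#   login -> SELinux user   ('semanage login -l' style rows)
#   SELinux user -> contexts/users/<seuser> file
#   source context of the login program (system_r:xdm_t:s0) -> first
#   target listed on the matching line of that file.

# seuser_for_login LOGIN LOGINS_FILE: rows are "login seuser range".
seuser_for_login() {
    awk -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# default_context_for CONTEXTS_FILE SOURCE_CONTEXT
# Each line is "source target [target ...]". Prints the first target;
# exit 1 when no line matches, which is what lies behind gdm's
# "unable to obtain default security context" message.
default_context_for() {
    awk -v src="$2" '$1 == src { print $2; found = 1; exit }
                     END { exit !found }' "$1"
}

# --- constructed sample data, not real system files ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/logins" <<'EOF'
__default__ user_u s0
appuser app_user_u s0
EOF
# user_u file with an xdm_t line, as pasted in the thread (abridged).
cat > "$TMP/user_u" <<'EOF'
system_r:local_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
EOF
# Hypothetical app_user_u file (role/type names assumed) that lacks
# the xdm_t line, so a gdm login has nothing to transition to.
cat > "$TMP/app_user_u" <<'EOF'
system_r:local_login_t:s0 app_user_r:app_user_t:s0
system_r:sshd_t:s0 app_user_r:app_user_t:s0
EOF

# check_login LOGIN: prints the gdm target context or a diagnosis.
check_login() {
    seuser=$(seuser_for_login "$1" "$TMP/logins")
    default_context_for "$TMP/$seuser" system_r:xdm_t:s0 \
        || echo "NO DEFAULT CONTEXT for $seuser from system_r:xdm_t:s0"
}
```

On a real host, replace the constructed files with `semanage login -l` output and the files under `/etc/selinux/<policy>/contexts/users/`; a missing file or a missing `system_r:xdm_t:s0` line is what to look for first.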