On Mon, Jul 27, 2009 at 11:06 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Mon, 2009-07-27 at 07:49 -0700, Larry Ross wrote:
>> On Mon, Jul 27, 2009 at 6:45 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On Sat, 2009-07-25 at 12:41 -0700, Larry Ross wrote:
>>
>> > I am trying to create a custom selinux user for the strict policy on
>> > RHEL5.3
>> > I want logins that are mapped to this user to be able to login via
>> > gdm, but when they do I get an error "Error! Unable to set executable
>> > context."
>> >
>> > What does this error message mean?
>> >
>> > I am able to login via gdm with logins that are mapped to user_u.  I
>> > have run the AVCs generated when I login in permissive mode (which
>> > succeeds) through audit2allow and gotten to the point where it doesn't
>> > seem that I am getting any killer AVCs.  What am I missing that is
>> > needed for a custom user to use X-Windows?  Is there some place I can
>> > look to determine what is causing the error?
>>
>> I see that you've resolved the problem now, but could you describe what
>> you had to do to get it to work for future reference?  That way the next
>> time someone comes along with the same issue, they can find the answer
>> in the mailing list archives.
>>
>> I think (and that is why I didn't say specifically) that it was calling:
>> userdom_unpriv_user_template(app_user)
>>
>> I know I needed to add a default context to:
>> /etc/selinux/strict/contexts/default_contexts
>>
>> but although I added more per Dominick's suggestion, I think I already
>> had the ones that were needed.
>>
>> BTW, "executable context" in the error message means that the attempts
>> by gdm to invoke setexeccon(3) failed.  setexeccon(3) is the libselinux
>> interface to set the security context to which the process will
>> transition upon the next execve(2) call.  Usually a setexeccon(3) error
>> means that the security context was invalid under the current policy.
>>
>> This didn't seem to be well documented anywhere as to what the above
>> actually means.
>> My take is that there has to be an executable context (which is what I
>> think the userdom_unpriv_user_template gave me) which is listed in the
>> default contexts in the same row as the "current" context.  But I could
>> be wrong.
>
> Usually what happens is that it is unable to find any valid context for
> the user and thus falls back to trying a failsafe context defined for
> emergency logins, but that wasn't valid for that particular SELinux
> user.

Where is that behavior implemented?  I didn't see it.  Where are the
"failsafe" contexts defined, are they in the code somewhere?

When you say "wasn't valid for that particular SELinux user" I assume you
mean that the permissions required were not given to that selinux user
(which is what I think I fixed with the userdom_unpriv_user_template).
Which would imply that there would be no "failsafe context" for my custom
selinux user.

-- Larry

> --
> Stephen Smalley
> National Security Agency
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
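The lookup the two of them are describing, as an added example that is not part of the thread and not libselinux's own code: a login program such as gdm strips the user field from its own context, finds that row in default_contexts, prepends the user's SELinux user to each candidate in the row, drops the candidates the policy rejects (security_check_context(3)), and only if nothing survives tries the single context in failsafe_context the same way. The first survivor is what gets handed to setexeccon(3); an empty list is the "Unable to set executable context" case. The model below replaces the kernel's policy check with a constructed table (POLICY) of which role/type pairs each SELinux user may hold, and uses constructed file contents and user names (custom_u, admin_u, app_user_r/app_user_t, the two DEFAULT_CONTEXTS_* strings, FAILSAFE_CONTEXT). It omits steps the real libselinux lookup performs (the per-user ~/.default_contexts file, MLS/MCS level handling, and the Linux-user-to-SELinux-user mapping via getseuserbyname(3)).

```python
"""Model of how a display manager picks the context it passes to setexeccon(3).

Added example; it mimics the lookup order of libselinux's
get_ordered_context_list() and is not the library's code.  All names and
file contents below are constructed for illustration.
"""

# Constructed stand-in for /etc/selinux/<policy>/contexts/default_contexts.
# First column: the caller's role:type:level.  Remaining columns: candidate
# role:type:level values for the session, in preference order.
DEFAULT_CONTEXTS_BEFORE = """\
# constructed sample, not a shipped RHEL file
system_r:xdm_t:s0   user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0  user_r:user_t:s0 staff_r:staff_t:s0
"""

# The same file after the login rows also offer the custom user's role/type
# (assumed to be app_user_r/app_user_t, i.e. what
# userdom_unpriv_user_template(app_user) would declare).
DEFAULT_CONTEXTS_AFTER = """\
system_r:xdm_t:s0   user_r:user_t:s0 staff_r:staff_t:s0 app_user_r:app_user_t:s0
system_r:sshd_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 app_user_r:app_user_t:s0
"""

# Constructed contents of /etc/selinux/<policy>/contexts/failsafe_context.
# The library builds "<seuser>:" + this line and validates it like any other.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0"

# Constructed stand-in for security_check_context(3): the role/type pairs each
# SELinux user is allowed to hold under the loaded policy.
POLICY = {
    "user_u": {("user_r", "user_t")},
    "custom_u": {("app_user_r", "app_user_t")},
    "admin_u": {("sysadm_r", "sysadm_t")},
}


def parse_default_contexts(text):
    """Map 'role:type:level' of the caller -> ordered list of candidate targets."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def strip_user(context):
    """'system_u:system_r:xdm_t:s0' -> 'system_r:xdm_t:s0'."""
    return context.split(":", 1)[1]


def security_check_context(context, policy=POLICY):
    """True if the policy allows <user> to hold <role>:<type>."""
    user, role, type_ = context.split(":")[:3]
    return (role, type_) in policy.get(user, set())


def get_ordered_context_list(seuser, fromcon, default_contexts,
                             failsafe=FAILSAFE_CONTEXT, policy=POLICY):
    """Valid session contexts for seuser when the caller runs as fromcon."""
    candidates = []
    for target in default_contexts.get(strip_user(fromcon), []):
        ctx = f"{seuser}:{target}"
        if security_check_context(ctx, policy):
            candidates.append(ctx)
    if not candidates:
        # Nothing usable in default_contexts: try the emergency-login context.
        ctx = f"{seuser}:{failsafe}"
        if security_check_context(ctx, policy):
            candidates.append(ctx)
    return candidates


def choose_exec_context(seuser, fromcon, default_contexts_text):
    """What gdm would hand to setexeccon(3) before execve(2) of the session.

    Returns the first valid context, or None when there is nothing valid to
    set, which is the "Unable to set executable context" failure.
    """
    table = parse_default_contexts(default_contexts_text)
    candidates = get_ordered_context_list(seuser, fromcon, table)
    return candidates[0] if candidates else None


XDM_CONTEXT = "system_u:system_r:xdm_t:s0"

if __name__ == "__main__":
    for seuser in ("user_u", "custom_u", "admin_u"):
        for label, text in (("before", DEFAULT_CONTEXTS_BEFORE),
                            ("after", DEFAULT_CONTEXTS_AFTER)):
            print(f"{seuser:9s} {label:6s} -> "
                  f"{choose_exec_context(seuser, XDM_CONTEXT, text)}")
```

With the "before" file, user_u gets user_r:user_t, admin_u gets nothing from the row and survives only via the failsafe, and custom_u gets neither (the failsafe is an sysadm context it is not allowed to hold), so setexeccon(3) has nothing valid to set. Adding the custom role/type to the xdm_t row, with the policy already permitting that user/role/type combination, is what makes the "after" case succeed; either half alone is not enough.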