I'm in the process of writing a simple policy from scratch.
Everything works as expected, except for logins.
I have a user named tfm on my system.
/etc/selinux/mypolicy/seusers looks like:
tfm:tfm_u
root:system_u
In my policy I have a user tfm_u with roles tfm_r. tfm_r has
several types, for example xserver_tfm_t. I also have a user
system_u with role unconfined_r and type unconfined_t.
Using runcon I can transition from
system_u:unconfined_r:unconfined_t to tfm_u:tfm_r:xserver_tfm_t.
I figured I have to tell the login programs which context to
choose per default. My login programs run as
system_u:unconfined_r:unconfined_t, so I added to
/etc/selinux/mypolicy/contexts/default_contexts the line
unconfined_r:unconfined_t tfm_r:xserver_tfm_t
I also have in /etc/selinux/mypolicy/contexts/default_type
unconfined_r:unconfined_t
tfm_r:xserver_tfm_t
I can login as root and have context
system_u:unconfined_r:unconfined_t.
I cannot login as tfm, because:
pam_selinux(login:session): Unable to get valid context for tfm
Apparently I am missing something, just can't find what.
In general I find it difficult to find comprehensive
documentation about the userland tools' interaction with the
policy conifguration. On top of that error messages are often
uninformative. (Random example: when the file
/etc/selinux/mypolicy/contexts/files/file_contexts is missing,
useradd without any output exits with return code 12. Which says
'cannot create homedir' but contains no clue about the reason for
the failure.)
So any hint on the above problem or hints on good places I could
read up on the topic would be highly appreciated!
Attachment:
signature.asc
Description: Digital signature
