Hello all
i'm new to SELinux. I'm trying to create per-user domains in a system running Fedora 11 with the targeted policy enabled. The reason for that is that i need to create transitions to different domains when users start the same application. I followed these steps: - written my custom policy module(posted as attachment) in order to create new roles user1_r, user2_r with the default domains user1_t and user2_t; - added to the system new selinux users user1_u and user2_u; - added to the system the new linux users user1 and user2; - associated user1 with user1_u and user2 with user2_u; - labeled home directories respectively with types user1_home_t and user2_home_t - created the two files user1_u and user2_u in /etc/selinux/targeted/contexts/users;
Then i tried to connect in local to the ssh server from root to the user1 but it rejected the connection with this log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2 Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1 Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0) Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
If putting the system in permissive mode the connection was successful but the security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023 Any suggestions? Thanks in advance.