On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
Hello all
I'm new to SELinux. I'm trying to create per-user domains on a system running Fedora 11 with the targeted policy enabled. The reason for that is that I need to create transitions to different domains when users start the same application. I followed these steps:
- wrote my custom policy module (posted as attachment) in order to create the new
  roles user1_r and user2_r with the default domains user1_t and user2_t;
- added the new SELinux users user1_u and user2_u to the system;
- added the new Linux users user1 and user2 to the system;
- associated user1 with user1_u and user2 with user2_u;
- labeled the home directories respectively with the types user1_home_t and
  user2_home_t;
- created the two files user1_u and user2_u in
  /etc/selinux/targeted/contexts/users.
Then I tried to connect locally to the ssh server, from root to user1, but it rejected the connection with these log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
When I put the system in permissive mode the connection was successful, but the security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023. Any suggestions? Thanks in advance.
# usermod.te
policy_module(usermod, 1.0.0)

# Declare the role $1_r, the domain type $1_t and the basic user-domain
# rules for each per-user domain.
userdom_base_user_template(user1)
userdom_base_user_template(user2)

# Give each domain its own home directory type (interface defined in usermod.if).
access_to_home(user1)
access_to_home(user2)

# usermod.if
## <summary>
##	Private home directory type for a user domain created with
##	userdom_base_user_template.
## </summary>
## <param name="userdomain_prefix">
##	<summary>Prefix of the user domain, e.g. user1 for user1_t.</summary>
## </param>
interface(`access_to_home',`
	gen_require(`
		type home_root_t, local_login_t, fs_t, proc_t, sshd_t;
	')

	# Home directory type owned by the $1_t domain.
	type $1_home_t;

	# Files and directories that $1_t creates under $1_home_t keep the
	# $1_home_t label (the same result as the default inheritance rule).
	type_transition $1_t $1_home_t:{ file dir } $1_home_t;

	# Login programs need to search the home directory.
	allow local_login_t $1_home_t:dir search;
	allow sshd_t $1_home_t:dir search;

	# The user domain may read and write its own home directory.
	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
	allow $1_t $1_home_t:file { read write create open getattr append };
	allow $1_t home_root_t:dir { search read open getattr };
	allow $1_t proc_t:file { read open };

	# Let $1_home_t-labelled objects live on the filesystem.
	allow $1_home_t fs_t:filesystem associate;
')

# usermod.fc
/home/user1(/.*)?	gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)?	gen_context(user2_u:object_r:user2_home_t,s0)
                Labeling   MLS/        MLS/
SELinux User    Prefix     MCS Level   MCS Range         SELinux Roles

guest_u         user       s0          s0                guest_r
root            user       s0          s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0          s0-s0:c0.c1023    staff_r sysadm_r system_r
sysadm_u        user       s0          s0-s0:c0.c1023    sysadm_r
system_u        user       s0          s0-s0:c0.c1023    system_r
unconfined_u    user       s0          s0-s0:c0.c1023    system_r unconfined_r
user1_u         user1      s0          s0                user1_r
user2_u         user2      s0          s0                user2_r
user4           user       s0          s0                user_r
user_u          user       s0          s0-s0:c0.c1023    user_r
xguest_u        user       s0          s0                xguest_r

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
test1           user_u          s0
user1           user1_u         s0
user2           user2_u         s0
user4           user_u          s0
My first thought is that there may be errors in the /etc/selinux/targeted/contexts/users/user{1_u,2_u} files. My second thought is that it may have to do with your exotic home dir solution. I would not do that because it may require lots of policy and the results may not be so beneficial.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
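The reply's first suspect is the per-user file under /etc/selinux/targeted/contexts/users. The following script is an added example, not code from the thread or from libselinux: it models, in simplified form, the lookup that libselinux's get_ordered_context_list() performs over contexts/users/<seuser> and default_contexts when pam_selinux picks a session context. The kernel's security_compute_user() is replaced by a hand-built table of which roles and domain types each SELinux user may reach, the optional level field and the failsafe_context fallback are left out, and every table and file content (USER_ROLES, ROLE_TYPES, USERS_USER1_U, USERS_USER1_U_BROKEN, DEFAULT_CONTEXTS) is constructed for the example. It shows why a per-user file that names a role the user is not authorised for, or no line that matches the login program's role:type, ends in "Unable to get valid context".

```python
"""Added example: simplified model of how pam_selinux chooses a login context.

Not libselinux code.  Imitates the matching done by get_ordered_context_list()
over /etc/selinux/targeted/contexts/users/<seuser> and
/etc/selinux/targeted/contexts/default_contexts, with a constructed policy
table standing in for security_compute_user().  Level handling and the
failsafe_context fallback are omitted.
"""

# Constructed stand-in for the loaded policy (what security_compute_user()
# would report as reachable): SELinux user -> roles, role -> domain types.
USER_ROLES = {
    "user1_u": {"user1_r"},
    "user_u": {"user_r"},
    "unconfined_u": {"unconfined_r", "system_r"},
}
ROLE_TYPES = {
    "user1_r": {"user1_t"},
    "user_r": {"user_t"},
    "unconfined_r": {"unconfined_t"},
    "system_r": {"sshd_t", "local_login_t"},
}

# Constructed contexts files.  Each line: the login program's role:type
# (level optional), then candidate role:type entries in preference order.
USERS_USER1_U = """\
system_r:sshd_t:s0\tuser1_r:user1_t:s0
system_r:local_login_t:s0\tuser1_r:user1_t:s0
"""
# A broken per-user file, e.g. copied from unconfined_u: it names a role
# that user1_u is not authorised for.
USERS_USER1_U_BROKEN = """\
system_r:sshd_t:s0\tunconfined_r:unconfined_t:s0
"""
DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0\tuser_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0\tuser_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
"""


def reachable(seuser):
    """Role:type pairs the (model) policy lets `seuser` occupy."""
    return {(r, t) for r in USER_ROLES.get(seuser, ())
            for t in ROLE_TYPES.get(r, ())}


def parse_contexts(text):
    """Parse a contexts file into [(from_role_type, [candidate_role_type, ...])]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Compare on role:type only; the optional level field is ignored here.
        src = tuple(fields[0].split(":")[:2])
        cands = [tuple(f.split(":")[:2]) for f in fields[1:]]
        entries.append((src, cands))
    return entries


def default_context(seuser, fromcon, user_file, default_file, level="s0"):
    """Pick the session context for `seuser` logging in from `fromcon`.

    The per-user file is consulted before default_contexts; a line applies
    only when its first field equals the login process's role:type; the first
    candidate the policy lets `seuser` reach wins.  Returns None when nothing
    matches, the situation pam_selinux logs as 'Unable to get valid context'.
    """
    from_role, from_type = fromcon.split(":")[1:3]
    ok = reachable(seuser)
    for text in (user_file, default_file):
        for src, cands in parse_contexts(text):
            if src != (from_role, from_type):
                continue
            for role, typ in cands:
                if (role, typ) in ok:
                    return f"{seuser}:{role}:{typ}:{level}"
    return None


# Context of the sshd process that calls pam_selinux (constructed).
SSHD = "system_u:system_r:sshd_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    print("correct file :", default_context("user1_u", SSHD, USERS_USER1_U, DEFAULT_CONTEXTS))
    print("broken file  :", default_context("user1_u", SSHD, USERS_USER1_U_BROKEN, DEFAULT_CONTEXTS))
    print("no file      :", default_context("user1_u", SSHD, "", DEFAULT_CONTEXTS))
    print("unconfined_u :", default_context("unconfined_u", SSHD, "", DEFAULT_CONTEXTS))
```

The "no file" case is the one to note when creating a new SELinux user: default_contexts on a targeted system only lists the stock roles, so a fresh user1_u gets no context at all unless contexts/users/user1_u supplies a line for system_r:sshd_t (and for local_login_t, if console logins are wanted) that points at a role:type the policy actually lets user1_u reach. On a real system the equivalent check is running getseuser or a test login with the per-user file in place, rather than this model.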