On 09/15/2009 09:57 AM, Roberto Sassu wrote:
Hello all
i'm new to SELinux. I'm trying to create per-user domains in a system running Fedora 11 with the targeted policy enabled. The reason for that is that i need to create transitions to different domains when users start the same application. I followed these steps:
- written my custom policy module(posted as attachment) in order to create new
roles user1_r, user2_r with the default domains user1_t and user2_t;
- added to the system new selinux users user1_u and user2_u;
- added to the system the new linux users user1 and user2;
- associated user1 with user1_u and user2 with user2_u;
- labeled home directories respectively with types user1_home_t and
user2_home_t
- created the two files user1_u and user2_u in
/etc/selinux/targeted/contexts/users;
Then i tried to connect in local to the ssh server from root to the user1 but it rejected the connection with this log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2 Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1 Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0) Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
If putting the system in permissive mode the connection was successful but the security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023 Any suggestions? Thanks in advance.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You probably need to create /etc/selinux/targeted/context/user1 and user2
Base these off of xguest
I am not crazy about having home content variable between users, I think this is a waste of time. Others disagree.