Hello all
I'm new to SELinux. I'm trying to create per-user domains in a system running Fedora 11 with the targeted policy enabled. The reason for that is that I need to create transitions to different domains when users start the same application. I followed these steps:
- written my custom policy module (posted as attachment) in order to create new roles user1_r, user2_r with the default domains user1_t and user2_t;
- added to the system new SELinux users user1_u and user2_u;
- added to the system the new Linux users user1 and user2;
- associated user1 with user1_u and user2 with user2_u;
- labeled home directories respectively with types user1_home_t and user2_home_t;
- created the two files user1_u and user2_u in /etc/selinux/targeted/contexts/users.
Then I tried to connect locally to the ssh server from root to user1, but it rejected the connection with these log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
If I put the system in permissive mode the connection was successful, but the security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
Any suggestions? Thanks in advance.
On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
Attachment: the custom policy module (usermod.te, usermod.if and usermod.fc).

usermod.te:

policy_module(usermod, 1.0.0)

userdom_base_user_template(user1)
userdom_base_user_template(user2)

access_to_home(user1)
access_to_home(user2)

usermod.if:

## <summary>
##	Give the $1_t user domain its own home type $1_home_t
##	and let the login programs search it.
## </summary>
interface(`access_to_home',`
	require {
		type home_root_t;
		type local_login_t, fs_t, proc_t, sshd_t;
	}

	type $1_home_t;
	type_transition $1_t $1_home_t:{ file dir } $1_home_t;

	allow local_login_t $1_home_t:dir search;
	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
	allow $1_t $1_home_t:file { read write create open getattr append };
	allow $1_t home_root_t:dir { search read open getattr };
	allow $1_home_t fs_t:filesystem associate;
	allow $1_t proc_t:file { read open };
	allow sshd_t $1_home_t:dir search;
')

usermod.fc:

/home/user1(/.*)?	gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)?	gen_context(user2_u:object_r:user2_home_t,s0)
Attachment: SELinux user and login mappings (the column headers are those of semanage user -l and semanage login -l).

                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles

guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user1_u         user1     s0         s0               user1_r
user2_u         user2     s0         s0               user2_r
user4           user      s0         s0               user_r
user_u          user      s0         s0-s0:c0.c1023   user_r
xguest_u        user      s0         s0               xguest_r

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
test1           user_u          s0
user1           user1_u         s0
user2           user2_u         s0
user4           user_u          s0
My first thought is that there may be errors in the /etc/selinux/targeted/contexts/users/user{1_u,2_u} files. My second thought is that it may have to do with your exotic home dir solution. I would not do that because it may require lots of policy and the results may not be so beneficial.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
Oh, and the userdom template you are using does not have all the permissions for a login user, I believe. I would just base it on the current user_u policy, so probably: userdom_unpriv_user_template()
Also, if you do not see AVC denials, try: semodule -DB / semodule -B to show/hide silenced denials. Also keep an eye on messages for DBUS denials.
On 09/15/2009 09:57 AM, Roberto Sassu wrote:
You probably need to create /etc/selinux/targeted/context/user1 and user2
Base these off of xguest
I am not crazy about having home content variable between users, I think this is a waste of time. Others disagree.
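The plumbing the thread is circling around, written out as an added example (not code from the original post, from Dan or from the Fedora policy): create the SELinux user, the login mapping and the per-user contexts file, then ask libselinux the same question pam_selinux asks before trying to log in. It assumes the module that defines user1_r/user1_t is already loaded (the thread's module, rebuilt on userdom_unpriv_user_template as Dominick suggests), keeps the stock home labeling as Dan prefers, and uses semanage, getseuser/getdefaultcon (libselinux-utils) and ausearch with options as shipped in Fedora; the s0-only MCS range follows the thread's semanage output and the set of source domains in the contexts file is copied from the shape of the xguest_u file.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Fedora policy: wire a
# custom SELinux user <prefix>_u, role <prefix>_r and domain <prefix>_t into
# the targeted policy so that sshd and login can compute a default context.
# Assumes the policy module that defines user1_r/user1_t is already loaded.
# The MCS range (s0) follows the thread; the file layout is an assumption.
set -eu

CONTEXTS_DIR=/etc/selinux/targeted/contexts

# Emit the body of contexts/users/<prefix>_u.  Same format as
# default_contexts: left, the (partial) context of the program opening the
# session; right, the candidate role:type:level for the session.  This is
# the shape of the xguest_u file that Dan suggests as a base.
gen_user_contexts() {
    prefix=$1
    level=${2:-s0}
    for src in local_login_t remote_login_t sshd_t crond_t xdm_t; do
        printf 'system_r:%s:%s\t%s_r:%s_t:%s\n' \
            "$src" "$level" "$prefix" "$prefix" "$level"
    done
    # A login started from the user's own domain stays in it.
    printf '%s_r:%s_t:%s\t%s_r:%s_t:%s\n' \
        "$prefix" "$prefix" "$level" "$prefix" "$prefix" "$level"
}

# Create the SELinux user, the Linux user and the login mapping, then drop
# the per-user contexts file.  Without that file pam_selinux finds no
# usable role:type for <prefix>_u in default_contexts and the session
# fails with "Unable to get valid context", as in the thread's log.
setup_seuser() {
    prefix=$1
    # -R: roles the SELinux user may enter, -P: labeling prefix,
    # -L/-r: MCS level and range (s0 only, as in the thread).
    semanage user -a -R "${prefix}_r" -P "$prefix" -L s0 -r s0 "${prefix}_u"
    id "$prefix" >/dev/null 2>&1 || useradd "$prefix"
    semanage login -a -s "${prefix}_u" -r s0 "$prefix"
    restorecon -R "/home/$prefix"
    gen_user_contexts "$prefix" s0 > "$CONTEXTS_DIR/users/${prefix}_u"
}

# Ask libselinux what pam_selinux and sshd will ask, without logging in:
# which SELinux user the login maps to, and what default context a session
# opened by sshd_t would get.  Expect <prefix>_u:<prefix>_r:<prefix>_t.
verify_login_context() {
    prefix=$1
    getseuser "$prefix" system_u:system_r:sshd_t:s0
    getdefaultcon "$prefix" system_u:system_r:sshd_t:s0
}

# Dominick's tip: dontaudit rules hide denials.  Rebuild the policy with
# them disabled, look at recent AVCs, then put the suppression back.
show_hidden_denials() {
    semodule -DB
    ausearch -m avc -ts recent || true
    semodule -B
}

# Run only when explicitly asked, so the file can be sourced for its
# functions without touching the system.
if [ "${1:-}" = apply ]; then
    setup_seuser user1
    verify_login_context user1
fi
```

If getdefaultcon prints a context in user1_r:user1_t, sshd will be able to compute the same one and the "conversation failed" / "No response to query" pair goes away; if it prints nothing, the contexts file and the role list from semanage user -l are the two things to compare.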
Thanks all for the replies. I have modified the policy by using the template userdom_unpriv_user_template() and everything is ok.

Talking about different labels for each home directory, I'm not sure, but if all user domains have access to the default type user_home_dir_t, access control on files under /home will be based on the DAC mechanism.

My effort is focused on trying to evaluate if it is possible with SELinux to protect files using as criteria for the access decision the combination user identity-application identity. For example I want to protect the user's private key, allowing access only to the program "ssh" run by the user "user1". In my policy I created the domain "user1_t" which is set by the login program when "user1" logs in the system. Then I called the interface ssh_basic_client_template(user1, user1_t, user1_r) which creates the derived domain user1_ssh_t at the time user1 executes the "ssh" command. The file $home/.ssh/id_rsa could be labeled with a unique label and a specific rule can be added to allow only the user1_ssh_t domain to read the key.

Denying to users the ability to set security contexts, does this policy create a separation between the ssh application and the others run by the same user?
On Tue, Sep 15, 2009 at 08:30:43PM +0200, Roberto Sassu wrote:
Well, the UBAC model/concept keeps SELinux users' processes/objects separated, but it is not implemented in Fedora. You could however implement similar functionality by using a per-role template, but existing domains would have to be modified.
What a per-role template does is create types derived from the user domain prefix, so $1_ssh_t, $1_ssh_home_t, and then lets you define rules like: allow $1_ssh_t $1_ssh_home_t:file read
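Roberto's key-protection idea and Dominick's derived-type answer, carried through as an added example (not code from the thread or from the Fedora policy): a module that gives user1 the derived ssh domain via the two templates the thread names, userdom_unpriv_user_template() and ssh_basic_client_template(), declares a private type for the key and allows read on it to the derived domain only. The type name user1_ssh_key_t, the module name user1_sshkey and the use of the selinux-policy-devel Makefile plus sesearch (setools) for the check are assumptions; the key path and the gen_context style follow the thread's own file contexts.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedora policy: a module
# that gives user1 a derived ssh domain and a private type for the ssh key
# that only that derived domain may read.  user1_ssh_key_t, the module
# name and the key path are assumptions.  Building and loading needs the
# selinux-policy-devel Makefile; the check needs setools (sesearch).
set -eu

# Policy source (the .te file) for one user prefix.
gen_te() {
    prefix=$1
    cat <<EOF
policy_module(${prefix}_sshkey, 1.0.0)

# Login domain ${prefix}_t for role ${prefix}_r (the template the thread
# settled on; the base template lacks login permissions).
userdom_unpriv_user_template(${prefix})

# Derived domain ${prefix}_ssh_t, entered when ${prefix}_t executes ssh.
ssh_basic_client_template(${prefix}, ${prefix}_t, ${prefix}_r)

# Private type for the key (assumed name).  A plain file type, not user
# home content, so ${prefix}_t gets none of the generic home-file rules
# (read, write, relabel) on it.
type ${prefix}_ssh_key_t;
files_type(${prefix}_ssh_key_t)

# The only reader is the derived ssh domain.  There is no rule for
# ${prefix}_t and no relabelfrom, so the user's shell can neither read
# the key nor chcon it back to a type the shell can read.
allow ${prefix}_ssh_t ${prefix}_ssh_key_t:file read_file_perms;
EOF
}

# File contexts (the .fc file): label just this user's key, in the same
# style as the thread's /home/user1(/.*)? entry.
gen_fc() {
    prefix=$1
    printf '/home/%s/\\.ssh/id_rsa\t--\tgen_context(%s_u:object_r:%s_ssh_key_t,s0)\n' \
        "$prefix" "$prefix" "$prefix"
}

# Build, load, relabel the key, then query the loaded policy: the allow
# rules granting read on the key type show who can really open it.
build_and_verify() {
    prefix=$1
    dir=$(mktemp -d)
    gen_te "$prefix" > "$dir/${prefix}_sshkey.te"
    gen_fc "$prefix" > "$dir/${prefix}_sshkey.fc"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "${prefix}_sshkey.pp")
    semodule -i "$dir/${prefix}_sshkey.pp"
    restorecon -v "/home/$prefix/.ssh/id_rsa"
    echo "domains allowed to read ${prefix}_ssh_key_t:"
    sesearch -A -t "${prefix}_ssh_key_t" -c file -p read
}

# Run only when explicitly asked, so the file can be sourced for its
# functions without building or loading anything.
if [ "${1:-}" = apply ]; then
    build_and_verify user1
fi
```

Two things the sesearch output will make obvious. The separation is between user1's own domains: user1_t and every other domain derived from it have no rule on user1_ssh_key_t, so only ssh in user1_ssh_t reads the key, which is the user-identity-plus-application criterion Roberto asks about. But files_type() places the key in the file_type attribute, so unconfined_t and any domain granted files_read_all_files still appear in that listing; the targeted policy does not separate SELinux users from each other (no UBAC, as Dominick says), so protecting user1's key from user2 still relies on user2_t having no rule for that type, not on the user1_u part of the label.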