From: "Takesi satoh"
Subject: Re: RBAC in RHEL5
Date: Mon, 31 Mar 2008 08:45:14 -0700
Message-ID: <109201c89346$35f324a0$046a010a@mail2world.com>
List-Id: selinux@tycho.nsa.gov
On Sun, 2008-03-30 at 09:58 -0700, Takesi satoh wrote:
>> I wonder whether I can use RBAC in RHEL5 or not.
>> Here is my problem.
>>
>> I created a new user and new roles. Let me say john_u:john_r:john_t.
>> After I made a loadable module, loaded it, and added some entries to
>> default_context and default_type,
>> john_u:john_r:john_t was assigned to linux user "john" when john
>> logged in from GNOME.
>>
>> Next, since I wanted to try the case of "john logs in from the console",
>> I added the new entry "system_r:local_login_t john_r:john_t
>> system_r:unconfined_t" to default_context
>> and john logged in from the console (tty); then system_r:unconfined_t was
>> assigned to john.
>>
>> I thought the reason it happened was the policy below,
>> "type_transition local_login_t shell_exec_t:process transition",
>> so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
>> above type_transition statement with "allow local_login_t
>> userdomain:process transition;" in local_login.te, and rebuilt the rpm.
>>
>> Then john logged in from the console again, and john was assigned
>> "local_login_t".
>> No domain transition happened here.
>> I wondered "What if I use the strict policy?", so I tried the strict policy.
>> But the result was the same: john was assigned local_login_t.
>
>How did you create your user role? Did you just declare the types and
>roles, or did you use the policy templates?

I declared just types, roles, and some attributes such as process_user_target and process_uncond_exempt
to follow the constraints.
Anyway, I updated the pam and pam-devel rpms, and now I can assign the new role to the linux user!
Thank you for your reply.



>--
>Chris PeBenito
>Tresys Technology, LLC
>(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
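The thread above turns on how a login program decides which of the contexts listed on a default_contexts line the user actually gets. The following is an added illustration of that selection, written for this page; it is not code from the mailing list, from libselinux, or from pam_selinux, but a simplified model of the lookup those components perform. The seusers and default_contexts text, the REACHABLE table (a stand-in for what the kernel answers via security_compute_user()), and the logins john and alice are all constructed for the example; failsafe_context and the per-user contexts/users/<seuser> files are not modelled.

```python
"""Model of how a login program (local_login via pam_selinux) chooses a
user's SELinux context from seusers and default_contexts.

Added example: a simplified re-implementation for illustration, not the
code of libselinux or pam_selinux. The seusers and default_contexts text
below is constructed for this example, and REACHABLE stands in for what
the kernel returns via security_compute_user(); failsafe_context handling
and per-user contexts/users/<seuser> files are not modelled.
"""
from typing import Dict, List, Optional, Tuple

RoleType = Tuple[str, str]  # (role, type): the part of a context the file keys on

# Constructed /etc/selinux/<policy>/seusers: login:seuser:level
SEUSERS = """\
# login  seuser  MLS/MCS level
john:john_u:s0
root:root:s0
__default__:user_u:s0
"""

# Constructed default_contexts carrying the entry quoted in the post.
# Format: <from role:type> <candidate role:type>... in order of preference.
DEFAULT_CONTEXTS = """\
system_r:local_login_t john_r:john_t system_r:unconfined_t
system_r:sshd_t        john_r:john_t system_r:unconfined_t
system_r:xdm_t         john_r:john_t system_r:unconfined_t
"""

# Constructed stand-in for security_compute_user(): for each SELinux user,
# the role:type pairs the loaded policy lets the login domain transition to.
REACHABLE: Dict[str, List[RoleType]] = {
    "john_u": [("john_r", "john_t")],
    "user_u": [("system_r", "unconfined_t")],
    "root": [("system_r", "unconfined_t")],
}


def parse_role_type(field: str) -> RoleType:
    """Split 'role:type' into a (role, type) pair."""
    role, typ = field.split(":", 1)
    return role, typ


def parse_seusers(text: str) -> Dict[str, str]:
    """Map Linux login names to SELinux users (the level field is ignored here)."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        login, seuser = line.split(":")[:2]
        mapping[login] = seuser
    return mapping


def parse_default_contexts(text: str) -> Dict[RoleType, List[RoleType]]:
    """Key each line on its first role:type; keep the candidates in file order."""
    table: Dict[RoleType, List[RoleType]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key = parse_role_type(fields[0])
        # A duplicate key keeps the first line, as a top-down scan would.
        table.setdefault(key, [parse_role_type(f) for f in fields[1:]])
    return table


def seuser_for_login(login: str, seusers: Dict[str, str]) -> str:
    """Resolve a Linux login to its SELinux user, falling back to __default__."""
    return seusers.get(login, seusers["__default__"])


def ordered_login_contexts(seuser: str, fromcon: str,
                           table: Dict[RoleType, List[RoleType]],
                           reachable: Dict[str, List[RoleType]]) -> List[str]:
    """Return candidate contexts in the order a login program would try them.

    Candidates on the default_contexts line for the caller's role:type come
    first (file order), restricted to what the policy lets this SELinux user
    reach; any other reachable contexts are appended afterwards. The file
    only orders; the policy decides what is reachable at all.
    """
    _, from_role, from_type = fromcon.split(":")[:3]
    preferred = table.get((from_role, from_type), [])
    allowed = reachable.get(seuser, [])
    ordered = [rt for rt in preferred if rt in allowed]
    ordered += [rt for rt in allowed if rt not in ordered]
    return [f"{seuser}:{role}:{typ}" for role, typ in ordered]


def default_login_context(login: str, fromcon: str) -> Optional[str]:
    """First choice for a login, or None when the policy offers nothing."""
    seuser = seuser_for_login(login, parse_seusers(SEUSERS))
    choices = ordered_login_contexts(seuser, fromcon,
                                     parse_default_contexts(DEFAULT_CONTEXTS),
                                     REACHABLE)
    return choices[0] if choices else None


if __name__ == "__main__":
    login_domain = "system_u:system_r:local_login_t:s0"
    for user in ("john", "alice"):
        print(f"{user:6} -> {default_login_context(user, login_domain)}")
```

With the constructed data, john resolves to john_u and gets john_u:john_r:john_t, while an unmapped login such as alice falls to user_u and gets system_r:unconfined_t. The point the model makes is that adding john_r:john_t to a default_contexts line changes nothing unless the loaded policy also lets john_u reach john_r:john_t from local_login_t; if it does not, the next reachable candidate on the line (here system_r:unconfined_t) wins. On a real system the `getseuser` utility from libselinux-utils performs the actual lookup for a login name and source context, and is the thing to compare against.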