From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: "Takesi satoh" <t_mail@mail2Airport.com>
Cc: <selinux@tycho.nsa.gov>
Subject: Re: RBAC in RHEL5
Date: Mon, 31 Mar 2008 08:56:17 -0400
Message-ID: <1206968178.16113.328.camel@gorn>
In-Reply-To: <0bec01c89287$3b352cc0$016a010a@mail2world.com>

On Sun, 2008-03-30 at 09:58 -0700, Takesi satoh wrote:
> I wonder whether I can use RBAC in RHEL5 or not.
> Here is my problem.
>
> I created a new user and new roles. Let me say john_u:john_r:john_t.
> After I made a loadable module, loaded it, and added some entries to
> default_context and default_type,
> john_u:john_r:john_t was assigned to linux user "john" when john
> logged in from GNOME.
>
> Next, since I wanted to try the case of "john logs in from console",
> I added a new entry "system_r:local_login_t john_r:john_t
> system_r:unconfined_t" to default_context
> and john logged in from the console (tty); then system_r:unconfined_t was
> assigned to john.
>
> I thought the reason why it happened was the policy below,
> "type_transition local_login_t shell_exec_t:process transition",
> so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
> above type_transition sentence with "allow local_login_t
> userdomain:process transition;" in local_login.te, and rebuilt the rpm.
>
> Then john logged in from the console again, and john was assigned to
> "local_login_t".
> No domain transition happened here.
> I wondered, "What if I use the strict policy?", so I tried the strict policy.
> But the result was the same; john was assigned to local_login_t.

How did you create your user role? Did you just declare the types and
roles, or did you use the policy templates?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150