* RBAC in RHEL5
From: Takesi satoh @ 2008-03-30 16:58 UTC (permalink / raw)
To: selinux
Hello,
I wonder whether I can use RBAC in RHEL5 or not.
Here is my problem.
I created a new user and new roles. Let me say john_u:john_r:john_t.
After I made a loadable module, loaded it, and added some entries to
default_contexts and default_type,
john_u:john_r:john_t was assigned to the Linux user "john" when john logged in
from GNOME.
Next, since I wanted to try the case where john logs in from the console,
I added the new entry "system_r:local_login_t john_r:john_t
system_r:unconfined_t" to default_contexts,
and when john logged in from the console (tty), system_r:unconfined_t was
assigned to john.
I thought the reason it happened was the policy below,
"type_transition local_login_t shell_exec_t:process transition",
so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
above type_transition statement with "allow local_login_t
userdomain:process transition;" in local_login.te, and rebuilt the rpm.
Then john logged in from the console again, and john was assigned to
"local_login_t".
No domain transition happened here.
I wondered "What if I use the strict policy?", so I tried the strict policy.
But the result was the same: john was assigned to local_login_t.
So my current assumption is that in RHEL5 I can use RBAC only when the user
logs in from GNOME.
And my questions are:
1) Is my assumption correct, or did I make a mistake?
2) Is there any way to use RBAC in RHEL5? (Should we try to import the
Fedora rpm for /bin/login?)
Regards,
K
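As an added illustration (not code from this thread and not libselinux's implementation), here is a simplified Python model of the lookup the login program performs against default_contexts: it walks the line matching the login process's own role:type and returns the first candidate the SELinux user is authorized for, which requires both that the user holds the role and that the role is authorized for the type. The policy tables and the default_contexts text are constructed, and the model omits the exec-time checks (the process transition allow rule and the constraints).

```python
"""Simplified model of how /bin/login picks the shell's SELinux context.

Constructed for illustration; it mirrors the idea behind libselinux's
get_ordered_context_list() plus the kernel's user/role/type authorization
tables, but is not their code. Exec-time checks (the process:transition
allow rule and constraints) are deliberately left out."""

# Constructed policy data: SELinux user -> roles, role -> types.
USER_ROLES = {"john_u": {"john_r"}, "user_u": {"system_r"}}
ROLE_TYPES = {"john_r": {"john_t"}, "system_r": {"unconfined_t", "local_login_t"}}

# Constructed default_contexts content, including the entry from the post.
DEFAULT_CONTEXTS = """\
# login role:type        candidate role:type ... (first authorized one wins)
system_r:local_login_t john_r:john_t system_r:unconfined_t
system_r:sshd_t system_r:unconfined_t
"""


def parse_default_contexts(text):
    """Map the login program's 'role:type' -> ordered list of candidates."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[fields[0]] = fields[1:]
    return table


def reachable_contexts(seuser, user_roles, role_types):
    """Every role:type pair the policy authorizes seuser to run in.

    This is the two-step RBAC check: the user must be authorized for the
    role, and the role must be authorized for the type."""
    return {f"{role}:{t}"
            for role in user_roles.get(seuser, ())
            for t in role_types.get(role, ())}


def choose_context(login_ctx, seuser, defaults,
                   user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Return the 'user:role:type' the shell gets, or None if no candidate
    on the matching default_contexts line is authorized for seuser."""
    allowed = reachable_contexts(seuser, user_roles, role_types)
    for candidate in defaults.get(login_ctx, []):
        if candidate in allowed:
            return f"{seuser}:{candidate}"
    return None
```

When a role is declared but never authorized for the type (no `role john_r types john_t;`), the first candidate is skipped and the walk falls through to whatever later candidate the user can reach, which is how a login can silently end up in system_r:unconfined_t.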
* Re: RBAC in RHEL5
From: Christopher J. PeBenito @ 2008-03-31 12:56 UTC (permalink / raw)
To: Takesi satoh; +Cc: selinux
On Sun, 2008-03-30 at 09:58 -0700, Takesi satoh wrote:
> I wonder whether I can use RBAC in RHEL5 or not.
> Here is my problem.
>
> I created a new user and new roles. Let me say john_u:john_r:john_t.
> After I made a loadable module, loaded it, and added some entries to
> default_contexts and default_type,
> john_u:john_r:john_t was assigned to the Linux user "john" when john
> logged in from GNOME.
>
> Next, since I wanted to try the case where john logs in from the console,
> I added the new entry "system_r:local_login_t john_r:john_t
> system_r:unconfined_t" to default_contexts,
> and when john logged in from the console (tty), system_r:unconfined_t was
> assigned to john.
>
> I thought the reason it happened was the policy below,
> "type_transition local_login_t shell_exec_t:process transition",
> so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
> above type_transition statement with "allow local_login_t
> userdomain:process transition;" in local_login.te, and rebuilt the rpm.
>
> Then john logged in from the console again, and john was assigned to
> "local_login_t".
> No domain transition happened here.
> I wondered "What if I use the strict policy?", so I tried the strict policy.
> But the result was the same: john was assigned to local_login_t.
How did you create your user role? Did you just declare the types and
roles, or did you use the policy templates?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: RBAC in RHEL5
From: Takesi satoh @ 2008-03-31 15:45 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
On Sun, 2008-03-30 at 09:58 -0700, Takesi satoh wrote:
>> I wonder whether I can use RBAC in RHEL5 or not.
>> Here is my problem.
>>
>> I created a new user and new roles. Let me say john_u:john_r:john_t.
>> After I made a loadable module, loaded it, and added some entries to
>> default_contexts and default_type,
>> john_u:john_r:john_t was assigned to the Linux user "john" when john
>> logged in from GNOME.
>>
>> Next, since I wanted to try the case where john logs in from the console,
>> I added the new entry "system_r:local_login_t john_r:john_t
>> system_r:unconfined_t" to default_contexts,
>> and when john logged in from the console (tty), system_r:unconfined_t was
>> assigned to john.
>>
>> I thought the reason it happened was the policy below,
>> "type_transition local_login_t shell_exec_t:process transition",
>> so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
>> above type_transition statement with "allow local_login_t
>> userdomain:process transition;" in local_login.te, and rebuilt the rpm.
>>
>> Then john logged in from the console again, and john was assigned to
>> "local_login_t".
>> No domain transition happened here.
>> I wondered "What if I use the strict policy?", so I tried the strict
>> policy.
>> But the result was the same: john was assigned to local_login_t.
>
>How did you create your user role? Did you just declare the types and
>roles, or did you use the policy templates?
I declared just types, roles, and some attributes such as
process_user_target and process_uncond_exempt
to satisfy the constraints.
Anyway, I updated the pam and pam-devel rpms, and now I can assign the new
role to a Linux user!
Thank you for your reply.
>--
>Chris PeBenito
>Tresys Technology, LLC
>(410) 290-1411 x150