* Wrong context for user
@ 2011-06-24 12:04 c.r.madhusudhanan
2011-06-24 12:53 ` Daniel J Walsh
2011-06-24 12:57 ` Stephen Smalley
0 siblings, 2 replies; 19+ messages in thread
From: c.r.madhusudhanan @ 2011-06-24 12:04 UTC (permalink / raw)
To: SELinux
Hi All,
I have meego configured with the SELinux refpolicy. I have enabled SELinux user
to Linux user mapping, and though it shows the correct SELinux user and SELinux
role, the domain/type appears to be wrong.
For example, when I log in as Linux user "meego" and say ps -Z, it shows me:
user_u:user_r:insmod_t 773 tty1 00:00:00 bash
user_u:user_r:insmod_t 795 tty1 00:00:00 ps
whereas I expect this to be user_u:user_r:user_t. Any pointers?
Regards,
Madhu
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Wrong context for user
2011-06-24 12:04 Wrong context for user c.r.madhusudhanan
@ 2011-06-24 12:53 ` Daniel J Walsh
2011-06-24 12:57 ` Stephen Smalley
1 sibling, 0 replies; 19+ messages in thread
From: Daniel J Walsh @ 2011-06-24 12:53 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: SELinux
On 06/24/2011 08:04 AM, c.r.madhusudhanan@gmail.com wrote:
> Hi All,
>
>
> I have meego configured with SELinux refpolicy. I have enabled SELinux
> user to linux user mapping, and though it shows correct selinux user and
> selinux role,
> the domain/type appears to be wrong.
>
> For example, when I login linux user "meego", and say ps -Z, it shows me,
>
> user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> user_u:user_r:insmod_t 795 tty1 00:00:00 ps
>
> where I expect this has to be user_u:user_r:user_t, any pointers?
>
>
> Regards,
> Madhu
Most likely your login program is not running with the correct context.
ps -eZ | grep login
--> Should be local_login_t
ps -eZ | grep sshd
--> Should be sshd_t
ps -eZ | grep gdm
--> Should be xdm_t
Usually login programs running as the wrong context need to be
relabeled:
touch /.autorelabel; reboot
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
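Daniel's checklist (login in local_login_t, sshd in sshd_t, gdm in xdm_t) can be run mechanically over ps -eZ output. The following Python is an added example, not code from this thread or from any SELinux project: it parses ps -eZ lines, pulls the type field out of each context and reports processes whose domain does not match the expected one. The sample lines are copied from the two ps -aeZ attachments Madhu posts later in the thread, trimmed to the processes the checklist covers; init -> init_t is added to the table because the later replies say init must run there.

```python
"""Flag login-path processes that are not in the domain refpolicy expects.

Added example; not code from this thread or from any SELinux project. The
expected domains for login, sshd and gdm are the ones Daniel lists above;
init -> init_t is added because the later replies say init must run there.
The sample ps output is copied from the ps -aeZ attachments posted later in
the thread, trimmed to the processes the checklist covers.
"""
import re
from typing import Dict, List, Tuple

# Command name -> domain (the type field of the context) it should run in.
EXPECTED_DOMAIN: Dict[str, str] = {
    "init": "init_t",
    "login": "local_login_t",
    "sshd": "sshd_t",
    "gdm": "xdm_t",
}

# Before relabelling: everything inherited kernel_t from init.
BEFORE_RELABEL = """\
LABEL PID TTY TIME CMD
system_u:system_r:kernel_t 1 ? 00:00:08 init
system_u:system_r:kernel_t 436 ? 00:00:00 sshd
system_u:system_r:kernel_t 633 ? 00:00:00 login
user_u:user_r:insmod_t 909 pts/0 00:00:00 bash
"""

# After relabelling: init, sshd and login reach their own domains.
AFTER_RELABEL = """\
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:04 init
system_u:system_r:sshd_t 445 ? 00:00:00 sshd
system_u:system_r:local_login_t 926 ? 00:00:00 login
user_u:user_r:chkpwd_t 930 tty1 00:00:00 bash
"""

# ps -eZ columns: LABEL PID TTY TIME CMD (CMD may contain spaces, so take the rest).
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_ps_z(output: str) -> List[Tuple[str, int, str]]:
    """Return (context, pid, cmd) per data line; the header has no numeric PID and is skipped."""
    rows: List[Tuple[str, int, str]] = []
    for line in output.splitlines():
        match = PS_LINE.match(line.strip())
        if match is None:
            continue
        rows.append((match.group(1), int(match.group(2)), match.group(5).strip()))
    return rows


def domain_of(context: str) -> str:
    """Extract the type from user:role:type[:range]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def find_mislabelled(output: str) -> List[Tuple[str, int, str, str]]:
    """List (cmd, pid, actual_domain, expected_domain) for processes in the wrong domain."""
    problems: List[Tuple[str, int, str, str]] = []
    for context, pid, cmd in parse_ps_z(output):
        expected = EXPECTED_DOMAIN.get(cmd)
        if expected is None:
            continue  # not a process the checklist covers
        actual = domain_of(context)
        if actual != expected:
            problems.append((cmd, pid, actual, expected))
    return problems


if __name__ == "__main__":
    for label, sample in (("before relabel", BEFORE_RELABEL), ("after relabel", AFTER_RELABEL)):
        print(f"{label}:")
        for cmd, pid, actual, expected in find_mislabelled(sample):
            print(f"  {cmd} (pid {pid}) runs as {actual}, expected {expected}")
```

On a live system, feed it the output of ps -eZ instead of the embedded samples; everything in the wrong domain on the first sample is in kernel_t, which is the symptom the rest of the thread tracks back to init never transitioning to init_t.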
* Re: Wrong context for user
2011-06-24 12:04 Wrong context for user c.r.madhusudhanan
2011-06-24 12:53 ` Daniel J Walsh
@ 2011-06-24 12:57 ` Stephen Smalley
2011-06-24 13:44 ` c.r.madhusudhanan
1 sibling, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2011-06-24 12:57 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: SELinux
On Fri, 2011-06-24 at 08:04 -0400, c.r.madhusudhanan@gmail.com wrote:
> Hi All,
>
>
>
>
> I have meego configured with SELinux refpolicy. I have enabled SELinux
> user to linux user mapping, and though it shows correct selinux user
> and selinux role,
> the domain/type appears to be wrong.
>
>
> For example, when I login linux user "meego", and say ps -Z, it shows
> me,
>
>
> user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> user_u:user_r:insmod_t 795 tty1 00:00:00 ps
>
>
> where I expect this has to be user_u:user_r:user_t, any pointers?
Please provide your entire ps -Z output, or at least show the entire
ancestry of these processes (in particular the context of the login or
ssh process that spawned them).
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
2011-06-24 12:57 ` Stephen Smalley
@ 2011-06-24 13:44 ` c.r.madhusudhanan
2011-06-24 13:55 ` Daniel J Walsh
2011-06-24 14:11 ` Stephen Smalley
0 siblings, 2 replies; 19+ messages in thread
From: c.r.madhusudhanan @ 2011-06-24 13:44 UTC (permalink / raw)
To: Stephen Smalley, dwalsh; +Cc: SELinux
Hello Daniel, Stephen,
Thanks for the quick reply.
Yes, it looks like login runs in the wrong context, system_u:system_r:kernel_t,
and so do most of the processes.
I am loading the SELinux policy from init, so I would expect all daemons
to show their respective contexts.
Attached is the "ps -aeZ" output.
BTW, when I do "run_init /etc/init.d/sshd restart", the context changes from
"system_u:system_r:kernel_t" to "system_u:system_r:initrc_t", but not to
sshd_t.
Regards,
Madhu
On Fri, Jun 24, 2011 at 12:57 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 08:04 -0400, c.r.madhusudhanan@gmail.com wrote:
> > Hi All,
> >
> >
> >
> >
> > I have meego configured with SELinux refpolicy. I have enabled SELinux
> > user to linux user mapping, and though it shows correct selinux user
> > and selinux role,
> > the domain/type appears to be wrong.
> >
> >
> > For example, when I login linux user "meego", and say ps -Z, it shows
> > me,
> >
> >
> > user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> > user_u:user_r:insmod_t 795 tty1 00:00:00 ps
> >
> >
> > where I expect this has to be user_u:user_r:user_t, any pointers?
>
> Please provide your entire ps -Z output, or at least show the entire
> ancestry of these processes (in particular the context of the login or
> ssh process that spawned them).
>
> --
> Stephen Smalley
> National Security Agency
>
>
[-- Attachment #2: ps_output.txt --]
LABEL PID TTY TIME CMD
system_u:system_r:kernel_t 1 ? 00:00:08 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 4 ? 00:00:00 migration/0
system_u:system_r:kernel_t 5 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t 6 ? 00:00:00 migration/1
system_u:system_r:kernel_t 7 ? 00:00:00 ksoftirqd/1
system_u:system_r:kernel_t 8 ? 00:00:00 watchdog/1
system_u:system_r:kernel_t 9 ? 00:00:00 migration/2
system_u:system_r:kernel_t 10 ? 00:00:00 ksoftirqd/2
system_u:system_r:kernel_t 11 ? 00:00:00 watchdog/2
system_u:system_r:kernel_t 12 ? 00:00:00 migration/3
system_u:system_r:kernel_t 13 ? 00:00:00 ksoftirqd/3
system_u:system_r:kernel_t 14 ? 00:00:00 watchdog/3
system_u:system_r:kernel_t 15 ? 00:00:00 events/0
system_u:system_r:kernel_t 16 ? 00:00:00 events/1
system_u:system_r:kernel_t 17 ? 00:00:00 events/2
system_u:system_r:kernel_t 18 ? 00:00:01 events/3
system_u:system_r:kernel_t 19 ? 00:00:00 cpuset
system_u:system_r:kernel_t 20 ? 00:00:00 khelper
system_u:system_r:kernel_t 21 ? 00:00:00 async/mgr
system_u:system_r:kernel_t 22 ? 00:00:00 pm
system_u:system_r:kernel_t 23 ? 00:00:00 sync_supers
system_u:system_r:kernel_t 24 ? 00:00:00 bdi-default
system_u:system_r:kernel_t 25 ? 00:00:00 kblockd/0
system_u:system_r:kernel_t 26 ? 00:00:00 kblockd/1
system_u:system_r:kernel_t 27 ? 00:00:00 kblockd/2
system_u:system_r:kernel_t 28 ? 00:00:00 kblockd/3
system_u:system_r:kernel_t 29 ? 00:00:00 kacpid
system_u:system_r:kernel_t 30 ? 00:00:00 kacpi_notify
system_u:system_r:kernel_t 31 ? 00:00:00 kacpi_hotplug
system_u:system_r:kernel_t 32 ? 00:00:00 ata_aux
system_u:system_r:kernel_t 33 ? 00:00:00 ata_sff/0
system_u:system_r:kernel_t 34 ? 00:00:00 ata_sff/1
system_u:system_r:kernel_t 35 ? 00:00:00 ata_sff/2
system_u:system_r:kernel_t 36 ? 00:00:00 ata_sff/3
system_u:system_r:kernel_t 37 ? 00:00:00 khubd
system_u:system_r:kernel_t 38 ? 00:00:00 kseriod
system_u:system_r:kernel_t 39 ? 00:00:00 kmmcd
system_u:system_r:kernel_t 40 ? 00:00:00 cfg80211
system_u:system_r:kernel_t 41 ? 00:00:00 kondemand/0
system_u:system_r:kernel_t 42 ? 00:00:00 kondemand/1
system_u:system_r:kernel_t 43 ? 00:00:00 kondemand/2
system_u:system_r:kernel_t 44 ? 00:00:00 kondemand/3
system_u:system_r:kernel_t 45 ? 00:00:00 kswapd0
system_u:system_r:kernel_t 46 ? 00:00:00 aio/0
system_u:system_r:kernel_t 47 ? 00:00:00 aio/1
system_u:system_r:kernel_t 48 ? 00:00:00 aio/2
system_u:system_r:kernel_t 49 ? 00:00:00 aio/3
system_u:system_r:kernel_t 50 ? 00:00:00 crypto/0
system_u:system_r:kernel_t 51 ? 00:00:00 crypto/1
system_u:system_r:kernel_t 52 ? 00:00:00 crypto/2
system_u:system_r:kernel_t 53 ? 00:00:00 crypto/3
system_u:system_r:kernel_t 61 ? 00:00:00 i915
system_u:system_r:kernel_t 62 ? 00:00:00 kslowd000
system_u:system_r:kernel_t 63 ? 00:00:00 kslowd001
system_u:system_r:kernel_t 64 ? 00:00:00 scsi_eh_0
system_u:system_r:kernel_t 65 ? 00:00:00 scsi_eh_1
system_u:system_r:kernel_t 68 ? 00:00:00 scsi_eh_2
system_u:system_r:kernel_t 69 ? 00:00:00 scsi_eh_3
system_u:system_r:kernel_t 70 ? 00:00:00 smflush
system_u:system_r:kernel_t 71 ? 00:00:00 kpsmoused
system_u:system_r:kernel_t 72 ? 00:00:00 usbhid_resumer
system_u:system_r:kernel_t 73 ? 00:00:00 l2cap
system_u:system_r:kernel_t 74 ? 00:00:00 krfcommd
system_u:system_r:kernel_t 76 ? 00:00:00 btrfs-worker-0
system_u:system_r:kernel_t 77 ? 00:00:00 btrfs-genwork-0
system_u:system_r:kernel_t 78 ? 00:00:00 btrfs-submit-0
system_u:system_r:kernel_t 79 ? 00:00:00 btrfs-delalloc-
system_u:system_r:kernel_t 80 ? 00:00:00 btrfs-fixup-0
system_u:system_r:kernel_t 81 ? 00:00:00 btrfs-endio-0
system_u:system_r:kernel_t 83 ? 00:00:00 btrfs-endio-met
system_u:system_r:kernel_t 84 ? 00:00:00 btrfs-endio-wri
system_u:system_r:kernel_t 85 ? 00:00:00 btrfs-cleaner
system_u:system_r:kernel_t 86 ? 00:00:00 btrfs-transacti
system_u:system_r:kernel_t 117 ? 00:00:00 udevd
system_u:system_r:kernel_t 322 ? 00:00:00 hd-audio0
system_u:system_r:kernel_t 340 ? 00:00:00 kjournald
system_u:system_r:kernel_t 359 ? 00:00:00 flush-btrfs-1
system_u:system_r:kernel_t 361 ? 00:00:00 dbus-daemon
system_u:system_r:kernel_t 377 ? 00:00:00 connmand
system_u:system_r:kernel_t 381 ? 00:00:00 wpa_supplicant
system_u:system_r:kernel_t 382 ? 00:00:00 syslogd
system_u:system_r:kernel_t 386 ? 00:00:00 auditd
system_u:system_r:kernel_t 389 ? 00:00:00 kauditd
system_u:system_r:kernel_t 393 ? 00:00:00 klogd
system_u:system_r:kernel_t 409 ? 00:00:00 dsme
system_u:system_r:kernel_t 412 ? 00:00:00 dsme-server
system_u:system_r:kernel_t 420 ? 00:00:00 S50sensord
system_u:system_r:kernel_t 422 ? 00:00:00 bash
system_u:system_r:kernel_t 423 ? 00:00:00 sensord
system_u:system_r:kernel_t 425 ? 00:00:00 timed
system_u:system_r:kernel_t 433 ? 00:00:01 avahi-daemon
system_u:system_r:kernel_t 434 ? 00:00:00 avahi-daemon
system_u:system_r:kernel_t 436 ? 00:00:00 sshd
system_u:system_r:kernel_t 442 ? 00:00:00 ofonod
system_u:system_r:kernel_t 446 ? 00:00:00 bluetoothd
system_u:system_r:kernel_t 456 ? 00:00:00 uxlaunch
system_u:system_r:kernel_t 460 ? 00:00:00 uxlaunch
user_u:user_r:insmod_t 480 tty2 00:00:15 Xorg
user_u:user_r:insmod_t 483 ? 00:00:00 ssh-agent
system_u:system_r:kernel_t 485 ? 00:00:00 console-kit-dae
user_u:user_r:insmod_t 553 ? 00:00:00 dbus-daemon
user_u:user_r:insmod_t 556 ? 00:00:00 gconfd-2
user_u:user_r:insmod_t 559 ? 00:00:00 startivi
user_u:user_r:insmod_t 566 ? 00:00:00 msyncd
user_u:user_r:insmod_t 568 ? 00:00:00 udiskie
user_u:user_r:insmod_t 570 ? 00:00:00 obex-client
user_u:user_r:insmod_t 571 ? 00:00:00 corewatcher-app
user_u:user_r:insmod_t 572 ? 00:00:00 tracker-miner-f
user_u:user_r:insmod_t 573 ? 00:00:00 gpk-update-icon
user_u:user_r:insmod_t 575 ? 00:00:00 matchbox-window
user_u:user_r:insmod_t 576 ? 00:00:00 ividesktop
user_u:user_r:insmod_t 578 ? 00:00:12 ivihome
user_u:user_r:insmod_t 586 ? 00:00:00 pulseaudio
user_u:user_r:insmod_t 594 ? 00:00:00 festival
system_u:system_r:kernel_t 597 ? 00:00:00 udisks-daemon
system_u:system_r:kernel_t 598 ? 00:00:00 udisks-daemon
system_u:system_r:kernel_t 633 ? 00:00:00 login
root:staff_r:insmod_t 637 tty1 00:00:00 bash
system_u:system_r:kernel_t 657 ? 00:00:00 udevd
system_u:system_r:kernel_t 658 ? 00:00:00 udevd
user_u:user_r:insmod_t 668 ? 00:00:00 tracker-store
user_u:user_r:insmod_t 671 ? 00:00:00 tumblerd
system_u:system_r:kernel_t 684 ? 00:00:00 upowerd
system_u:system_r:kernel_t 700 ? 00:00:00 polkitd
system_u:system_r:kernel_t 765 ? 00:00:00 btrfs-endio-met
user_u:user_r:insmod_t 906 ? 00:00:00 xterm
user_u:user_r:insmod_t 909 pts/0 00:00:00 bash
system_u:system_r:kernel_t 937 ? 00:00:00 btrfs-endio-wri
user_u:user_r:insmod_t 958 pts/0 00:00:53 firefox-bin
system_u:system_r:kernel_t 974 ? 00:00:00 btrfs-endio-met
user_u:user_r:insmod_t 994 ? 00:00:00 xterm
user_u:user_r:insmod_t 996 pts/1 00:00:00 bash
user_u:user_r:insmod_t 1012 pts/1 00:00:00 ps
* Re: Wrong context for user
2011-06-24 13:44 ` c.r.madhusudhanan
@ 2011-06-24 13:55 ` Daniel J Walsh
2011-06-24 14:11 ` Stephen Smalley
1 sibling, 0 replies; 19+ messages in thread
From: Daniel J Walsh @ 2011-06-24 13:55 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: Stephen Smalley, SELinux
On 06/24/2011 09:44 AM, c.r.madhusudhanan@gmail.com wrote:
> Hello Daniel, Stephen,
>
> Thanks for the quick reply.
>
> Yes it looks login runs in the wrong context, system_u:system_r:kernel_t
> and most of the processes are.
>
> I am loading selinux policies from init, so I would expect all daemons
> should show their respective contexts.
>
You have got to get init to run as init_t to make this all work
correctly. If you load policy in the init process then you should re-exec
it; it should change its context to system_u:system_r:init_t:s0, or else the
rest of the transitions will not happen correctly.
> Attached is the "ps -aeZ" output.
>
> BTW, when I do "run_init /etc/init.d/sshd restart" the context changes from
> "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not to
> sshd_t.
>
This means sshd is not labeled sshd_exec_t.
> Regards,
> Madhu
>
>
>
>
> On Fri, Jun 24, 2011 at 12:57 PM, Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>> wrote:
>
> On Fri, 2011-06-24 at 08:04 -0400, c.r.madhusudhanan@gmail.com
> <mailto:c.r.madhusudhanan@gmail.com> wrote:
> > Hi All,
> >
> >
> >
> >
> > I have meego configured with SELinux refpolicy. I have enabled SELinux
> > user to linux user mapping, and though it shows correct selinux user
> > and selinux role,
> > the domain/type appears to be wrong.
> >
> >
> > For example, when I login linux user "meego", and say ps -Z, it shows
> > me,
> >
> >
> > user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> > user_u:user_r:insmod_t 795 tty1 00:00:00 ps
> >
> >
> > where I expect this has to be user_u:user_r:user_t, any pointers?
>
> Please provide your entire ps -Z output, or at least show the entire
> ancestry of these processes (in particular the context of the login or
> ssh process that spawned them).
>
> --
> Stephen Smalley
> National Security Agency
>
>
* Re: Wrong context for user
2011-06-24 13:44 ` c.r.madhusudhanan
2011-06-24 13:55 ` Daniel J Walsh
@ 2011-06-24 14:11 ` Stephen Smalley
2011-06-24 14:44 ` c.r.madhusudhanan
1 sibling, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2011-06-24 14:11 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-06-24 at 09:44 -0400, c.r.madhusudhanan@gmail.com wrote:
> Hello Daniel, Stephen,
>
> Thanks for the quick reply.
>
> Yes it looks login runs in the wrong context,
> system_u:system_r:kernel_t and most of the processes are.
>
> I am loading selinux policies from init, so I would expect all daemons
> should show their respective contexts.
>
> Attached is the "ps -aeZ" output.
>
> BTW, when I do "run_init /etc/init.d/sshd restart" the context changes
> from
> "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not
> to sshd_t.
Once policy is loaded, you have to make the first transition to init_t
for the init process. That can be done in one of several ways:
- load policy before execing /sbin/init from the real root (e.g. from
initramfs), and then you'll transition naturally when you exec
the /sbin/init binary if the file is labeled init_exec_t. I think we
did this when using upstart in Fedora to avoid modifying upstart itself.
- load policy from within /sbin/init and then re-exec yourself, using an
environment variable or argument to only do so on the first invocation.
This is what the original patches to SysVinit did in Fedora (and I think
it is what systemd does too).
- load policy from init and invoke setcon() to dynamically switch to the
init context before proceeding. Not preferred, but possible.
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
2011-06-24 14:11 ` Stephen Smalley
@ 2011-06-24 14:44 ` c.r.madhusudhanan
2011-06-24 14:48 ` Stephen Smalley
2011-07-01 13:56 ` Stephen Smalley
0 siblings, 2 replies; 19+ messages in thread
From: c.r.madhusudhanan @ 2011-06-24 14:44 UTC (permalink / raw)
To: dwalsh, Stephen Smalley; +Cc: SELinux
Thanks Daniel, Stephen.
I am able to get init_t and local_login_t for init and login respectively.
The mistake was that I missed relabeling the file system, so all the
executables were of type file_t.
But it looks like my problem still remains somehow, so that when I try to
log in it still shows me the wrong domain/type.
When I log in using 'login' (tty1), the context shows as
user_u:user_r:chkpwd_t, and when I check in X (auto login to user 'meego'
using 'uxlaunch') it shows as user_u:user_r:consoletype_t.
Attached is the "ps -aeZ" output after relabeling the system.
Regards,
Madhu
On Fri, Jun 24, 2011 at 2:11 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 09:44 -0400, c.r.madhusudhanan@gmail.com wrote:
> > Hello Daniel, Stephen,
> >
> > Thanks for the quick reply.
> >
> > Yes it looks login runs in the wrong context,
> > system_u:system_r:kernel_t and most of the processes are.
> >
> > I am loading selinux policies from init, so I would expect all daemons
> > should show their respective contexts.
> >
> > Attached is the "ps -aeZ" output.
> >
> > BTW, when I do "run_init /etc/init.d/sshd restart" the context changes
> > from
> > "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not
> > to sshd_t.
>
> Once policy is loaded, you have to make the first transition to init_t
> for the init process. That can be done in one of several ways:
>
> - load policy before execing /sbin/init from the real root (e.g. from
> initramfs), and then you'll transition naturally when you exec
> the /sbin/init binary if the file is labeled init_exec_t. I think we
> did this when using upstart in Fedora to avoid modifying upstart itself.
>
> - load policy from within /sbin/init and then re-exec yourself, using an
> environment variable or argument to only do on the first invocation.
> This is what the original patches to SysVinit did in Fedora (and I think
> it is what systemd does too).
>
> - load policy from init and invoke setcon() to dynamically switch to the
> init context before proceeding. Not preferred, but possible.
>
> --
> Stephen Smalley
> National Security Agency
>
>
[-- Attachment #2: ps_output2.txt --]
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:04 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 4 ? 00:00:00 migration/0
system_u:system_r:kernel_t 5 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t 6 ? 00:00:00 migration/1
system_u:system_r:kernel_t 7 ? 00:00:00 ksoftirqd/1
system_u:system_r:kernel_t 8 ? 00:00:00 watchdog/1
system_u:system_r:kernel_t 9 ? 00:00:00 migration/2
system_u:system_r:kernel_t 10 ? 00:00:00 ksoftirqd/2
system_u:system_r:kernel_t 11 ? 00:00:00 watchdog/2
system_u:system_r:kernel_t 12 ? 00:00:00 migration/3
system_u:system_r:kernel_t 13 ? 00:00:00 ksoftirqd/3
system_u:system_r:kernel_t 14 ? 00:00:00 watchdog/3
system_u:system_r:kernel_t 15 ? 00:00:00 events/0
system_u:system_r:kernel_t 16 ? 00:00:00 events/1
system_u:system_r:kernel_t 17 ? 00:00:00 events/2
system_u:system_r:kernel_t 18 ? 00:00:00 events/3
system_u:system_r:kernel_t 19 ? 00:00:00 cpuset
system_u:system_r:kernel_t 20 ? 00:00:00 khelper
system_u:system_r:kernel_t 21 ? 00:00:00 async/mgr
system_u:system_r:kernel_t 22 ? 00:00:00 pm
system_u:system_r:kernel_t 23 ? 00:00:00 sync_supers
system_u:system_r:kernel_t 24 ? 00:00:00 bdi-default
system_u:system_r:kernel_t 25 ? 00:00:00 kblockd/0
system_u:system_r:kernel_t 26 ? 00:00:00 kblockd/1
system_u:system_r:kernel_t 27 ? 00:00:00 kblockd/2
system_u:system_r:kernel_t 28 ? 00:00:00 kblockd/3
system_u:system_r:kernel_t 29 ? 00:00:00 kacpid
system_u:system_r:kernel_t 30 ? 00:00:00 kacpi_notify
system_u:system_r:kernel_t 31 ? 00:00:00 kacpi_hotplug
system_u:system_r:kernel_t 32 ? 00:00:00 ata_aux
system_u:system_r:kernel_t 33 ? 00:00:00 ata_sff/0
system_u:system_r:kernel_t 34 ? 00:00:00 ata_sff/1
system_u:system_r:kernel_t 35 ? 00:00:00 ata_sff/2
system_u:system_r:kernel_t 36 ? 00:00:00 ata_sff/3
system_u:system_r:kernel_t 37 ? 00:00:00 khubd
system_u:system_r:kernel_t 38 ? 00:00:00 kseriod
system_u:system_r:kernel_t 39 ? 00:00:00 kmmcd
system_u:system_r:kernel_t 40 ? 00:00:00 cfg80211
system_u:system_r:kernel_t 41 ? 00:00:00 kondemand/0
system_u:system_r:kernel_t 42 ? 00:00:00 kondemand/1
system_u:system_r:kernel_t 43 ? 00:00:00 kondemand/2
system_u:system_r:kernel_t 44 ? 00:00:00 kondemand/3
system_u:system_r:kernel_t 45 ? 00:00:00 kswapd0
system_u:system_r:kernel_t 46 ? 00:00:00 aio/0
system_u:system_r:kernel_t 47 ? 00:00:00 aio/1
system_u:system_r:kernel_t 48 ? 00:00:00 aio/2
system_u:system_r:kernel_t 49 ? 00:00:00 aio/3
system_u:system_r:kernel_t 50 ? 00:00:00 crypto/0
system_u:system_r:kernel_t 51 ? 00:00:00 crypto/1
system_u:system_r:kernel_t 52 ? 00:00:00 crypto/2
system_u:system_r:kernel_t 53 ? 00:00:00 crypto/3
system_u:system_r:kernel_t 61 ? 00:00:00 i915
system_u:system_r:kernel_t 62 ? 00:00:00 kslowd000
system_u:system_r:kernel_t 63 ? 00:00:00 kslowd001
system_u:system_r:kernel_t 64 ? 00:00:00 scsi_eh_0
system_u:system_r:kernel_t 65 ? 00:00:00 scsi_eh_1
system_u:system_r:kernel_t 68 ? 00:00:00 scsi_eh_2
system_u:system_r:kernel_t 69 ? 00:00:00 scsi_eh_3
system_u:system_r:kernel_t 70 ? 00:00:00 smflush
system_u:system_r:kernel_t 71 ? 00:00:00 kpsmoused
system_u:system_r:kernel_t 72 ? 00:00:00 usbhid_resumer
system_u:system_r:kernel_t 73 ? 00:00:00 l2cap
system_u:system_r:kernel_t 74 ? 00:00:00 krfcommd
system_u:system_r:kernel_t 76 ? 00:00:00 btrfs-worker-0
system_u:system_r:kernel_t 77 ? 00:00:00 btrfs-genwork-0
system_u:system_r:kernel_t 78 ? 00:00:00 btrfs-submit-0
system_u:system_r:kernel_t 79 ? 00:00:00 btrfs-delalloc-
system_u:system_r:kernel_t 80 ? 00:00:00 btrfs-fixup-0
system_u:system_r:kernel_t 82 ? 00:00:00 btrfs-endio-met
system_u:system_r:kernel_t 83 ? 00:00:00 btrfs-endio-met
system_u:system_r:kernel_t 85 ? 00:00:00 btrfs-cleaner
system_u:system_r:kernel_t 86 ? 00:00:00 btrfs-transacti
system_u:system_r:kernel_t 87 ? 00:00:00 btrfs-endio-met
system_u:system_r:udev_t 118 ? 00:00:00 udevd
system_u:system_r:kernel_t 304 ? 00:00:00 btrfs-endio-1
system_u:system_r:kernel_t 343 ? 00:00:00 hd-audio0
system_u:system_r:kernel_t 349 ? 00:00:00 kjournald
system_u:system_r:kernel_t 364 ? 00:00:00 flush-btrfs-1
system_u:system_r:system_dbusd_t 373 ? 00:00:00 dbus-daemon
system_u:system_r:initrc_t 389 ? 00:00:00 connmand
system_u:system_r:syslogd_t 392 ? 00:00:00 syslogd
system_u:system_r:NetworkManager_t 397 ? 00:00:00 wpa_supplicant
system_u:system_r:klogd_t 398 ? 00:00:00 klogd
system_u:system_r:auditd_t 404 ? 00:00:00 auditd
system_u:system_r:kernel_t 407 ? 00:00:00 kauditd
system_u:system_r:initrc_t 422 ? 00:00:00 dsme
system_u:system_r:initrc_t 427 ? 00:00:00 dsme-server
system_u:system_r:initrc_t 430 ? 00:00:00 S50sensord
system_u:system_r:initrc_t 432 ? 00:00:00 bash
system_u:system_r:initrc_t 434 ? 00:00:00 sensord
system_u:system_r:initrc_t 435 ? 00:00:00 timed
system_u:system_r:sshd_t 445 ? 00:00:00 sshd
system_u:system_r:avahi_t 452 ? 00:00:00 avahi-daemon
system_u:system_r:avahi_t 453 ? 00:00:00 avahi-daemon
system_u:system_r:init_t 462 ? 00:00:00 uxlaunch
system_u:system_r:initrc_t 464 ? 00:00:00 ofonod
system_u:system_r:bluetooth_t 466 ? 00:00:00 bluetoothd
system_u:system_r:init_t 471 ? 00:00:00 uxlaunch
user_u:user_r:consoletype_t 491 tty2 00:00:04 Xorg
user_u:user_r:consoletype_t 494 ? 00:00:00 ssh-agent
system_u:system_r:consolekit_t 496 ? 00:00:00 console-kit-dae
user_u:user_r:consoletype_t 564 ? 00:00:00 dbus-daemon
user_u:user_r:consoletype_t 567 ? 00:00:00 gconfd-2
user_u:user_r:consoletype_t 570 ? 00:00:00 startivi
user_u:user_r:consoletype_t 578 ? 00:00:00 msyncd
user_u:user_r:consoletype_t 580 ? 00:00:00 udiskie
user_u:user_r:consoletype_t 582 ? 00:00:00 obex-client
user_u:user_r:consoletype_t 583 ? 00:00:00 corewatcher-app
user_u:user_r:consoletype_t 584 ? 00:00:00 matchbox-window
user_u:user_r:consoletype_t 585 ? 00:00:00 ividesktop
user_u:user_r:consoletype_t 587 ? 00:00:00 tracker-miner-f
user_u:user_r:consoletype_t 588 ? 00:00:00 gpk-update-icon
user_u:user_r:consoletype_t 589 ? 00:00:09 ivihome
user_u:user_r:consoletype_t 598 ? 00:00:00 pulseaudio
user_u:user_r:consoletype_t 604 ? 00:00:00 festival
system_u:system_r:devicekit_disk_t 613 ? 00:00:00 udisks-daemon
system_u:system_r:devicekit_disk_t 616 ? 00:00:00 udisks-daemon
user_u:user_r:consoletype_t 625 ? 00:00:00 xterm
user_u:user_r:consoletype_t 629 pts/0 00:00:00 bash
system_u:system_r:kernel_t 647 ? 00:00:00 btrfs-worker-1
system_u:system_r:kernel_t 648 ? 00:00:00 btrfs-worker-2
system_u:system_r:kernel_t 699 ? 00:00:00 btrfs-endio-wri
system_u:system_r:kernel_t 700 ? 00:00:00 btrfs-endio-wri
system_u:system_r:udev_t 704 ? 00:00:00 udevd
system_u:system_r:udev_t 705 ? 00:00:00 udevd
user_u:user_r:consoletype_t 716 ? 00:00:00 tracker-store
user_u:user_r:consoletype_t 719 ? 00:00:00 tumblerd
system_u:system_r:system_dbusd_t 861 ? 00:00:00 packagekitd
system_u:system_r:devicekit_power_t 863 ? 00:00:00 upowerd
system_u:system_r:system_dbusd_t 880 ? 00:00:00 polkitd
system_u:system_r:local_login_t 926 ? 00:00:00 login
user_u:user_r:chkpwd_t 930 tty1 00:00:00 bash
system_u:system_r:kernel_t 959 ? 00:00:00 btrfs-endio-met
user_u:user_r:consoletype_t 970 pts/0 00:00:18 firefox-bin
user_u:user_r:consoletype_t 1009 ? 00:00:00 xterm
user_u:user_r:consoletype_t 1011 pts/1 00:00:00 bash
user_u:user_r:consoletype_t 1025 pts/1 00:00:00 bash
system_u:system_r:kernel_t 1044 ? 00:00:00 btrfs-endio-wri
user_u:user_r:consoletype_t 1046 pts/1 00:00:00 ps
* Re: Wrong context for user
2011-06-24 14:44 ` c.r.madhusudhanan
@ 2011-06-24 14:48 ` Stephen Smalley
2011-06-24 14:52 ` c.r.madhusudhanan
2011-07-01 13:56 ` Stephen Smalley
1 sibling, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2011-06-24 14:48 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> Thanks Daniel, Stephen.
>
> I am able to get init_t, local_login_t for init, and login
> respectively.
> The mistake was that I missed relabeling the file system, so all the
> executables were of type file_t.
>
> But it looks my problem still remains somehow, so that when I try
> login it still shows me wrong domain/type.
>
> When I login using 'login' (tty1), the context shows as
> user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
>
> Attached is the "ps -aeZ" after relabeling the system.
What does your default_contexts file contain?
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
2011-06-24 14:48 ` Stephen Smalley
@ 2011-06-24 14:52 ` c.r.madhusudhanan
2011-06-24 15:09 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: c.r.madhusudhanan @ 2011-06-24 14:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: dwalsh, SELinux
[-- Attachment #1.1: Type: text/plain, Size: 915 bytes --]
Attached for your reference.
Regards,
Madhu
On Fri, Jun 24, 2011 at 2:48 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> > Thanks Daniel, Stephen.
> >
> > I am able to get init_t, local_login_t for init, and login
> > respectively.
> > The mistake was that I missed relabeling the file system, so all the
> > executables were of type file_t.
> >
> > But it looks my problem still remains somehow, so that when I try
> > login it still shows me wrong domain/type.
> >
> > When I login using 'login' (tty1), the context shows as
> > user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> > 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
> >
> > Attached is the "ps -aeZ" after relabeling the system.
>
> What does your default_contexts file contain?
>
> --
> Stephen Smalley
> National Security Agency
>
>
[-- Attachment #2: seusers --]
system_u:system_u
root:root
__default__:user_u
[-- Attachment #3: default_contexts --]
system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sulogin_t sysadm_r:sysadm_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
* Re: Wrong context for user
2011-06-24 14:52 ` c.r.madhusudhanan
@ 2011-06-24 15:09 ` Stephen Smalley
2011-06-24 15:50 ` c.r.madhusudhanan
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2011-06-24 15:09 UTC (permalink / raw)
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> attached for your reference.
What do the libselinux/utils say, e.g.:
cd libselinux/utils
./getconlist user_u system_u:system_r:local_login_t
./getseuser root system_u:system_r:local_login_t
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 15:50 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux
[root@localhost utils]# ./getconlist user_u
user_u:user_r:consoletype_t
[root@localhost utils]# ./getconlist root
root:sysadm_r:sysadm_t
[root@localhost utils]# ./getseuser meego
seuser: user_u, level (null)
Context 0 user_u:user_r:consoletype_t
[root@localhost utils]# ./getseuser root
seuser: root, level (null)
Context 0 root:sysadm_r:sysadm_t
(I don't know why, but getseuser didn't work until I changed the code
`if (argc != 2)`.)
Regards
Madhu.
On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> > attached for your reference.
>
> What do the libselinux/utils say, e.g.:
> cd libselinux/utils
> ./getconlist user_u system_u:system_r:local_login_t
> ./getseuser root system_u:system_r:local_login_t
>
> --
> Stephen Smalley
> National Security Agency
>
>
* Re: Wrong context for user
From: Sam Gandhi @ 2011-06-24 21:26 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: Stephen Smalley, dwalsh, SELinux
On Fri, Jun 24, 2011 at 8:50 AM, c.r.madhusudhanan@gmail.com
<c.r.madhusudhanan@gmail.com> wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know why, but getseuser didn't work until I changed the code
> `if (argc != 2)`.)
>
My guess is that it is picking up the context from the
/etc/selinux/<context>/contexts/failsafe_context file.
Does your failsafe_context file have the string system_r:unconfined_t in
it? For experimental purposes, if you change it to system_r:initrc_t you
will notice that your login session has the context
root:system_r:initrc_t.
Now I don't know SELinux well enough to know if changing the
failsafe_context file is the correct thing to do. You could run getseuser
through strace and see all the configuration files it examines.
One thing you will notice is that the SELinux user libraries read and write
various files in /selinux/, but I haven't found a description of how the
interface for /selinux/XXX is supposed to work.
> On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
>> > attached for your reference.
>>
>> What do the libselinux/utils say, e.g.:
>> cd libselinux/utils
>> ./getconlist user_u system_u:system_r:local_login_t
>> ./getseuser root system_u:system_r:local_login_t
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>
>
-Sam
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-28 15:34 UTC
To: Sam Gandhi; +Cc: Stephen Smalley, dwalsh, SELinux
Hi Sam,
Sorry I couldn't reply to you earlier; the issue still remains.
I checked failsafe_context, and it was 'sysadm_r:syadm_t', and when I changed
it to 'system_r:initrc_t' as you said, it didn't have any effect.
Regards,
Madhu
On Fri, Jun 24, 2011 at 5:26 PM, Sam Gandhi <samgandhi9@gmail.com> wrote:
> On Fri, Jun 24, 2011 at 8:50 AM, c.r.madhusudhanan@gmail.com
> <c.r.madhusudhanan@gmail.com> wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know why, but getseuser didn't work until I changed the code
> > `if (argc != 2)`.)
> >
>
> My guess is that it is picking up the context from the
> /etc/selinux/<context>/contexts/failsafe_context file.
> Does your failsafe_context file have the string system_r:unconfined_t in
> it? For experimental purposes, if you change it to system_r:initrc_t you
> will notice that your login session has the context
> root:system_r:initrc_t.
>
> Now I don't know SELinux well enough to know if changing the
> failsafe_context file is the correct thing to do. You could run getseuser
> through strace and see all the configuration files it examines.
>
> One thing you will notice is that the SELinux user libraries read and write
> various files in /selinux/, but I haven't found a description of how the
> interface for /selinux/XXX is supposed to work.
>
>
> > On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov>
> wrote:
> >>
> >> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> >> > attached for your reference.
> >>
> >> What do the libselinux/utils say, e.g.:
> >> cd libselinux/utils
> >> ./getconlist user_u system_u:system_r:local_login_t
> >> ./getseuser root system_u:system_r:local_login_t
> >>
> >> --
> >> Stephen Smalley
> >> National Security Agency
> >>
> >
> >
>
> -Sam
>
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:23 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know why, but getseuser didn't work until I changed the code
> `if (argc != 2)`.)
You aren't invoking them correctly - you need to pass the security
context of the login process as the second argument, as I showed.
For example, on Fedora, we have:
$ ./getconlist user_u system_u:system_r:local_login_t:s0
user_u:user_r:user_t:s0
$ ./getseuser root system_u:system_r:local_login_t:s0
seuser: unconfined_u, level s0-s0:c0.c1023
Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Omit the :s0 if you don't have MLS enabled in your policy.
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:50 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-07-01 at 09:23 -0400, Stephen Smalley wrote:
> On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know why, but getseuser didn't work until I changed the code
> > `if (argc != 2)`.)
>
> You aren't invoking them correctly - you need to pass the security
> context of the login process as the second argument, as I showed.
>
> For example, on Fedora, we have:
> $ ./getconlist user_u system_u:system_r:local_login_t:s0
> user_u:user_r:user_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> seuser: unconfined_u, level s0-s0:c0.c1023
> Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Omit the :s0 if you don't have MLS enabled in your policy.
BTW, debugging this kind of problem often requires a copy of your
entire /etc/selinux directory.
pstree -Z output might also be interesting.
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:56 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> Thanks Daniel, Stephen.
>
> I am able to get init_t, local_login_t for init, and login
> respectively.
> The mistake was that I missed relabeling the file system, so all the
> executables were of type file_t.
>
> But it looks like my problem still remains somehow, so that when I try to
> login it still shows me the wrong domain/type.
>
> When I login using 'login' (tty1), the context shows as
> user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
>
> Attached is the "ps -aeZ" after relabeling the system.
Going back to this ps output, I think you'll need some policy changes to
support MeeGo's uxlaunch approach to starting a user desktop. You need
uxlaunch to transition into a domain suitable for user login like xdm_t
(used for gdm/xdm/kdm) rather than running in init_t or we won't get the
expected transitions for user domains.
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 16:17 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux
On Fri, 2011-07-01 at 09:56 -0400, Stephen Smalley wrote:
> On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> > Thanks Daniel, Stephen.
> >
> > I am able to get init_t, local_login_t for init, and login
> > respectively.
> > The mistake was that I missed relabeling the file system, so all the
> > executables were of type file_t.
> >
> > But it looks like my problem still remains somehow, so that when I try to
> > login it still shows me the wrong domain/type.
> >
> > When I login using 'login' (tty1), the context shows as
> > user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> > 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
> >
> > Attached is the "ps -aeZ" after relabeling the system.
>
> Going back to this ps output, I think you'll need some policy changes to
> support MeeGo's uxlaunch approach to starting a user desktop. You need
> uxlaunch to transition into a domain suitable for user login like xdm_t
> (used for gdm/xdm/kdm) rather than running in init_t or we won't get the
> expected transitions for user domains.
And given that, you might want to take this conversation over to the
refpolicy list as it becomes a policy configuration issue for MeeGo.
http://oss.tresys.com/mailman/listinfo/refpolicy
--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-07-05 14:43 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux
Hi Stephen,
Many thanks for your help. I am now able to get the correct user type
(user_t).
The problem I had was in the kernel, which was wrongly configured to use
policydb version 19.
When I changed the kernel config, I was able to log in with the correct context.
Attached is the getconlist and getseuser output for your reference, before and
after the kernel changes.
PS: this works for login (local_login_t); for uxlaunch, as you said, I
am planning to have a policy transition.
Regards,
Madhu
On Fri, Jul 1, 2011 at 9:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know why, but getseuser didn't work until I changed the code
> > `if (argc != 2)`.)
>
> You aren't invoking them correctly - you need to pass the security
> context of the login process as the second argument, as I showed.
>
> For example, on Fedora, we have:
> $ ./getconlist user_u system_u:system_r:local_login_t:s0
> user_u:user_r:user_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> seuser: unconfined_u, level s0-s0:c0.c1023
> Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Omit the :s0 if you don't have MLS enabled in your policy.
>
> --
> Stephen Smalley
> National Security Agency
>
>
Attachment: libsemanage_utils_output.txt
Wrong kernel option was:
-----------------------
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
Before
------
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:staff_r:chkpwd_t
root:staff_r:updpwd_t
root:sysadm_r:chkpwd_t
root:sysadm_r:updpwd_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:chkpwd_t
user_u:user_r:updpwd_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:staff_r:chkpwd_t
Context 1 root:staff_r:updpwd_t
Context 2 root:sysadm_r:chkpwd_t
Context 3 root:sysadm_r:updpwd_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:chkpwd_t
Context 1 user_u:user_r:updpwd_t
[root@localhost utils]#
After
-----
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:sysadm_r:sysadm_t
root:staff_r:staff_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:user_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:sysadm_r:sysadm_t
Context 1 root:staff_r:staff_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:user_t
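An added example, not code from the thread, libselinux, refpolicy or MeeGo: a Python model of the selection that getseuser and getconlist perform, built on the seusers and default_contexts files posted earlier in this thread (default_contexts abridged to its login-program lines). The kernel's answer to security_compute_user needs a live SELinux kernel with the policy loaded, so it is replaced here by constructed lists reconstructed from the before/after output above; the per-user contexts/users/root file is an assumption modelled on the one refpolicy ships, since the thread does not show it. The model shows why the "before" run returned chkpwd_t and updpwd_t (user_r:user_t was not reachable, so nothing in default_contexts matched and the reachable list came back as the kernel gave it) and why root's "after" list leads with sysadm_r once the per-user file is consulted ahead of default_contexts.

```python
"""Simplified model of get_ordered_context_list() as used by getseuser and
getconlist.  Added example for this thread, not libselinux code.

  1. seusers maps the Linux login name to an SELinux user (__default__ fallback);
  2. the kernel reports which contexts are reachable for that SELinux user
     from the login program's context (constructed input here);
  3. contexts/users/<seuser>, then default_contexts, order the reachable
     contexts for the login program's role:type.  Reachable contexts no
     preference names are dropped; if nothing matches, the reachable list
     is returned unchanged.
"""

# Copied from the files posted in this thread (default_contexts abridged).
SEUSERS = """\
system_u:system_u
root:root
__default__:user_u
"""

DEFAULT_CONTEXTS = """\
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""

# Assumed contents of contexts/users/root, modelled on refpolicy's
# root_default_contexts (root prefers sysadm_r first).  Not shown in the thread.
ROOT_USER_CONTEXTS = "system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t\n"

LOGIN_CON = "system_u:system_r:local_login_t"

# Constructed stand-ins for security_compute_user(), reconstructed from the
# getconlist output above: before the policydb-version fix user_t was not
# reachable for user_u from local_login_t; afterwards it is (chkpwd_t and
# updpwd_t are assumed to still be reachable, they are just not preferred).
REACHABLE_BEFORE = {
    "user_u": ["user_u:user_r:chkpwd_t", "user_u:user_r:updpwd_t"],
}
REACHABLE_AFTER = {
    "user_u": ["user_u:user_r:chkpwd_t", "user_u:user_r:updpwd_t",
               "user_u:user_r:user_t"],
    "root": ["root:staff_r:chkpwd_t", "root:staff_r:staff_t",
             "root:sysadm_r:chkpwd_t", "root:sysadm_r:sysadm_t"],
}


def parse_seusers(text):
    """seusers lines are 'login:seuser[:range]'; the range is ignored here."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            login, seuser = line.split(":")[:2]
            table[login] = seuser
    return table


def get_seuser(seusers, login):
    """getseuserbyname(): exact entry, then __default__, else the login name."""
    return seusers.get(login) or seusers.get("__default__") or login


def role_type(context):
    """'user:role:type[:level]' -> 'role:type'; an MLS level is ignored."""
    fields = context.split(":")
    return fields[1] + ":" + fields[2]


def preferences(text, fromcon):
    """Preferred role:type list for the login program's role:type, in file
    order; [] when the file has no line for that role:type."""
    wanted = role_type(fromcon)
    prefs = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == wanted:
            prefs.extend(fields[1:])
    return prefs


def order_context_list(reachable, fromcon, default_contexts, user_contexts=None):
    """Per-user preferences first, then default_contexts; unmatched
    reachable contexts are dropped unless nothing matched at all."""
    prefs = preferences(user_contexts, fromcon) if user_contexts else []
    prefs += preferences(default_contexts, fromcon)
    ordered = []
    for pref in prefs:
        for ctx in reachable:
            if role_type(ctx) == pref and ctx not in ordered:
                ordered.append(ctx)
    return ordered if ordered else list(reachable)


def get_ordered_context_list(login, fromcon, reachable_by_seuser,
                             seusers=SEUSERS, default_contexts=DEFAULT_CONTEXTS,
                             user_contexts=None):
    """What getseuser prints: the SELinux user and the ordered context list."""
    seuser = get_seuser(parse_seusers(seusers), login)
    reachable = reachable_by_seuser.get(seuser, [])
    return seuser, order_context_list(reachable, fromcon, default_contexts, user_contexts)


if __name__ == "__main__":
    for label, reach in (("before", REACHABLE_BEFORE), ("after", REACHABLE_AFTER)):
        seuser, ctxs = get_ordered_context_list("meego", LOGIN_CON, reach)
        print(f"{label}: seuser: {seuser}")
        for i, ctx in enumerate(ctxs):
            print(f"  Context {i} {ctx}")
```

Running the file prints getseuser-style output for the meego user before and after the fix. The same fall-through explains the danger of running the real utilities without the login program's context, as in the ./getconlist user_u invocation earlier in the thread: they then use the calling shell's own context, so the reachable set and the default_contexts line consulted are that shell's, not local_login_t's.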
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-07-06 14:14 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux
On Fri, Jul 1, 2011 at 9:56 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> > Thanks Daniel, Stephen.
> >
> > I am able to get init_t, local_login_t for init, and login
> > respectively.
> > The mistake was that I missed relabeling the file system, so all the
> > executables were of type file_t.
> >
> > But it looks like my problem still remains somehow, so that when I try to
> > login it still shows me the wrong domain/type.
> >
> > When I login using 'login' (tty1), the context shows as
> > user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> > 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
> >
> > Attached is the "ps -aeZ" after relabeling the system.
>
> Going back to this ps output, I think you'll need some policy changes to
> support MeeGo's uxlaunch approach to starting a user desktop. You need
> uxlaunch to transition into a domain suitable for user login like xdm_t
> (used for gdm/xdm/kdm) rather than running in init_t or we won't get the
> expected transitions for user domains.
>
Thanks for that, "setfilecon system_u:object_r:xdm_exec_t /usr/sbin/uxlaunch"
solved the context issue in X.
> --
> Stephen Smalley
> National Security Agency
>
>
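An added example, not code from the thread, libselinux, refpolicy or MeeGo: a small Python checker for the two labelling faults this thread worked through, executables still labelled file_t after a missed relabel, and a login program running in a domain that default_contexts is not keyed on (uxlaunch in init_t rather than xdm_t). It parses `ps -eZ` and `ls -Z` output; the samples below are constructed, and the expected-domain and expected-entrypoint tables are assumptions drawn from the domains named in this thread and refpolicy's type names, to be adapted to the policy in use.

```python
"""Spot the labelling faults diagnosed in this thread in ps -eZ / ls -Z output.
Added example; not code from the thread, libselinux, refpolicy or MeeGo."""
import re

# Expected process domain per login program.  Assumption drawn from this
# thread: init_t, local_login_t, sshd_t and xdm_t are the domains named above,
# and uxlaunch -> xdm_t follows Stephen's recommendation.
EXPECTED_DOMAIN = {
    "init": "init_t",
    "login": "local_login_t",
    "sshd": "sshd_t",
    "xdm": "xdm_t", "gdm": "xdm_t", "kdm": "xdm_t",
    "uxlaunch": "xdm_t",
}

# Expected entrypoint label per executable.  uxlaunch -> xdm_exec_t is the fix
# reported above; login_exec_t and sshd_exec_t are refpolicy names (assumption).
EXPECTED_EXEC_TYPE = {
    "uxlaunch": "xdm_exec_t",
    "login": "login_exec_t",
    "sshd": "sshd_exec_t",
}

# ps -eZ columns: LABEL PID TTY TIME CMD (the header row has no numeric PID).
PS_LINE = re.compile(
    r"^(?P<ctx>\S+)\s+(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$")


def ctx_type(context):
    """'user:role:type[:level]' -> type."""
    return context.split(":")[2]


def parse_ps(text):
    """ps -eZ text -> [(context, pid, command)]; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            rows.append((m.group("ctx"), int(m.group("pid")), m.group("cmd")))
    return rows


def check_processes(ps_text, expected=EXPECTED_DOMAIN):
    """Login programs whose domain differs from the expected one."""
    findings = []
    for ctx, pid, cmd in parse_ps(ps_text):
        name = cmd.split()[0].rsplit("/", 1)[-1]
        want, have = expected.get(name), ctx_type(ctx)
        if want and have != want:
            findings.append(f"pid {pid} {name}: runs as {have}, expected {want}")
    return findings


def check_files(ls_text, expected=EXPECTED_EXEC_TYPE):
    """ls -Z lines in any column layout: the token containing ':object_r:' is
    the label and the last token is the path.  Flags file_t (never relabelled)
    and known login programs with the wrong entrypoint type."""
    findings = []
    for line in ls_text.splitlines():
        toks = line.split()
        ctx = next((t for t in toks if ":object_r:" in t), None)
        if ctx is None or len(toks) < 2:
            continue
        path = toks[-1]
        name = path.rsplit("/", 1)[-1]
        have = ctx_type(ctx)
        if have == "file_t":
            findings.append(f"{path}: unlabelled (file_t); run restorecon -v {path} "
                            f"or relabel the whole filesystem")
        elif name in expected and have != expected[name]:
            want = expected[name]
            findings.append(f"{path}: labelled {have}, expected {want}; "
                            f"semanage fcontext -a -t {want} {path} && restorecon -v {path}")
    return findings


# Constructed samples, not output captured from the system in this thread.
PS_SAMPLE = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:init_t          412 ?        00:00:00 uxlaunch
system_u:system_r:local_login_t   455 tty1     00:00:00 login
"""

LS_UNLABELLED = """\
-rwxr-xr-x root root system_u:object_r:file_t /usr/sbin/uxlaunch
-rwxr-xr-x root root system_u:object_r:file_t /bin/login
"""

LS_RELABELLED = """\
-rwxr-xr-x root root system_u:object_r:bin_t /usr/sbin/uxlaunch
-rwxr-xr-x root root system_u:object_r:login_exec_t /bin/login
"""

if __name__ == "__main__":
    for f in check_processes(PS_SAMPLE) + check_files(LS_UNLABELLED) + check_files(LS_RELABELLED):
        print(f)
```

The setfilecon named in the message above is the libselinux function; from a shell the one-off equivalent is chcon -t xdm_exec_t /usr/sbin/uxlaunch, and the persistent form is the semanage fcontext plus restorecon pair the checker prints, so the label survives the next relabel. The process check only confirms that the display manager lands in xdm_t; whether xdm_t then transitions user sessions into user_t is decided by the default_contexts line for system_r:xdm_t, as discussed earlier in the thread.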
Thread overview:
2011-06-24 12:04 Wrong context for user c.r.madhusudhanan
2011-06-24 12:53 ` Daniel J Walsh
2011-06-24 12:57 ` Stephen Smalley
2011-06-24 13:44 ` c.r.madhusudhanan
2011-06-24 13:55 ` Daniel J Walsh
2011-06-24 14:11 ` Stephen Smalley
2011-06-24 14:44 ` c.r.madhusudhanan
2011-06-24 14:48 ` Stephen Smalley
2011-06-24 14:52 ` c.r.madhusudhanan
2011-06-24 15:09 ` Stephen Smalley
2011-06-24 15:50 ` c.r.madhusudhanan
2011-06-24 21:26 ` Sam Gandhi
2011-06-28 15:34 ` c.r.madhusudhanan
2011-07-01 13:23 ` Stephen Smalley
2011-07-01 13:50 ` Stephen Smalley
2011-07-05 14:43 ` c.r.madhusudhanan
2011-07-01 13:56 ` Stephen Smalley
2011-07-01 16:17 ` Stephen Smalley
2011-07-06 14:14 ` c.r.madhusudhanan