Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 12:04 UTC
To: SELinux

Hi All,

I have meego configured with SELinux refpolicy. I have enabled SELinux user to linux user mapping, and though it shows the correct selinux user and selinux role, the domain/type appears to be wrong.

For example, when I log in as linux user "meego" and run ps -Z, it shows me:

    user_u:user_r:insmod_t 773 tty1 00:00:00 bash
    user_u:user_r:insmod_t 795 tty1 00:00:00 ps

where I expect this to be user_u:user_r:user_t. Any pointers?

Regards,
Madhu
Re: Wrong context for user
From: Daniel J Walsh @ 2011-06-24 12:53 UTC
To: c.r.madhusudhanan@gmail.com; Cc: SELinux

On 06/24/2011 08:04 AM, c.r.madhusudhanan@gmail.com wrote:
> Hi All,
>
> I have meego configured with SELinux refpolicy. I have enabled SELinux
> user to linux user mapping, and though it shows correct selinux user and
> selinux role, the domain/type appears to be wrong.
>
> For example, when I login linux user "meego", and say ps -Z, it shows me,
>
> user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> user_u:user_r:insmod_t 795 tty1 00:00:00 ps
>
> where I expect this has to be user_u:user_r:user_t, any pointers?
>
> Regards,
> Madhu

Most likely your login program is not running with the correct context.

    ps -eZ | grep login   --> Should be local_login_t
    ps -eZ | grep sshd    --> Should be sshd_t
    ps -eZ | grep gdm     --> Should be xdm_t

Usually login programs running as the wrong context need to be relabeled.

    touch /.autorelabel; reboot

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Re: Wrong context for user
From: Stephen Smalley @ 2011-06-24 12:57 UTC
To: c.r.madhusudhanan@gmail.com; Cc: SELinux

On Fri, 2011-06-24 at 08:04 -0400, c.r.madhusudhanan@gmail.com wrote:
> Hi All,
>
> I have meego configured with SELinux refpolicy. I have enabled SELinux
> user to linux user mapping, and though it shows correct selinux user
> and selinux role, the domain/type appears to be wrong.
>
> For example, when I login linux user "meego", and say ps -Z, it shows
> me,
>
> user_u:user_r:insmod_t 773 tty1 00:00:00 bash
> user_u:user_r:insmod_t 795 tty1 00:00:00 ps
>
> where I expect this has to be user_u:user_r:user_t, any pointers?

Please provide your entire ps -Z output, or at least show the entire ancestry of these processes (in particular the context of the login or ssh process that spawned them).

--
Stephen Smalley
National Security Agency
Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 13:44 UTC
To: Stephen Smalley, dwalsh; Cc: SELinux

Hello Daniel, Stephen,

Thanks for the quick reply.

Yes, it looks like login runs in the wrong context, system_u:system_r:kernel_t, and most of the processes do.

I am loading selinux policies from init, so I would expect all daemons to show their respective contexts.

Attached is the "ps -aeZ" output.

BTW, when I do "run_init /etc/init.d/sshd restart" the context changes from "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not to sshd_t.

Regards,
Madhu

On Fri, Jun 24, 2011 at 12:57 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Please provide your entire ps -Z output, or at least show the entire
> ancestry of these processes (in particular the context of the login or
> ssh process that spawned them).
>
> --
> Stephen Smalley
> National Security Agency

[-- Attachment #2: ps_output.txt --]
Re: Wrong context for user
From: Daniel J Walsh @ 2011-06-24 13:55 UTC
To: c.r.madhusudhanan@gmail.com; Cc: Stephen Smalley, SELinux

On 06/24/2011 09:44 AM, c.r.madhusudhanan@gmail.com wrote:
> Hello Daniel, Stephen,
>
> Thanks for the quick reply.
>
> Yes it looks login runs in the wrong context, system_u:system_r:kernel_t
> and most of the processes are.
>
> I am loading selinux policies from init, so I would expect all daemons
> should show their respective contexts.

You have got to get init to run as init_t to make this all work correctly. If you load policy in the init process, then you should re-exec it; it should change its context to system_u:system_r:init_t:s0, or else the rest of the transitions will not happen correctly.

> Attached is the "ps -aeZ" output.
>
> BTW, when I do "run_init /etc/init.d/sshd restart" the context changes from
> "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not to
> sshd_t.

This means sshd is not labeled sshd_exec_t.

> Regards,
> Madhu
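Dan's checklist (login should be local_login_t, sshd sshd_t, gdm xdm_t) and his point that init must run as init_t can be turned into a quick triage of ps -eZ output. The following is an added example, not code from the thread: the expected-domain table is taken from the replies, and the two ps samples are constructed, modelled on the before/after outputs Madhu attached.

```python
"""Triage `ps -eZ` output for the login-path labelling problems in this thread.

Added example (not code from the thread): it encodes the checklist from the
replies (init must run as init_t, login as local_login_t, sshd as sshd_t,
gdm as xdm_t) and reports what actually runs where. The two ps samples are
constructed, modelled on the before/after outputs posted in the thread.
"""
import re
from typing import Dict, List, NamedTuple

# Expected domain per login-path program, as stated in the replies.
EXPECTED_DOMAIN: Dict[str, str] = {
    "init": "init_t",
    "login": "local_login_t",
    "sshd": "sshd_t",
    "gdm": "xdm_t",
}

# Constructed sample: policy loaded by init without a transition, so PID 1 and
# everything it spawned stayed in kernel_t (the first ps_output.txt symptom).
SAMPLE_BEFORE = """\
LABEL                           PID TTY          TIME CMD
system_u:system_r:kernel_t        1 ?        00:00:08 init
system_u:system_r:kernel_t        2 ?        00:00:00 kthreadd
system_u:system_r:kernel_t      436 ?        00:00:00 sshd
system_u:system_r:kernel_t      633 ?        00:00:00 login
user_u:user_r:insmod_t          773 tty1     00:00:00 bash
"""

# Constructed sample after the filesystem relabel: init and the login
# programs transition correctly; only the user shell is still off.
SAMPLE_AFTER = """\
LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0       1 ?        00:00:04 init
system_u:system_r:kernel_t        2 ?        00:00:00 kthreadd
system_u:system_r:sshd_t        445 ?        00:00:00 sshd
system_u:system_r:local_login_t 926 ?        00:00:00 login
user_u:user_r:chkpwd_t          930 tty1     00:00:00 bash
"""


class Proc(NamedTuple):
    user: str
    role: str
    domain: str
    pid: int
    tty: str
    cmd: str


# ps -eZ columns: LABEL PID TTY TIME CMD; the label may carry an MLS level.
_PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+:\d\d:\d\d)\s+(.+?)\s*$")


def parse_ps_eZ(text: str) -> List[Proc]:
    """Parse `ps -eZ` output into Proc records; header and unlabeled lines are skipped."""
    procs: List[Proc] = []
    for line in text.splitlines():
        m = _PS_LINE.match(line)
        if not m:
            continue  # header line or something that is not a process row
        label, pid, tty, _time, cmd = m.groups()
        fields = label.split(":")
        if len(fields) < 3:
            continue  # e.g. "-" when the process has no SELinux label
        procs.append(Proc(fields[0], fields[1], fields[2], int(pid), tty, cmd))
    return procs


def wrong_login_domains(procs: List[Proc]) -> Dict[str, str]:
    """Map each login-path command running in the wrong domain to that domain."""
    return {p.cmd: p.domain for p in procs
            if p.cmd in EXPECTED_DOMAIN and p.domain != EXPECTED_DOMAIN[p.cmd]}


def diagnose(procs: List[Proc]) -> List[str]:
    """Turn the findings into the remediation hints given in the thread."""
    hints: List[str] = []
    for cmd, domain in sorted(wrong_login_domains(procs).items()):
        if cmd == "init" and domain == "kernel_t":
            hints.append("PID 1 runs as kernel_t: init never transitioned to init_t after "
                         "loading policy (load policy before exec'ing /sbin/init, or re-exec "
                         "init once policy is loaded); every child inherits kernel_t.")
        else:
            hints.append(f"{cmd} runs as {domain}, expected {EXPECTED_DOMAIN[cmd]}: check "
                         f"the binary's file label and relabel (touch /.autorelabel; reboot).")
    return hints


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {name} ==")
        for hint in diagnose(parse_ps_eZ(sample)) or ["login path looks correct"]:
            print(" -", hint)
```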
Re: Wrong context for user
From: Stephen Smalley @ 2011-06-24 14:11 UTC
To: c.r.madhusudhanan@gmail.com; Cc: dwalsh, SELinux

On Fri, 2011-06-24 at 09:44 -0400, c.r.madhusudhanan@gmail.com wrote:
> Hello Daniel, Stephen,
>
> Thanks for the quick reply.
>
> Yes it looks login runs in the wrong context,
> system_u:system_r:kernel_t and most of the processes are.
>
> I am loading selinux policies from init, so I would expect all daemons
> should show their respective contexts.
>
> Attached is the "ps -aeZ" output.
>
> BTW, when I do "run_init /etc/init.d/sshd restart" the context changes
> from "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not
> to sshd_t.

Once policy is loaded, you have to make the first transition to init_t for the init process. That can be done in one of several ways:

- load policy before execing /sbin/init from the real root (e.g. from initramfs), and then you'll transition naturally when you exec the /sbin/init binary if the file is labeled init_exec_t. I think we did this when using upstart in Fedora to avoid modifying upstart itself.

- load policy from within /sbin/init and then re-exec yourself, using an environment variable or argument to only do so on the first invocation. This is what the original patches to SysVinit did in Fedora (and I think it is what systemd does too).

- load policy from init and invoke setcon() to dynamically switch to the init context before proceeding. Not preferred, but possible.

--
Stephen Smalley
National Security Agency
Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 14:44 UTC
To: dwalsh, Stephen Smalley; Cc: SELinux

Thanks Daniel, Stephen.

I am able to get init_t and local_login_t for init and login respectively. The mistake was that I missed relabeling the file system, so all the executables were in the type file_t.

But it looks like my problem still remains somehow, so that when I try to log in it still shows me the wrong domain/type.

When I log in using 'login' (tty1), the context shows as user_u:user_r:chkpwd_t, and when I check in X (auto login to user 'meego' using 'uxlaunch') it shows as user_u:user_r:consoletype_t.

Attached is the "ps -aeZ" after relabeling the system.

Regards,
Madhu

On Fri, Jun 24, 2011 at 2:11 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Once policy is loaded, you have to make the first transition to init_t
> for the init process. That can be done in one of several ways:
>
> - load policy before execing /sbin/init from the real root (e.g. from
> initramfs), and then you'll transition naturally when you exec
> the /sbin/init binary if the file is labeled init_exec_t. I think we
> did this when using upstart in Fedora to avoid modifying upstart itself.
>
> - load policy from within /sbin/init and then re-exec yourself, using an
> environment variable or argument to only do on the first invocation.
> This is what the original patches to SysVinit did in Fedora (and I think
> it is what systemd does too).
>
> - load policy from init and invoke setcon() to dynamically switch to the
> init context before proceeding. Not preferred, but possible.
>
> --
> Stephen Smalley
> National Security Agency

[-- Attachment #2: ps_output2.txt --]
Re: Wrong context for user
From: Stephen Smalley @ 2011-06-24 14:48 UTC
To: c.r.madhusudhanan@gmail.com; Cc: dwalsh, SELinux

On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> Thanks Daniel, Stephen.
>
> I am able to get init_t, local_login_t for init, and login
> respectively.
> The mistake was tat I missed relabeling the file system, so all the
> executable was in the type file_t.
>
> But it looks my problem still remains somehow, so that when I try
> login it still shows me wrong domain/type.
>
> When I login using 'login' (tty1), the context shows as
> user_u:user_r:chkpwd_t and when I check in the X (auto login to user
> 'meego' using 'uxlaunch') shows as user_u:user_r:consoletype_t.
>
> Attached is the "ps -aeZ" after relabeling the system.

What does your default_contexts file contain?

--
Stephen Smalley
National Security Agency
Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 14:52 UTC
To: Stephen Smalley; Cc: dwalsh, SELinux

Attached for your reference.

Regards,
Madhu

On Fri, Jun 24, 2011 at 2:48 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> What does your default_contexts file contain?
>
> --
> Stephen Smalley
> National Security Agency

[-- Attachment #2: seusers --]

    system_u:system_u
    root:root
    __default__:user_u

[-- Attachment #3: default_contexts --]

    system_r:crond_t         user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
    system_r:local_login_t   user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
    system_r:remote_login_t  user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
    system_r:sshd_t          user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
    system_r:sulogin_t       sysadm_r:sysadm_t
    system_r:xdm_t           user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
    staff_r:staff_su_t       user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
    staff_r:staff_sudo_t     sysadm_r:sysadm_t staff_r:staff_t
    sysadm_r:sysadm_su_t     user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
    sysadm_r:sysadm_sudo_t   sysadm_r:sysadm_t
    user_r:user_su_t         user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
    user_r:user_sudo_t       sysadm_r:sysadm_t user_r:user_t
Re: Wrong context for user
From: Stephen Smalley @ 2011-06-24 15:09 UTC
To: c.r.madhusudhanan@gmail.com; Cc: dwalsh, SELinux

On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> attached for your reference.

What do the libselinux/utils say, e.g.:

    cd libselinux/utils
    ./getconlist user_u system_u:system_r:local_login_t
    ./getseuser root system_u:system_r:local_login_t

--
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-24 15:50 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux

[root@localhost utils]# ./getconlist user_u
user_u:user_r:consoletype_t
[root@localhost utils]# ./getconlist root
root:sysadm_r:sysadm_t

[root@localhost utils]# ./getseuser meego
seuser: user_u, level (null)
Context 0 user_u:user_r:consoletype_t
[root@localhost utils]# ./getseuser root
seuser: root, level (null)
Context 0 root:sysadm_r:sysadm_t
(I don't know, but getseuser didn't work until I changed the code: if (argc != 2).)

Regards
Madhu.

On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> > attached for your reference.
>
> What do the libselinux/utils say, e.g.:
> cd libselinux/utils
> ./getconlist user_u system_u:system_r:local_login_t
> ./getseuser root system_u:system_r:local_login_t
>
> -- 
> Stephen Smalley
> National Security Agency
* Re: Wrong context for user
From: Sam Gandhi @ 2011-06-24 21:26 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: Stephen Smalley, dwalsh, SELinux

On Fri, Jun 24, 2011 at 8:50 AM, c.r.madhusudhanan@gmail.com <c.r.madhusudhanan@gmail.com> wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know, but getseuser didn't work until I changed the code:
> if (argc != 2).)
>

My guess is it is picking up the context from the /etc/selinux/<context>/contexts/failsafe_context file.
Does your failsafe_context file have the string system_r:unconfined_t in it? For experimental purposes, if you change it to system_r:initrc_t you will notice that your login session has the context root:system_r:initrc_t.

Now I don't know SELinux well enough to know if changing the failsafe_context file is the correct thing to do. You could run getseuser through strace and see all the configuration files it examines.

One thing you will notice is that the SELinux user libraries read & write various files in /selinux/, but I haven't found a description of how the interface for /selinux/XXX is supposed to work.

> On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
>> > attached for your reference.
>>
>> What do the libselinux/utils say, e.g.:
>> cd libselinux/utils
>> ./getconlist user_u system_u:system_r:local_login_t
>> ./getseuser root system_u:system_r:local_login_t
>>
>> -- 
>> Stephen Smalley
>> National Security Agency
>>
>

-Sam
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-06-28 15:34 UTC
To: Sam Gandhi; +Cc: Stephen Smalley, dwalsh, SELinux

Hi Sam,

Sorry I couldn't reply to you earlier, and the issue still remains. I checked failsafe_context, and it was 'sysadm_r:syadm_t', and when I changed it to 'system_r:initrc_t' as you said, it didn't have any effect.

Regards,
Madhu

On Fri, Jun 24, 2011 at 5:26 PM, Sam Gandhi <samgandhi9@gmail.com> wrote:
> On Fri, Jun 24, 2011 at 8:50 AM, c.r.madhusudhanan@gmail.com
> <c.r.madhusudhanan@gmail.com> wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know, but getseuser didn't work until I changed the code:
> > if (argc != 2).)
> >
>
> My guess is it is picking up the context from the
> /etc/selinux/<context>/contexts/failsafe_context file.
> Does your failsafe_context file have the string system_r:unconfined_t in
> it? For experimental purposes, if you change it to system_r:initrc_t you
> will notice that your login session has the context
> root:system_r:initrc_t.
>
> Now I don't know SELinux well enough to know if changing the
> failsafe_context file is the correct thing to do. You could run getseuser
> through strace and see all the configuration files it examines.
>
> One thing you will notice is that the SELinux user libraries read & write
> various files in /selinux/, but I haven't found a description of how the
> interface for /selinux/XXX is supposed to work.
>
> > On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@tycho.nsa.gov>
> > wrote:
> >>
> >> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@gmail.com wrote:
> >> > attached for your reference.
> >>
> >> What do the libselinux/utils say, e.g.:
> >> cd libselinux/utils
> >> ./getconlist user_u system_u:system_r:local_login_t
> >> ./getseuser root system_u:system_r:local_login_t
> >>
> >> -- 
> >> Stephen Smalley
> >> National Security Agency
> >>
> >
>
> -Sam
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:23 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux

On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know, but getseuser didn't work until I changed the code:
> if (argc != 2).)

You aren't invoking them correctly - you need to pass the security context of the login process as the second argument, as I showed.

For example, on Fedora, we have:
$ ./getconlist user_u system_u:system_r:local_login_t:s0
user_u:user_r:user_t:s0
$ ./getseuser root system_u:system_r:local_login_t:s0
$ ./getseuser root system_u:system_r:local_login_t:s0
seuser: unconfined_u, level s0-s0:c0.c1023
Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Omit the :s0 if you don't have MLS enabled in your policy.

-- 
Stephen Smalley
National Security Agency
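The seusers and default_contexts attachments earlier in the thread, together with the point above that getconlist/getseuser need the login process's context as their second argument, as an added Python model (not libselinux code: the real library additionally asks the kernel via security_compute_user which contexts the SELinux user may reach, consults the per-user contexts/users/<name> file, and falls back to failsafe_context; the `reachable` set below is a constructed stand-in for the kernel's answer):

```python
"""Added model (not libselinux code) of how getconlist/getseuser derive a login
context: the real library asks the kernel (security_compute_user) which contexts the
SELinux user may reach from the login process's context and orders them with
default_contexts; here the kernel's answer is the caller-supplied `reachable` set."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed from the seusers attachment in this thread (no MLS levels).
SEUSERS = """system_u:system_u
root:root
__default__:user_u
"""
# Constructed from the default_contexts attachment in this thread (login rows only).
DEFAULT_CONTEXTS = """system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""

def parse_seusers(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """seusers lines are linuxname:seuser[:level]; map linuxname -> (seuser, level)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and not fields[0].startswith("#"):
            mapping[fields[0]] = (fields[1], fields[2] if len(fields) > 2 else None)
    return mapping

def seuser_for(linux_user: str, seusers: Dict[str, Tuple[str, Optional[str]]]):
    """getseuserbyname(): the user's own entry first, else the __default__ entry."""
    return seusers.get(linux_user, seusers.get("__default__"))

def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Key is the role:type of the login process; value is the preferred order
    of role:type pairs for the session that process starts."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            table[fields[0]] = fields[1:]
    return table

def ordered_context_list(seuser: str, level: Optional[str], fromcon: str,
                         defaults: Dict[str, List[str]], reachable=None) -> List[str]:
    """Candidates seuser:role:type[:level] in default_contexts order, keeping only
    those the (modelled) kernel reported reachable (libselinux: else failsafe_context)."""
    parts = fromcon.split(":")
    if len(parts) < 3:  # `./getseuser meego` with no login context cannot work
        raise ValueError("login context must be user:role:type[:level]")
    if level is None and len(parts) > 3:  # no level in seusers: keep fromcon's :s0
        level = ":".join(parts[3:])
    suffix = ":" + level if level else ""
    allowed = None if reachable is None else set(reachable)
    result = []
    for role_type in defaults.get(parts[1] + ":" + parts[2], []):
        candidate = seuser + ":" + role_type + suffix
        if allowed is None or candidate in allowed:
            result.append(candidate)
    return result

def getseuser(linux_user: str, fromcon: str, reachable=None) -> List[str]:
    """Equivalent of `./getseuser <user> <login context>` from libselinux/utils."""
    entry = seuser_for(linux_user, parse_seusers(SEUSERS))
    if entry is None:
        return []
    return ordered_context_list(*entry, fromcon, parse_default_contexts(DEFAULT_CONTEXTS), reachable)
```

With the thread's files, `getseuser("meego", "system_u:system_r:local_login_t", ["user_u:user_r:user_t"])` yields the expected `user_u:user_r:user_t`, while a call that omits the login context raises instead of silently returning something else.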
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:50 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux

On Fri, 2011-07-01 at 09:23 -0400, Stephen Smalley wrote:
> On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know, but getseuser didn't work until I changed the code:
> > if (argc != 2).)
>
> You aren't invoking them correctly - you need to pass the security
> context of the login process as the second argument, as I showed.
>
> For example, on Fedora, we have:
> $ ./getconlist user_u system_u:system_r:local_login_t:s0
> user_u:user_r:user_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> seuser: unconfined_u, level s0-s0:c0.c1023
> Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Omit the :s0 if you don't have MLS enabled in your policy.

BTW, debugging this kind of problem often requires a copy of your entire /etc/selinux directory. pstree -Z output might also be interesting.

-- 
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-07-05 14:43 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux

Hi Stephen,

Many thanks for your help. I am now able to get the correct user type (user_t). The problem I had was in the kernel, which was wrongly configured to use policydb version 19. When I changed the kernel config, I was able to log in with the correct context.

Attached is the getconlist and getseuser output for your reference, before and after the kernel changes.

PS: this works for login (local_login_t); for uxlaunch, as you said, I am planning to have a policy transition.

Regards,
Madhu

On Fri, Jul 1, 2011 at 9:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@gmail.com wrote:
> > [root@localhost utils]# ./getconlist user_u
> > user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getconlist root
> > root:sysadm_r:sysadm_t
> >
> > [root@localhost utils]# ./getseuser meego
> > seuser: user_u, level (null)
> > Context 0 user_u:user_r:consoletype_t
> > [root@localhost utils]# ./getseuser root
> > seuser: root, level (null)
> > Context 0 root:sysadm_r:sysadm_t
> > (I don't know, but getseuser didn't work until I changed the code:
> > if (argc != 2).)
>
> You aren't invoking them correctly - you need to pass the security
> context of the login process as the second argument, as I showed.
>
> For example, on Fedora, we have:
> $ ./getconlist user_u system_u:system_r:local_login_t:s0
> user_u:user_r:user_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> $ ./getseuser root system_u:system_r:local_login_t:s0
> seuser: unconfined_u, level s0-s0:c0.c1023
> Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Omit the :s0 if you don't have MLS enabled in your policy.
>
> -- 
> Stephen Smalley
> National Security Agency

[-- Attachment #2: libsemanage_utils_output.txt --]
Wrong kernel option was:
-----------------------
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19

Before
------
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:staff_r:chkpwd_t
root:staff_r:updpwd_t
root:sysadm_r:chkpwd_t
root:sysadm_r:updpwd_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:chkpwd_t
user_u:user_r:updpwd_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:staff_r:chkpwd_t
Context 1 root:staff_r:updpwd_t
Context 2 root:sysadm_r:chkpwd_t
Context 3 root:sysadm_r:updpwd_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:chkpwd_t
Context 1 user_u:user_r:updpwd_t
[root@localhost utils]#

After
-----
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:sysadm_r:sysadm_t
root:staff_r:staff_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:user_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:sysadm_r:sysadm_t
Context 1 root:staff_r:staff_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:user_t
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 13:56 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux

On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> Thanks Daniel, Stephen.
>
> I am able to get init_t, local_login_t for init, and login
> respectively.
> The mistake was that I missed relabeling the file system, so all the
> executables were in the type file_t.
>
> But it looks like my problem still remains somehow, so that when I try
> to login it still shows me the wrong domain/type.
>
> When I login using 'login' (tty1), the context shows as
> user_u:user_r:chkpwd_t, and when I check in X (auto login to user
> 'meego' using 'uxlaunch') it shows as user_u:user_r:consoletype_t.
>
> Attached is the "ps -aeZ" after relabeling the system.

Going back to this ps output, I think you'll need some policy changes to support MeeGo's uxlaunch approach to starting a user desktop. You need uxlaunch to transition into a domain suitable for user login like xdm_t (used for gdm/xdm/kdm) rather than running in init_t or we won't get the expected transitions for user domains.

-- 
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: Stephen Smalley @ 2011-07-01 16:17 UTC
To: c.r.madhusudhanan@gmail.com; +Cc: dwalsh, SELinux

On Fri, 2011-07-01 at 09:56 -0400, Stephen Smalley wrote:
> On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> > Thanks Daniel, Stephen.
> >
> > I am able to get init_t, local_login_t for init, and login
> > respectively.
> > The mistake was that I missed relabeling the file system, so all the
> > executables were in the type file_t.
> >
> > But it looks like my problem still remains somehow, so that when I try
> > to login it still shows me the wrong domain/type.
> >
> > When I login using 'login' (tty1), the context shows as
> > user_u:user_r:chkpwd_t, and when I check in X (auto login to user
> > 'meego' using 'uxlaunch') it shows as user_u:user_r:consoletype_t.
> >
> > Attached is the "ps -aeZ" after relabeling the system.
>
> Going back to this ps output, I think you'll need some policy changes to
> support MeeGo's uxlaunch approach to starting a user desktop. You need
> uxlaunch to transition into a domain suitable for user login like xdm_t
> (used for gdm/xdm/kdm) rather than running in init_t or we won't get the
> expected transitions for user domains.

And given that, you might want to take this conversation over to the refpolicy list as it becomes a policy configuration issue for MeeGo.
http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Stephen Smalley
National Security Agency
* Re: Wrong context for user
From: c.r.madhusudhanan @ 2011-07-06 14:14 UTC
To: Stephen Smalley; +Cc: dwalsh, SELinux

On Fri, Jul 1, 2011 at 9:56 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-06-24 at 14:44 +0000, c.r.madhusudhanan@gmail.com wrote:
> > Thanks Daniel, Stephen.
> >
> > I am able to get init_t, local_login_t for init, and login
> > respectively.
> > The mistake was that I missed relabeling the file system, so all the
> > executables were in the type file_t.
> >
> > But it looks like my problem still remains somehow, so that when I try
> > to login it still shows me the wrong domain/type.
> >
> > When I login using 'login' (tty1), the context shows as
> > user_u:user_r:chkpwd_t, and when I check in X (auto login to user
> > 'meego' using 'uxlaunch') it shows as user_u:user_r:consoletype_t.
> >
> > Attached is the "ps -aeZ" after relabeling the system.
>
> Going back to this ps output, I think you'll need some policy changes to
> support MeeGo's uxlaunch approach to starting a user desktop. You need
> uxlaunch to transition into a domain suitable for user login like xdm_t
> (used for gdm/xdm/kdm) rather than running in init_t or we won't get the
> expected transitions for user domains.

Thanks for that, "setfilecon system_u:object_r:xdm_exec_t /usr/sbin/uxlaunch" solved the context issue in X.

> -- 
> Stephen Smalley
> National Security Agency