* Bug in the semanage user management code or genhomedircon?
From: Thomas Bleher @ 2006-03-16 20:45 UTC (permalink / raw)
To: SELinux ML
I'm trying to set up an Ubuntu SELinux system and have a problem I don't
really understand. The system is up-to-date (just compiled all the
libraries from the new release, the policy is two days old).
I think the following command sequence illustrates my problem:
# ls -dZ /root
drwxr-xr-x root root system_u:object_r:default_t:s0 /root
# semanage login -l
Login Name           SELinux User         MLS/MCS Range
# semanage user -l

                MLS/       MLS/
SELinux User    MCS Level  MCS Range                      SELinux Roles

root            s0         s0-s0:c0.c255                  system_r sysadm_r staff_r
staff_u         s0         s0-s0:c0.c255                  sysadm_r staff_r
sysadm_u        s0         s0-s0:c0.c255                  sysadm_r
system_u        s0         s0-s0:c0.c255                  system_r
user_u          s0         s0                             user_r
# semanage login -a -s sysadm_u root
root@warschau:~/debian# semanage login -l
Login Name           SELinux User         MLS/MCS Range
root                 sysadm_u             s0
# restorecon -v /root/
restorecon reset /root context system_u:object_r:default_t:s0->sysadm_u:object_r:user_home_dir_t:s0
Notice the last line. I cannot get /root to be of type
sysadm_home_dir_t (It doesn't change if I do "semanage login -a -s
root root" instead).
What am I doing wrong?
Thomas
PS: The semanage manpage really needs some examples. Now if I understood
the program I could write some :-(
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Bug in the semanage user management code or genhomedircon?
From: Ivan Gyurdiev @ 2006-03-16 22:02 UTC (permalink / raw)
To: SELinux ML; +Cc: Daniel J Walsh
[-- Attachment #1: Type: text/plain, Size: 543 bytes --]
> What am I doing wrong?
>
Can you let me know what you see with the following policycoreutils
patch, when you try the same thing (do semanage user -l, should show the
labeling prefix for each user). Dan, you can merge if you want to - I
don't know if the alignment is ok - are you trying to fit within
80-columns or something like that?
P.S. I see those get_all() functions being used outside seobject.py (in
chcat), which doesn't seem like a good idea - breaks encapsulation, and
adding things like I just did will cause damage.
[-- Attachment #2: semanage.prefix.diff --]
[-- Type: text/x-patch, Size: 1496 bytes --]
diff -Naurp --exclude-from excludes old/policycoreutils/semanage/seobject.py new/policycoreutils/semanage/seobject.py
--- old/policycoreutils/semanage/seobject.py 2006-03-08 12:16:06.000000000 -0500
+++ new/policycoreutils/semanage/seobject.py 2006-03-16 16:56:37.000000000 -0500
@@ -549,7 +549,7 @@ class seluserRecords(semanageRecords):
raise ValueError("Could not list roles for user %s" % name)
roles = string.join(rlist, ' ');
- ddict[semanage_user_get_name(u)] = (semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
+ ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
return ddict
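Review bot: inserting the prefix at index 0 of the tuple stored in ddict shifts every existing field (MLS level, MLS range and roles move from positions 0/1/2 to 1/2/3), so any caller of get_all() outside this class that indexes the tuple positionally will now read the prefix where it expected the MLS level; the P.S. in the cover note already says chcat does exactly this. Either append the prefix as the last tuple element so the existing indices keep their meaning, or update chcat in the same patch so the tree is not left inconsistent between the two commits.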
@@ -559,10 +559,10 @@ class seluserRecords(semanageRecords):
keys.sort()
if is_mls_enabled == 1:
if heading:
- print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
- print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
+ print "\n%-15s %-10s %-10s %-30s" % ("", "Labeling", "MLS/", "MLS/")
+ print "%-15s %-10s %-10s %-30s %s\n" % ("SELinux User", "Prefix", "MCS Level", "MCS Range", "SELinux Roles")
for k in keys:
- print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2])
+ print "%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3])
else:
if heading:
print "%-15s %s\n" % ("SELinux User", "SELinux Roles")
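Review bot: only the MLS branch gains the Labeling Prefix column; the `else:` branch at the end of the hunk still prints just "SELinux User" and "SELinux Roles", yet the tuple it indexes now carries the prefix at position 0 as well, so its row-printing code (outside this hunk) needs the same index adjustment or it will print the prefix as the roles. Since the prefix decides home directory labeling whether or not MLS is enabled, the column is worth showing in the non-MLS listing too. On the 80-column question: the new row format is 15+10+10+30 widths plus four separators, so the roles column starts at column 70 and root's three roles run to about 94 columns.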
* Re: Bug in the semanage user management code or genhomedircon?
From: Thomas Bleher @ 2006-03-17 7:11 UTC (permalink / raw)
To: SELinux ML
* Ivan Gyurdiev <ivg2@cornell.edu> [2006-03-16 23:53]:
>
> >What am I doing wrong?
> >
> Can you let me know what you see with the following policycoreutils
> patch, when you try the same thing (do semanage user -l, should show the
> labeling prefix for each user).
OK, this seems to show the problem:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c255                  system_r sysadm_r staff_r
staff_u         user       s0         s0-s0:c0.c255                  sysadm_r staff_r
sysadm_u        user       s0         s0-s0:c0.c255                  sysadm_r
system_u        user       s0         s0-s0:c0.c255                  system_r
user_u          user       s0         s0                             user_r
Where is the labeling prefix set? Or better, where can I change it?
Thanks,
Thomas
* Re: Bug in the semanage user management code or genhomedircon?
From: Stephen Smalley @ 2006-03-17 12:46 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SELinux ML
On Fri, 2006-03-17 at 08:11 +0100, Thomas Bleher wrote:
> * Ivan Gyurdiev <ivg2@cornell.edu> [2006-03-16 23:53]:
> >
> > >What am I doing wrong?
> > >
> > Can you let me know what you see with the following policycoreutils
> > patch, when you try the same thing (do semanage user -l, should show the
> > labeling prefix for each user).
>
> OK, this seems to show the problem:
> # semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> root            user       s0         s0-s0:c0.c255                  system_r sysadm_r staff_r
> staff_u         user       s0         s0-s0:c0.c255                  sysadm_r staff_r
> sysadm_u        user       s0         s0-s0:c0.c255                  sysadm_r
> system_u        user       s0         s0-s0:c0.c255                  system_r
> user_u          user       s0         s0                             user_r
>
> Where is the labeling prefix set? Or better, where can I change it?
It is supplied by an auxiliary file, users_extra, that is now an
optional part of the policy module package format, to provide an
explicit mapping from SELinux users to labeling prefixes. The original
genhomedircon was (improperly) making assumptions about the significance
of the ordering of roles in the policy/users file (as that ordering had
no inherent meaning to SELinux and was lost upon policy compilation) and
naturally also required access to that source file, whereas it now uses
libsemanage to access an explicit mapping file supplied with the policy.
# cat /etc/selinux/mls/modules/active/users_extra
user user_u prefix user;
user staff_u prefix staff;
user sysadm_u prefix sysadm;
user root prefix sysadm;
--
Stephen Smalley
National Security Agency
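As an added example (not code from this thread or from policycoreutils), the following Python checker parses a users_extra file in the format quoted above and reports which home directory type each Linux login would receive through its SELinux user's labeling prefix. The two constructed samples reproduce the states seen in the thread: every prefix set to "user" (what the patched `semanage user -l` showed on the original poster's system) and the correct mapping from Stephen's file. The `<prefix>_home_dir_t` naming is an assumption inferred from the restorecon output (prefix "user" gave user_home_dir_t) and from the expected sysadm_home_dir_t; `parse_users_extra` and `home_dir_types` are hypothetical helpers, not libsemanage or genhomedircon APIs.

```python
import re

# Constructed sample in the format quoted from
# /etc/selinux/mls/modules/active/users_extra (the correct mapping).
USERS_EXTRA_OK = """\
user user_u prefix user;
user staff_u prefix staff;
user sysadm_u prefix sysadm;
user root prefix sysadm;
"""

# Constructed sample reproducing what the patched 'semanage user -l' listed on
# the original poster's box: every SELinux user carries the prefix "user".
USERS_EXTRA_BROKEN = """\
user user_u prefix user;
user staff_u prefix user;
user sysadm_u prefix user;
user system_u prefix user;
user root prefix user;
"""

# One entry per line: "user <selinux_user> prefix <prefix>;"
_ENTRY_RE = re.compile(r"^user\s+(\S+)\s+prefix\s+(\S+)\s*;$")


def parse_users_extra(text):
    """Return {selinux_user: prefix} from users_extra content.

    Blank lines and '#' comments are skipped.  Any other line that does not
    match the entry syntax is rejected instead of ignored, so a typo cannot
    silently leave a user without a prefix; duplicates are rejected too.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError("users_extra line %d: cannot parse %r" % (lineno, raw))
        seuser, prefix = m.groups()
        if seuser in mapping:
            raise ValueError("users_extra line %d: duplicate entry for %s" % (lineno, seuser))
        mapping[seuser] = prefix
    return mapping


def home_dir_type(prefix):
    """Home directory type derived from a labeling prefix.

    Assumed naming, taken from the thread: prefix 'user' produced
    user_home_dir_t and prefix 'sysadm' is expected to give sysadm_home_dir_t.
    """
    return "%s_home_dir_t" % prefix


def home_dir_types(login_map, users_extra):
    """Map each Linux login to the home directory type its SELinux user's
    prefix yields, or None when that SELinux user has no users_extra entry.

    login_map is {login: selinux_user}, i.e. what 'semanage login -l' lists.
    """
    result = {}
    for login, seuser in login_map.items():
        prefix = users_extra.get(seuser)
        result[login] = home_dir_type(prefix) if prefix is not None else None
    return result


if __name__ == "__main__":
    logins = {"root": "sysadm_u"}  # the login mapping created in the thread
    for label, text in (("broken", USERS_EXTRA_BROKEN), ("fixed", USERS_EXTRA_OK)):
        print(label, home_dir_types(logins, parse_users_extra(text)))
```

Run stand-alone it prints the root mapping twice: user_home_dir_t with the broken prefixes and sysadm_home_dir_t with the corrected file, which is the difference the restorecon output in the first message turns on. A login whose SELinux user is missing from users_extra comes back as None, the case worth flagging before running genhomedircon.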