Message-ID: <46443A37.7070500@gmail.com>
Date: Fri, 11 May 2007 17:41:11 +0800
From: Ken YANG
To: Stephen Smalley
CC: JanuGerman, Karl MacMillan, SELinux List
Subject: Re: cannot login using strict policy
References: <706356.14667.qm@web86906.mail.ukl.yahoo.com> <1177515880.24282.223.camel@moss-spartans.epoch.ncsc.mil> <4642E6D4.2030006@gmail.com> <1178800137.3504.71.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1178800137.3504.71.camel@moss-spartans.epoch.ncsc.mil>
List-Id: selinux@tycho.nsa.gov

Stephen Smalley wrote:
> On Thu, 2007-05-10 at 17:33 +0800, Ken YANG wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2007-04-25 at 15:31 +0000, JanuGerman wrote:
>>>> Hi Karl,
>>>>
>>>> Thanks for the response. I have to reboot with 'selinux=0' in order to
>>>> diagnose the type of .bash_profile. It is
>>>> 'root:object_r:user_home_t:s0'. This seems to me a problem, like every
>>>> time I will have to reboot with selinux=0 in order to get the
>>>> attributes of the file. Plus one question regarding unconfined_t:
>>>> is unconfined_t changed to confined_t in strict policy mode?
>>> You should just be able to boot with enforcing=0, not selinux=0. Or
>>> even switch to permissive via setenforce 0 if you can login at least on
>>> the console and newrole -r sysadm_r.
>>>
>>> Under strict policy, users run in confined domains like user_t and
>>> staff_t, and the user must newrole -r sysadm_r to enter the admin role.
>>>
>>> The /root files should be labeled with sysadm_home_t, not user_home_t.
>>> Look at /etc/selinux/strict/contexts/files/file_contexts.homedirs for
>>> the /root entries.
>> I also had the same error when switching from targeted to strict.
>>
>> I notice in the AVC messages that there are some deny errors:
>>
>> avc: denied { search } comm="gconfd-2" name="root"
>> scontext=root:staff_r:staff_gconfd_t:s0-s0:c0.c1023
>> tcontext=root:object_r:sysadm_home_dir_t:s0
>>
>> I guess that this error is related to the "permission denied" on
>> ".bash_profile".
>>
>> I find that "staff_gconfd_t" is generated by a domain transition
>> from "staff_t" to "staff_gconfd_t" (defined in
>> gnome_per_role_template()).
>>
>> I wonder why the "root" user's role is staff_r when logging in through gdm,
>> and sysadm_r when logging in at runlevel 3 (through mingetty).
>>
>> As Stephen said, in strict policy users should run in user_t and
>> staff_t, and the "local_login_t" line in "users/root" indicates the
>> role of root is "sysadm_r", while the same line in "default_contexts"
>> indicates that the role of user is staff_r.
>>
>> I am confused by the above situations. What decides the role and domain of
>> a user (normal users and root)?
>
> get_ordered_context_list(3)

Thanks, Stephen.

When I modify the "local_login_t" line in "users/root" to:

  system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

the role of root (login through non-[xgdw]dm, e.g. tty2) is "sysadm_r".

But when I modify the "local_login_t" line in "default_contexts" to:

  system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

the role of root (login through gdm) is still staff_r. Why?

I think the reason for the "bash_profile deny error" is related to the "gconfd-2 avc error" message, because domains of "staff_r" do not have "search" permission on root's home directory, and then of course cannot "perform certain operation" in root's HOME. As a result, root cannot login through gdm.

Additionally, in "xserver.fc", the path of gdm seems to be wrong for Fedora: gdm in Fedora is located at "/usr/sbin/gdm", same as Debian and Ubuntu. So the type of gdm in Fedora is "bin_t", not "xdm_exec_t". I modify "xserver.fc" in the attached patch.
Please correct me if I am wrong.

[Attachment: refPolicy-2292-gdmlabel.patch]

diff -Nur svnRefpolicy/policy/modules/services/xserver.fc svnRefpolicy-local/policy/modules/services/xserver.fc --- svnRefpolicy/policy/modules/services/xserver.fc 2007-04-16 14:55:36.000000000 +0800 +++ svnRefpolicy-local/policy/modules/services/xserver.fc 2007-05-11 17:28:31.000000000 +0800 @@ -67,6 +67,9 @@ ifdef(`distro_debian', ` /usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) ') +ifdef(`distro_redhat', ` +/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +') /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
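Review bot: in the @@ -67,6 +67,9 @@ hunk the new ifdef(`distro_redhat') block repeats the Debian entry line for line; since the mail says /usr/sbin/gdm is the path on Fedora, Debian and Ubuntu alike, one unconditional `/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` in place of the distro_debian block would be simpler and would also cover distributions neither conditional names (a file_contexts entry whose path does not exist on a given system is harmless, setfiles and restorecon simply never match it). Two things to confirm before merging, because the hunk only shows the Debian block: that no other line in xserver.fc already matches this path (`matchpathcon /usr/sbin/gdm` on the Fedora box should report xdm_exec_t once the patch is applied, and `ls -Z /usr/sbin/gdm` after restorecon should agree), and that Fedora's /usr/sbin/gdm is the daemon itself rather than a wrapper script, since a wrapper that execs another binary would leave that binary unlabelled and the transition into xdm_t would still not happen.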
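What decides the role and domain at login, as an added worked example (this is not libselinux code and not from the mail): a toy Python model of the ordering rule that get_ordered_context_list(3) applies, run over inline copies of the users/root and default_contexts lines from the mail. The "reachable" lists standing in for security_compute_user() output are constructed, the "only the first matching line in each file is used" behaviour is an assumption of the model, and the initrc_t source context in the last case is hypothetical.

```python
# Added example, not libselinux code: a toy model of the precedence that
# get_ordered_context_list(3) documents (per-user file, then default_contexts,
# then whatever the kernel returned).  All inputs below are constructed.


def role_type(ctx, has_user):
    """Return 'role:type' from a context string.

    Kernel contexts look like user:role:type[:range]; fields in the contexts
    files look like role:type[:range].  A bounded split keeps MLS ranges such
    as s0-s0:c0.c1023 in one piece instead of mis-parsing the category part.
    """
    parts = ctx.split(":", 3 if has_user else 2)
    if has_user:
        parts = parts[1:]
    return ":".join(parts[:2])


def parse_context_file(text):
    """Return [(source 'role:type', ['role:type', ...]), ...] in file order."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        table.append((role_type(fields[0], False),
                      [role_type(f, False) for f in fields[1:]]))
    return table


def order_contexts(fromcon, reachable, users_file, default_file):
    """Order `reachable` for a login arriving from the process context `fromcon`.

    Per-user file first, then default_contexts; in each file only the first
    line whose first field matches fromcon's role:type is used (model
    assumption).  Reachable contexts named by neither file are appended in
    kernel order.  Element 0 is what the login program picks by default.
    """
    key = role_type(fromcon, True)
    remaining = list(reachable)
    ordered = []
    for table in (parse_context_file(users_file),
                  parse_context_file(default_file)):
        for line_key, prefs in table:
            if line_key != key:
                continue
            for pref in prefs:
                for ctx in list(remaining):
                    if role_type(ctx, True) == pref:
                        ordered.append(ctx)
                        remaining.remove(ctx)
            break
    return ordered + remaining


def default_context(fromcon, reachable, users_file, default_file):
    """The context a login program would use: head of the ordered list."""
    ordered = order_contexts(fromcon, reachable, users_file, default_file)
    return ordered[0] if ordered else None


# contexts/users/root with the local_login_t line edited as in the mail.
USERS_ROOT = """
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
"""

# contexts/default_contexts (constructed): staff_r first for tty logins,
# xdm_t line edited as in the mail to prefer sysadm_r.
DEFAULT_CONTEXTS = """
system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
"""

# Constructed stand-in for security_compute_user(fromcon, "root"): every
# context root may enter, in whatever order the kernel happened to emit.
REACHABLE_ROOT = [
    "root:staff_r:staff_t:s0",
    "root:user_r:user_t:s0",
    "root:sysadm_r:sysadm_t:s0",
]


def tty_login():
    """root on tty2: source is local_login_t, the users/root line wins."""
    return default_context("system_u:system_r:local_login_t:s0",
                           REACHABLE_ROOT, USERS_ROOT, DEFAULT_CONTEXTS)


def tty_login_without_users_root():
    """Same login with no per-user file: default_contexts order applies."""
    return default_context("system_u:system_r:local_login_t:s0",
                           REACHABLE_ROOT, "", DEFAULT_CONTEXTS)


def gdm_login():
    """root via a display manager that really runs in xdm_t."""
    return default_context("system_u:system_r:xdm_t:s0",
                           REACHABLE_ROOT, USERS_ROOT, DEFAULT_CONTEXTS)


def gdm_login_from_unlisted_domain():
    """Hypothetical: the display manager never transitioned into xdm_t, so
    no line in either file matches and the kernel's own order decides."""
    return default_context("system_u:system_r:initrc_t:s0",
                           REACHABLE_ROOT, USERS_ROOT, DEFAULT_CONTEXTS)
```

The last case is the one to read alongside the gdm labelling point in the mail: the lookup is keyed on the source context's role:type, so an edited xdm_t line in default_contexts can only take effect if the display manager is actually running in xdm_t; from any other source domain neither file contributes and the first context the kernel happened to list wins.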