* new user types
@ 2008-02-07 23:14 Jeremiah Jahn
2008-02-08 13:34 ` Daniel J Walsh
2008-02-08 13:59 ` Stephen Smalley
From: Jeremiah Jahn @ 2008-02-07 23:14 UTC (permalink / raw)
To: selinux
I can't seem to login as the right user, and I'm not sure what I missed.
I added the following roles and users to my monetra.te file:
#admin roles
role monetra_admin_r types monetra_t;
role monetra_admin_r types monetra_lib_t;
#client roles
role monetra_client_r types monetra_t;
role monetra_client_r types monetra_lib_t;
role monetra_client_r types monetra_client_t;
#monetra users
user monetra_u roles { monetra_client_r monetra_admin_r } level s0 range s0 - s0;
I ran the add login command:
semanage login -a -s monetra_u bob
I get the following output:
[root@xxx ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root s0-s0:c0.c255
system_u system_u s0-s0:c0.c255
bob monetra_u s0
[root@xxx ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
monetra_u user s0 s0 monetra_admin_r monetra_client_r
root sysadm s0 s0-s0:c0.c255 sysadm_r staff_r
staff_u staff s0 s0-s0:c0.c255 sysadm_r staff_r
sysadm_u sysadm s0 s0-s0:c0.c255 sysadm_r
system_u user s0 s0-s0:c0.c255 system_r
unconfined_u unconfined s0 s0-s0:c0.c255 unconfined_r
user_u user s0 s0 user_r
yet when I login I get:
[bob@xxx ~]$ id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c255
thanx for any help you can give.
* Re: new user types
  2008-02-08 13:34 ` Daniel J Walsh
From: Daniel J Walsh @ 2008-02-08 13:34 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux

Jeremiah Jahn wrote:
> I can't seem to login as the right user, and I'm not sure what I missed.
>
> I added the following roles and users to my monetra.te file:
> [...]
> #monetra users
> user monetra_u roles { monetra_client_r monetra_admin_r } level s0 range s0 - s0;
>
> I ran the add login command:
> semanage login -a -s monetra_u bob
> [...]
> yet when I login I get:
> [bob@xxx ~]$ id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c255

You need to create a contexts file for monetra_u.

/etc/selinux/targeted/contexts/users/monetra_u

Then set it up for the appropriate commands. xguest_u looks like

system_r:local_login_t xguest_r:xguest_t:s0
system_r:remote_login_t xguest_r:xguest_t:s0
system_r:sshd_t xguest_r:xguest_t:s0
system_r:crond_t xguest_r:xguest_crond_t:s0
system_r:xdm_t xguest_r:xguest_t:s0

-- 
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: new user types
  2008-02-08 13:59 ` Stephen Smalley
From: Stephen Smalley @ 2008-02-08 13:59 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux

On Thu, 2008-02-07 at 17:14 -0600, Jeremiah Jahn wrote:
> I can't seem to login as the right user, and I'm not sure what I missed.
>
> I added the following roles and users to my monetra.te file:
>
> #admin roles
> role monetra_admin_r types monetra_t;
> role monetra_admin_r types monetra_lib_t;

role-type statements are only required for domain types, not file types.
Files use the generic object_r role.

> #client roles
> role monetra_client_r types monetra_t;
> role monetra_client_r types monetra_lib_t;
> role monetra_client_r types monetra_client_t;
>
> #monetra users
> user monetra_u roles { monetra_client_r monetra_admin_r } level s0 range s0 - s0;
>
> I ran the add login command:
> semanage login -a -s monetra_u bob
> [...]
> yet when I login I get:
> [bob@xxx ~]$ id -Z
> system_u:system_r:unconfined_t:s0-s0:c0.c255
>
> thanx for any help you can give.

First, by login, I assume you mean a real login (via console login, gdm,
or ssh), not just a su.  su doesn't change SELinux context in RHEL 5.

Second, have you authorized a domain transition from the domain in which
the login process is running to your new domain?

-- 
Stephen Smalley
National Security Agency
* Re: new user types
  2008-02-08 18:13 ` Jeremiah Jahn
From: Jeremiah Jahn @ 2008-02-08 18:13 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux

On Fri, 2008-02-08 at 08:59 -0500, Stephen Smalley wrote:
> On Thu, 2008-02-07 at 17:14 -0600, Jeremiah Jahn wrote:
> > #admin roles
> > role monetra_admin_r types monetra_t;
> > role monetra_admin_r types monetra_lib_t;
>
> role-type statements are only required for domain types, not file types.
> Files use the generic object_r role.

thanx.

> > [...]
> > yet when I login I get:
> > [bob@xxx ~]$ id -Z
> > system_u:system_r:unconfined_t:s0-s0:c0.c255
>
> First, by login, I assume you mean a real login (via console login, gdm,
> or ssh), not just a su.  su doesn't change SELinux context in RHEL 5.

correct.

> Second, have you authorized a domain transition from the domain in which
> the login process is running to your new domain?

can you give me a quick pointer as to where to go to find an example of
this? userdomain.te didn't help, nor locallogin.te. I need to both do it
from the console, and from ssh. And one other dumb question, what the
heck are prefixes, and how do they apply to this?

-- 
Command, n.: Statement presented by a human and accepted by a computer in
such a manner as to make the human feel as if he is in control.
* Re: new user types
  2008-02-08 19:13 ` Stephen Smalley
From: Stephen Smalley @ 2008-02-08 19:13 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux, Christopher J. PeBenito

On Fri, 2008-02-08 at 12:13 -0600, Jeremiah Jahn wrote:
> On Fri, 2008-02-08 at 08:59 -0500, Stephen Smalley wrote:
> > [...]
> > Second, have you authorized a domain transition from the domain in which
> > the login process is running to your new domain?
> can you give me a quick pointer as to where to go to find an example of
> this? userdomain.te didn't help, nor locallogin.te. I need to both do it
> from the console, and from ssh. And one other dumb question, what the
> heck are prefixes, and how do they apply to this?

(cc'ing Chris, refpolicy maintainer)

The login domains call the userdom_spec_domtrans_all_users() or
unpriv_users() interfaces to allow the domain transition to happen to
user domains, where user domains have the 'userdomain' attribute (when
declared via the userdom_base_user_template() interface or one of its
callers).

You also need to allow the role transition to happen and to ensure that
the constraint passes.  All of which should be covered if using
userdom_base_user_template() or one of its callers to define your user
domain.

The prefix is the string prepended to the home directory types for the
user domain.  Conventionally, this is the same as the user domain
prefix, e.g. user_t has prefix "user", thus yielding user_home_dir_t,
user_home_t, etc for the home directory labeling.

Chris can likely comment on the best way to create new roles presently;
there has been work done to simplify it and allow tools like SLIDE to
help automate it.

-- 
Stephen Smalley
National Security Agency
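The two answers above describe two separate gates a login has to pass: the contexts/users/<user> file that Dan Walsh describes, which is how the login program picks a candidate context for the SELinux user, and the domain and role transition rules that Stephen Smalley describes, which the kernel checks when the login program execs the user's shell. The script below is an added example that is not part of this thread, libselinux or refpolicy; it emulates both gates in simplified form so the failure Jeremiah saw can be reproduced offline. The xguest_u file is the one Dan posted; the monetra_u contexts file, the role-type map, the process:transition rules and the role allow rules are constructed for the example and are not the real targeted policy.

```python
"""Emulate how a login program chooses a user's SELinux context.

Added example, not code from the mailing-list thread, libselinux or refpolicy.
It models two separate steps:

 1. ordered_context_list(): a simplified get_ordered_context_list(). The kernel
    (security_compute_user) enumerates the contexts the SELinux user may reach
    (user authorises role, role authorises type); the entries in
    /etc/selinux/<policy>/contexts/users/<seuser> then select and order those
    candidates for the login domain. The fallback to contexts/default_contexts
    is omitted here.
 2. exec_transition_ok(): the checks the kernel applies at execve() once the
    login program has set the exec context: a process:transition allow rule
    from the login domain to the user domain, and an allow rule for the role
    change.

All policy data below is constructed for the example.
"""

# --- constructed policy state (names from the thread; rules are assumed) ---
USER_ROLES = {
    "monetra_u": {"monetra_client_r", "monetra_admin_r"},
    "xguest_u": {"xguest_r"},
}
ROLE_TYPES = {
    "monetra_client_r": {"monetra_client_t"},
    "monetra_admin_r": {"monetra_t"},
    "xguest_r": {"xguest_t", "xguest_crond_t"},
    "system_r": {"sshd_t", "local_login_t", "crond_t", "xdm_t"},
}
# allow <src_type> <dst_type>:process transition;   (assumed rules)
DOMTRANS = {("sshd_t", "xguest_t"), ("local_login_t", "xguest_t")}
# allow <src_role> <dst_role>;                       (assumed rules)
ROLE_ALLOW = {("system_r", "xguest_r")}

# contexts/users/xguest_u as posted in the thread; the monetra_u file is a
# constructed example of what the missing file could look like.
CONTEXT_FILES = {
    "xguest_u": """\
system_r:local_login_t xguest_r:xguest_t:s0
system_r:remote_login_t xguest_r:xguest_t:s0
system_r:sshd_t xguest_r:xguest_t:s0
system_r:crond_t xguest_r:xguest_crond_t:s0
system_r:xdm_t xguest_r:xguest_t:s0
""",
    "monetra_u": """\
system_r:local_login_t monetra_client_r:monetra_client_t:s0
system_r:sshd_t monetra_client_r:monetra_client_t:s0 monetra_admin_r:monetra_t:s0
""",
}


def parse_contexts(text):
    """Yield (source_role, source_type, [candidate contexts]) per file line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, *candidates = line.split()
        src_role, src_type = src.split(":")
        yield src_role, src_type, candidates


def compute_user(seuser):
    """(role, type) pairs the SELinux user may reach, like security_compute_user."""
    return {
        (role, typ)
        for role in USER_ROLES.get(seuser, ())
        for typ in ROLE_TYPES.get(role, ())
    }


def ordered_context_list(seuser, from_context):
    """Reachable contexts, ordered as contexts/users/<seuser> lists them.

    An empty list means the login program finds nothing for this login domain
    (no file, or no line for the login domain's role:type).
    """
    _user, from_role, from_type, *_ = from_context.split(":")
    reachable = compute_user(seuser)
    result = []
    for src_role, src_type, candidates in parse_contexts(CONTEXT_FILES.get(seuser, "")):
        if (src_role, src_type) != (from_role, from_type):
            continue
        for cand in candidates:
            role, typ, level = cand.split(":", 2)   # level may be a range
            if (role, typ) in reachable:
                result.append(f"{seuser}:{role}:{typ}:{level}")
    return result


def exec_transition_ok(from_context, to_context):
    """Kernel-side checks at execve(); returns a list of problems (empty = OK)."""
    _, from_role, from_type, *_ = from_context.split(":")
    _, to_role, to_type, *_ = to_context.split(":")
    problems = []
    if (from_type, to_type) not in DOMTRANS:
        problems.append(f"no process:transition from {from_type} to {to_type}")
    if from_role != to_role and (from_role, to_role) not in ROLE_ALLOW:
        problems.append(f"role change {from_role} -> {to_role} not allowed")
    return problems


if __name__ == "__main__":
    sshd = "system_u:system_r:sshd_t:s0"
    for seuser in ("xguest_u", "monetra_u"):
        cands = ordered_context_list(seuser, sshd)
        print(seuser, "candidates from sshd_t:", cands or "none (no usable contexts entry)")
        for c in cands:
            print("   ", c, "->", exec_transition_ok(sshd, c) or "transition allowed")
```

On a real system the first step is what `getdefaultcon <seuser> <fromcontext>` from policycoreutils prints, and the second step is what `sesearch -A -s sshd_t -t <domain> -c process -p transition` from setools reports. Passing the first step while failing the second is exactly the situation the thread ends up in: the contexts file alone does not grant the transition; the userdom template in refpolicy is what adds the allow rules.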
* Re: new user types
  2008-02-08 20:12 ` Jeremiah Jahn
From: Jeremiah Jahn @ 2008-02-08 20:12 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, Christopher J. PeBenito

That worked:

userdom_unpriv_user_template(client)
user client_u roles { client_r } level s0 range s0 - s0;

plus

semanage login -a -s client_u bob

Gave me what I want. I found it easier to look through userdomain.if than
the website. I also had to remove some of the types I'd already declared
since the template will re-declare them according to the prefix.

thanx a lot,
-jj-

On Fri, 2008-02-08 at 14:13 -0500, Stephen Smalley wrote:
> [...]
> The login domains call the userdom_spec_domtrans_all_users() or
> unpriv_users() interfaces to allow the domain transition to happen to
> user domains, where user domains have the 'userdomain' attribute (when
> declared via the userdom_base_user_template() interface or one of its
> callers).
>
> You also need to allow the role transition to happen and to ensure that
> the constraint passes.  All of which should be covered if using
> userdom_base_user_template() or one of its callers to define your user
> domain.
>
> The prefix is the string prepended to the home directory types for the
> user domain.  Conventionally, this is the same as the user domain
> prefix, e.g. user_t has prefix "user", thus yielding user_home_dir_t,
> user_home_t, etc for the home directory labeling.
> [...]

-- 
The President publicly apologized today to all those offended by his
brother's remark, "There's more Arabs in this country than there is
Jews!".  Those offended include Arabs, Jews, and English teachers.
		-- Baltimore, Channel 11 News, on Jimmy Carter