* default user roles
@ 2008-02-22 18:15 Jeremiah Jahn
2008-02-22 18:55 ` Stephen Smalley
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Jeremiah Jahn @ 2008-02-22 18:15 UTC (permalink / raw)
To: selinux
I can't seem to get the login to set the proper initial role for a user.
Every time I log in, I end up as auditadm, and not secstaff.
I have the following in my policy:
userdom_unpriv_user_template(secstaff)
userdom_role_change_template(secstaff, secadm)
userdom_role_change_template(secstaff, auditadm)
allow secstaff_t devlog_t:sock_file write;
allow secstaff_t newrole_t:process { siginh noatsecure rlimitinh };
allow secstaff_t syslogd_t:unix_dgram_socket sendto;
allow secstaff_t unconfined_tmp_t:dir { write search rmdir remove_name create getattr add_name };
allow secstaff_t user_home_dir_t:dir { read getattr search };
userdom_manage_generic_user_home_content_files(secstaff_t)
userdom_read_generic_user_home_content_files(secstaff_t)
############################################################
# Set default role for sec staff <-- not quite :)
#
role secstaff_r types secstaff_t;
############################################################
# define roles the secstaff can transition to
#
user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
In the olden days in England, you could be hung for stealing a sheep or
a loaf of bread. However, if a sheep stole a loaf of bread and gave it
to you, you would only be tried for receiving, a crime punishable by
forty lashes with the cat or the dog, whichever was handy. If you stole
a dog and were caught, you were punished with twelve rabbit punches,
although it was hard to find rabbits big enough or strong enough to
punch you. -- Mike Harding, "The Armchair Anarchist's Almanac"
* Re: default user roles
From: Stephen Smalley @ 2008-02-22 18:55 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux
On Fri, 2008-02-22 at 12:15 -0600, Jeremiah Jahn wrote:
> I can't seem to get the login to set the proper initial role for a user.
> Every time I log in, I end up as auditadm, and not secstaff.
Kernel policy just defines what is allowed, not what is the default, for user contexts.
The defaults are determined by examining /etc/selinux/$SELINUXTYPE/contexts/default_contexts and /etc/selinux/$SELINUXTYPE/contexts/users/<seuser> (optional).
User context computation has been a source of subtle issues in the past; I'd like to revisit the approach but we haven't gotten around to it.
> I have the following in my policy:
>
> userdom_unpriv_user_template(secstaff)
> userdom_role_change_template(secstaff, secadm)
> userdom_role_change_template(secstaff, auditadm)
> allow secstaff_t devlog_t:sock_file write;
> allow secstaff_t newrole_t:process { siginh noatsecure rlimitinh };
> allow secstaff_t syslogd_t:unix_dgram_socket sendto;
> allow secstaff_t unconfined_tmp_t:dir { write search rmdir remove_name create getattr add_name };
> allow secstaff_t user_home_dir_t:dir { read getattr search };
> userdom_manage_generic_user_home_content_files(secstaff_t)
> userdom_read_generic_user_home_content_files(secstaff_t)
>
> ############################################################
> # Set default role for sec staff <-- not quite :)
> #
> role secstaff_r types secstaff_t;
>
> ############################################################
> # define roles the secstaff can transition to
> #
> user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: default user roles
From: Christopher J. PeBenito @ 2008-02-22 19:01 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux
On Fri, 2008-02-22 at 12:15 -0600, Jeremiah Jahn wrote:
> I can't seem to get the login to set the proper initial role for a user.
> Every time I log in, I end up as auditadm, and not secstaff.
>
> I have the following in my policy:
[...]
> user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
You want to make the file /etc/selinux/NAME/contexts/users/secstaff_u
with the default contexts that you want. You probably want at least
this:
system_r:local_login_t:s0 auditadm_r:auditadm_t:s0
system_r:remote_login_t:s0 auditadm_r:auditadm_t:s0
system_r:sshd_t:s0 auditadm_r:auditadm_t:s0
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
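The lookup Stephen and Chris describe, modelled in code: an added example that is not from the thread or from libselinux. It assumes the role/type pairings the userdom templates create (secstaff_r/secstaff_t, secadm_r/secadm_t, auditadm_r/auditadm_t), a single level s0, and that the per-user file is consulted before default_contexts; it also shows why the order of candidates on a line decides the initial role.

```python
# Added example, not code from the thread: a small model of how login programs
# pick a user's initial context from /etc/selinux/TYPE/contexts/users/<seuser>
# (consulted first) and contexts/default_contexts (fallback). libselinux does the
# real work and lets the kernel compute the reachable contexts; here the policy's
# `user secstaff_u roles { ... }` line is modelled by the two tables below.
USER_ROLES = {"secstaff_u": {"secstaff_r", "secadm_r", "auditadm_r"}}
# Role -> types pairing assumed from the userdom templates in the posted policy.
ROLE_TYPES = {"secstaff_r": {"secstaff_t"}, "secadm_r": {"secadm_t"},
              "auditadm_r": {"auditadm_t"}}

# Constructed file contents. AS_POSTED lists auditadm_r first, so auditadm_r is
# what login picks; SECSTAFF_FIRST puts secstaff_r first and also carries a
# candidate the `user` statement does not grant (sysadm_r), which must be skipped.
AS_POSTED = """\
system_r:local_login_t:s0 auditadm_r:auditadm_t:s0
system_r:remote_login_t:s0 auditadm_r:auditadm_t:s0
system_r:sshd_t:s0 auditadm_r:auditadm_t:s0
"""
SECSTAFF_FIRST = """\
# login role:type:level   candidate role:type:level entries, preferred first
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 secstaff_r:secstaff_t:s0 auditadm_r:auditadm_t:s0
system_r:sshd_t:s0 secstaff_r:secstaff_t:s0 auditadm_r:auditadm_t:s0
"""

def parse_contexts(text):
    """Yield (login role:type:level, [candidate role:type:level, ...]) per data line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *cands = line.split()
            yield key, cands

def reachable(seuser, text, login_context):
    """Candidates in one file that match the login process context and that the
    policy user statement allows, in file order (empty if no line matches)."""
    _user, role, typ, level = login_context.split(":")
    key = f"{role}:{typ}:{level}"       # file keys carry no user field
    out = []
    for file_key, cands in parse_contexts(text):
        if file_key != key:
            continue
        for cand in cands:
            crole, ctype, _lvl = cand.split(":")
            if crole in USER_ROLES.get(seuser, ()) and ctype in ROLE_TYPES.get(crole, ()):
                out.append(f"{seuser}:{cand}")
    return out

def default_context(seuser, login_context, user_file, default_file=""):
    """First usable context: the per-user file wins, default_contexts is the fallback."""
    for text in (user_file, default_file):
        found = reachable(seuser, text, login_context)
        if found:
            return found[0]
    return None  # no entry matched: login cannot pick a context for this user
```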
* Re: default user roles
From: Jeremiah Jahn @ 2008-02-22 19:09 UTC (permalink / raw)
To: Christopher J. PeBenito, Stephen Smalley; +Cc: selinux
Since I'm working with the refpolicy source, can I set it up there, or
does this have to be a file separate from the source?
On Fri, 2008-02-22 at 14:01 -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 12:15 -0600, Jeremiah Jahn wrote:
> > I can't seem to get the login to set the proper initial role for a user.
> > Every time I log in, I end up as auditadm, and not secstaff.
> >
> > I have the following in my policy:
> [...]
> > user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
>
> You want to make the file /etc/selinux/NAME/contexts/users/secstaff_u
> with the default contexts that you want. You probably want at least
> this:
>
> system_r:local_login_t:s0 auditadm_r:auditadm_t:s0
> system_r:remote_login_t:s0 auditadm_r:auditadm_t:s0
> system_r:sshd_t:s0 auditadm_r:auditadm_t:s0
>
PLUNDERER'S THEME (to Supercalifragilisticexpialidocius) Pillage, rape,
and loot and burn, but all in moderation. If you do the things we say,
then you'll soon rule the nation. Kill your foes and enemies and then
kill your relations. Pillage, rape, and loot and burn, but all in
moderation.
* Re: default user roles
From: Christopher J. PeBenito @ 2008-02-22 19:38 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: Stephen Smalley, selinux
On Fri, 2008-02-22 at 13:09 -0600, Jeremiah Jahn wrote:
> Since I'm working with the refpolicy source can I set it up there, or
> does this have to be a file separate from the source?
The equivalent file in the refpolicy source tree would be
config/appconfig-(mcs|mls)/secstaff_u_default_contexts
> On Fri, 2008-02-22 at 14:01 -0500, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-22 at 12:15 -0600, Jeremiah Jahn wrote:
> > > I can't seem to get the login to set the proper initial role for a user.
> > > Every time I log in, I end up as auditadm, and not secstaff.
> > >
> > > I have the following in my policy:
> > [...]
> > > user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
> >
> > You want to make the file /etc/selinux/NAME/contexts/users/secstaff_u
> > with the default contexts that you want. You probably want at least
> > this:
> >
> > system_r:local_login_t:s0 auditadm_r:auditadm_t:s0
> > system_r:remote_login_t:s0 auditadm_r:auditadm_t:s0
> > system_r:sshd_t:s0 auditadm_r:auditadm_t:s0
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: default user roles
From: Daniel J Walsh @ 2008-02-22 19:07 UTC (permalink / raw)
To: Jeremiah Jahn; +Cc: selinux
Jeremiah Jahn wrote:
> I can't seem to get the login to set the proper initial role for a user.
> Every time I log in, I end up as auditadm, and not secstaff.
>
> I have the following in my policy:
>
> userdom_unpriv_user_template(secstaff)
> userdom_role_change_template(secstaff, secadm)
> userdom_role_change_template(secstaff, auditadm)
> allow secstaff_t devlog_t:sock_file write;
> allow secstaff_t newrole_t:process { siginh noatsecure rlimitinh };
> allow secstaff_t syslogd_t:unix_dgram_socket sendto;
> allow secstaff_t unconfined_tmp_t:dir { write search rmdir remove_name create getattr add_name };
> allow secstaff_t user_home_dir_t:dir { read getattr search };
> userdom_manage_generic_user_home_content_files(secstaff_t)
> userdom_read_generic_user_home_content_files(secstaff_t)
>
> ############################################################
> # Set default role for sec staff <-- not quite :)
> #
> role secstaff_r types secstaff_t;
>
> ############################################################
> # define roles the secstaff can transition to
> #
> user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
You probably need a
/etc/selinux/TYPE/contexts/users/secstaff_u