* Things were going great until...
@ 2008-03-29  6:05 Lisa R.
  2008-03-29 18:52 ` Login Identities not applied when logging in Lisa R.
  2008-03-31 14:20 ` Things were going great until Stephen Smalley
  0 siblings, 2 replies; 5+ messages in thread
From: Lisa R. @ 2008-03-29  6:05 UTC (permalink / raw)
  To: selinux

Hello.

I am on a Debian Etch box with SELinux in permissive mode.  I am using the Strict policy.

Of course I have no problem adding a user with something like:
useradd -c "SE Linux test user 1" -m -d /home/setest_1 -g users -s /bin/bash -u 1005 setest_1

I then create a new SELinux user group:
semanage user -a -R 'user_r' -P selinuxtest selinuxtest_u

Finally I create the login for setest_1:
semanage login -a -s selinuxtest_u setest_1

***I am doing this for example purposes***

The other day this all worked great. I verified by logging in as setest_1 and ensuring the security context showed selinuxtest_u.

However, later I created a very small policy module and added a new type mysetype_t.

I created the .pp file with make -c Makefile
I installed the .pp file with semodule -i mymodule.pp

I applied that type to everything under the /lisa directory with:
semanage fcontext -a -t mysetype_t "/lisa(/.*)?"

I verified the type was applied with ls -Z.

So no problems yet...

Today when I login as setest_1 the security context is that of what it defaults to when root creates the user.  The login I applied the other day is gone.

HOWEVER, if I do a semanage user -l and semanage login -l everything looks as it should. I see that the login for setest_1 is selinuxtest_u.

I tried to semanage fcontext -a -t mysetype_t "/somedirectory(/.*)?"
and that didn't work either.

HOWEVER, I did a restorecon on each individual file and that seemed to work.  

What is going on or how do I "restorecon" my logins so I can see any new logins I applied?

Thanks,
Lisa





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Login Identities not applied when logging in...
  2008-03-29  6:05 Things were going great until Lisa R.
@ 2008-03-29 18:52 ` Lisa R.
  2008-03-30  6:02   ` Daniel J Walsh
  2008-03-30 12:46   ` Martin Orr
  2008-03-31 14:20 ` Things were going great until Stephen Smalley
  1 sibling, 2 replies; 5+ messages in thread
From: Lisa R. @ 2008-03-29 18:52 UTC (permalink / raw)
  To: selinux

Hello again.

I realized that I need to run a restorecon after I semanage fcontext so that resolved my labeling issue.

However, I still have a problem with my logins.  They aren't being applied when I login.

When I semanage user -l as root I see my custom "selinux user" associated with the custom label.

When I semanage login -l as root I see my custom "selinux user" associated with the "login name" that I created with adduser.

However, when I login and run id -Z as my new user I see the default security context set when I created the user under root.

All I am trying to do is apply a new login to one of my users but it won't take.

I tried a reboot...

Did I break something or do I need to apply something?

This worked the other day without a problem (likely story but it did).

Thanks,
Lisa




* Re: Login Identities not applied when logging in...
  2008-03-29 18:52 ` Login Identities not applied when logging in Lisa R.
@ 2008-03-30  6:02   ` Daniel J Walsh
  2008-03-30 12:46   ` Martin Orr
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2008-03-30  6:02 UTC (permalink / raw)
  To: Lisa R.; +Cc: selinux

Lisa R. wrote:
> Hello again.
> 
> I realized that I need to run a restorecon after I semanage fcontext so that resolved my labeling issue.
> 
> However, I still have a problem with my logins.  They aren't being applied when I login.
> 
> When I semanage user -l as root I see my custom "selinux user" associated with the custom label.
> 
> When I semange login -l as root I see my custom "selinux user" associated with the "login name" that I created with adduser.
> 
> However, when I login and run id -Z as my new user I see the default security context set when I created the user under root.
> 
> All I am trying to do is apply a new login to one of my users but it won't take.
> 
> I tried a reboot...
> 
> Did I break something or do I need to apply something?
> 
> This worked the other day without a problem (likely story but it did).
>
If you want to change the default context that the root user logs in
with, you will need to edit /etc/selinux/*/contexts/users/root



* Re: Login Identities not applied when logging in...
  2008-03-29 18:52 ` Login Identities not applied when logging in Lisa R.
  2008-03-30  6:02   ` Daniel J Walsh
@ 2008-03-30 12:46   ` Martin Orr
  1 sibling, 0 replies; 5+ messages in thread
From: Martin Orr @ 2008-03-30 12:46 UTC (permalink / raw)
  To: Lisa R.; +Cc: selinux

On 29/03/08 18:52, Lisa R. wrote:
> I realized that I need to run a restorecon after I semanage fcontext so
> that resolved my labeling issue.
> 
> However, I still have a problem with my logins.  They aren't being
> applied when I login.
> 
> When I semanage user -l as root I see my custom "selinux user" associated
> with the custom label.
> 
> When I semanage login -l as root I see my custom "selinux user" associated
> with the "login name" that I created with adduser.
> 
> However, when I login and run id -Z as my new user I see the default
> security context set when I created the user under root.

This is because the PAM in etch (and even sid) is too old to work with
semanage login.  You need to set the login context by editing
/etc/selinux/refpolicy-strict/context/users/<user>
(I forget the details).

Alternatively if you want to use semanage login (I had some problems with
the old way, but I forget what) you need to upgrade to PAM 0.99.9 or better.
 I have made Debian packages of this at
http://www.martinorr.name/2007/pam/
and Vaclav Ovsik has some at
http://linux.i.cz/debian/pool/main/p/pam/
You will probably need to rebuild these for etch.

> All I am trying to do is apply a new login to one of my users but it
> won't take.
> 
> I tried a reboot...
> 
> Did I break something or do I need to apply something?
> 
> This worked the other day without a problem (likely story but it did).

I have no idea why this was - it shouldn't.

Best wishes,

-- 
Martin Orr


* Re: Things were going great until...
  2008-03-29  6:05 Things were going great until Lisa R.
  2008-03-29 18:52 ` Login Identities not applied when logging in Lisa R.
@ 2008-03-31 14:20 ` Stephen Smalley
  1 sibling, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2008-03-31 14:20 UTC (permalink / raw)
  To: Lisa R.; +Cc: selinux


On Fri, 2008-03-28 at 23:05 -0700, Lisa R. wrote:
> Hello.
> 
> I am on a Debian Etch box with SELinux in permissive mode.  I am using the Strict policy.
> 
> Of course I have no problem adding a user with something like:
> useradd -c "SE Linux test user 1" -m -d /home/setest_1 -g users -s /bin/bash -u 1005 setest_1
> 
> I then create a new SElinux user group:
> semanage user -a -R 'user_r' -P selinuxtest selinuxtest_u

Isn't there already a SELinux user defined in your policy that maps to
user_r that you can use?  Like user_u?

> Finally I create the login for setest_1:
> semanage login -a -s selinuxtest_u setest_1

From the rest of the thread, it sounds like your pam (and presumably
sshd) just lacks the support for seusers and thus ignores semanage login
entries.

In which case you can either update your pam and friends, or you can
just directly add a semanage user entry for setest_1 and drop the
indirection of selinuxtest_u altogether.  

-- 
Stephen Smalley
National Security Agency
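The diagnosis in this thread is that a login program (PAM/sshd) without seusers support ignores what `semanage login` records, so the user lands in the default context even though `semanage login -l` looks right. The script below is an added example, not code from the thread or from any of its participants. It performs the check a practitioner would run after adding a mapping: resolve the login through a seusers table the way a seusers-aware login program does (exact login, then the `__default__` entry) and compare that with the SELinux user identity a real session reports via `id -Z`. The seusers table and the `id -Z` output are constructed inline to reproduce the thread's symptom; on a live box you would pipe in `/etc/selinux/<policy>/seusers` and the real `id -Z` string. The login `setest_1`, the SELinux user `selinuxtest_u` and the default `user_u` are the thread's values; the function names are my own, and the `%group` form of newer seusers files is deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the thread): does a login really get the SELinux
# user that the seusers table (what `semanage login` edits) assigns to it?

# Resolve LOGIN through a seusers table read from stdin.
# Format: login:seuser[:mls_range]; __default__ is the fallback entry.
# Usage: expected_seuser LOGIN < seusers
expected_seuser() {
    awk -F: -v login="$1" '
        $1 == login         { print $2; found = 1; exit }
        $1 == "__default__" { def = $2 }
        END                 { if (!found) print def }
    '
}

# First field of a context string such as the output of `id -Z`,
# e.g. "user_u:user_r:user_t" -> "user_u".
seuser_of_context() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Compare the seusers mapping for LOGIN with the context a session actually
# obtained. Exit status 0: mapping applied; 1: mapping ignored at login,
# which is the symptom reported in this thread.
# Usage: check_login_mapping LOGIN ACTUAL_CONTEXT < seusers
check_login_mapping() {
    login="$1"
    want=$(expected_seuser "$login")
    got=$(seuser_of_context "$2")
    if [ "$want" = "$got" ]; then
        echo "ok: $login runs as $got, as seusers intends"
        return 0
    fi
    echo "MISMATCH: seusers maps $login to $want, but the session runs as $got"
    echo "  the login program is not consulting seusers: update PAM, or define"
    echo "  an SELinux user named $login directly (the workaround given above)"
    return 1
}

# Constructed stand-in for /etc/selinux/<policy>/seusers (not a real file).
SAMPLE_SEUSERS='__default__:user_u
root:root
setest_1:selinuxtest_u'

# Constructed `id -Z` output reproducing the thread: the user got the
# default user_u identity instead of selinuxtest_u.
printf '%s\n' "$SAMPLE_SEUSERS" \
    | check_login_mapping setest_1 "user_u:user_r:user_t" || true

# On a live system, run it against the real files instead:
#   su - setest_1 -c 'id -Z' | xargs sh -c \
#     'check_login_mapping setest_1 "$0" < /etc/selinux/$(ls /etc/selinux | head -1)/seusers'
```

The check answers exactly the question raised in this thread: `semanage login -l` shows the table, while `id -Z` shows what the login path actually applied; a mismatch means the indirection from login name to SELinux user is being dropped somewhere between the two.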


