* Base module, modules.conf
From: Cheyenne Solo @ 2009-01-16 17:43 UTC
To: selinux

Hello list,

This is my first time writing to the list, and I'm an SELinux newbie.

I'm trying to do some experiments on SELinux that require me to replace the base module. I have a policy I want to use in its place, but I'm having trouble on a couple of different fronts. The easiest way I can think of to change the base module is to redefine what makes it up--that is, modify the modules.conf file. Neither of the makefiles has any conf target, however, and I have been unable to generate it. I would also like to know how to generate a base module from scratch.

So my question is: how do I create a base module? How is it different from regular policy modules? How can I generate the modules.conf file and use it to modify the base? I have found very little on this in any book or on the Internet.

Relevant system stats: Fedora 8 running the targeted reference policy.

Thanks,
Ayla
* Re: Base module, modules.conf
From: Stephen Smalley @ 2009-01-16 19:03 UTC
To: Cheyenne Solo
Cc: selinux, Daniel J Walsh, Christopher J. PeBenito

On Fri, 2009-01-16 at 12:43 -0500, Cheyenne Solo wrote:
> Hello list,
>
> This is my first time writing to the list, and I'm an SELinux newbie.
>
> I'm trying to do some experiments on SELinux that require me to
> replace the base module.

Can you explain why? Often it turns out that people can in fact do what they want without replacing the base module these days (particularly given the merge of strict and targeted policies), so it would be good to first double check that you truly need to do this.

> I have a policy I want to use in its place, but I'm having trouble on
> a couple of different fronts. The easiest way I can think of to change
> the base module is to redefine what makes it up--that is, modify the
> modules.conf file. Neither of the makefiles has any conf target,
> however, and I have been unable to generate it. I would also like to
> know how to generate a base module from scratch.

What Makefiles are you referring to? The refpolicy Makefile does have a conf target.

> So my question is: how do I create a base module? How is it different
> from regular policy modules? How can I generate the modules.conf file
> and use it to modify the base? I have found very little on this in any
> book or on the Internet.
>
> Relevant system stats: Fedora 8 running the targeted reference policy.

You need to first obtain a policy source tree as your starting point. If you want to minimize your divergence from the distro-shipped policy, then download the selinux-policy source RPM (.src.rpm) for your distro, expand it, and then customize as desired and rebuild it (Dan - is there a recipe documented somewhere for doing that?). If you are less concerned about divergence/compatibility with the distro-shipped policy, then you can download an upstream refpolicy tarball from oss.tresys.com/projects/refpolicy and build it, but you'll need to adjust the upstream build.conf settings (or override them on the command-line) if you want to match expected behaviors in Fedora.

BTW, Fedora 8 has been EOL'd.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: Base module, modules.conf
From: Dominick Grift @ 2009-01-16 19:23 UTC
To: Stephen Smalley
Cc: Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito

On Fri, 2009-01-16 at 14:03 -0500, Stephen Smalley wrote:
> You need to first obtain a policy source tree as your starting point.
> If you want to minimize your divergence from the distro-shipped policy,
> then download the selinux-policy source RPM (.src.rpm) for your distro,
> expand it, and then customize as desired and rebuild it (Dan - is there
> a recipe documented somewhere for doing that?).

I have created a screencast that focuses on just that. However, the file is 200MB and I do not have the ability to host it.
* Re: Base module, modules.conf
From: Stephen Smalley @ 2009-01-16 19:52 UTC
To: domg472
Cc: Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito

On Fri, 2009-01-16 at 20:23 +0100, Dominick Grift wrote:
> On Fri, 2009-01-16 at 14:03 -0500, Stephen Smalley wrote:
>
> > You need to first obtain a policy source tree as your starting point.
> > If you want to minimize your divergence from the distro-shipped policy,
> > then download the selinux-policy source RPM (.src.rpm) for your distro,
> > expand it, and then customize as desired and rebuild it (Dan - is there
> > a recipe documented somewhere for doing that?).
>
> I have created a screencast that focuses on just that. However, the
> file is 200MB and I do not have the ability to host it.

I just meant writing down the sequence of commands to set up a buildable policy source tree from the .src.rpm. Screencast seems a bit overkill for that - it really ought to just be part of the Fedora SELinux FAQ or Guide IMHO.

--
Stephen Smalley
National Security Agency
* Re: Base module, modules.conf
From: Jacques Thomas @ 2009-01-19 20:53 UTC
To: Stephen Smalley
Cc: domg472, Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito

Stephen Smalley wrote:
> On Fri, 2009-01-16 at 20:23 +0100, Dominick Grift wrote:
>> I have created a screencast that focuses on just that. However, the
>> file is 200MB and I do not have the ability to host it.
>
> I just meant writing down the sequence of commands to set up a buildable
> policy source tree from the .src.rpm. Screencast seems a bit overkill
> for that - it really ought to just be part of the Fedora SELinux FAQ or
> Guide IMHO.

Here's what works for me to tweak the policy on a Fedora 8 system.

Make sure you have the latest policy package (otherwise, you might not be able to get it in source version):

    yum update
    yum install selinux-policy-targeted

Figure out the version of the rpm:

    rpm -qa | grep selinux-policy-targeted

Get the corresponding source rpm:

    yumdownloader --source `rpm -qa | grep policy-targeted`

Voila! The source rpm is in your current directory.

From there on, regular instructions for rebuilding rpms apply. The following is a short tutorial.
http://www.hacktux.com/fedora/source/rpm

HTH,
Jacques
* Re: Base module, modules.conf
From: Stephen Smalley @ 2009-01-20 14:26 UTC
To: Jacques Thomas
Cc: domg472, Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito, Murray McAllister

On Mon, 2009-01-19 at 15:53 -0500, Jacques Thomas wrote:
> Here's what works for me to tweak the policy on a Fedora 8 system.
>
> Make sure you have the latest policy package (otherwise, you might not
> be able to get it in source version):
>     yum update
>     yum install selinux-policy-targeted
>
> Figure out the version of the rpm:
>     rpm -qa | grep selinux-policy-targeted
>
> Get the corresponding source rpm:
>     yumdownloader --source `rpm -qa | grep policy-targeted`
>
> Voila! The source rpm is in your current directory.
>
> From there on, regular instructions for rebuilding rpms apply. The
> following is a short tutorial.
> http://www.hacktux.com/fedora/source/rpm

I think we need something more specific to the policy, similar to the instructions for building a custom kernel at
http://fedoraproject.org/wiki/Docs/CustomKernel

Getting a buildable policy tree that matches the Fedora shipped policy configuration isn't as straightforward as one might like, since the spec file defers most of the real work to the %install target and specifies different build.conf settings (via command-line override to make) and different modules.conf configurations based on the particular policy type. The question does seem to keep arising on fedora-selinux-list and selinux list, so it would be helpful to have it documented somewhere.

--
Stephen Smalley
National Security Agency
* Re: Base module, modules.conf
From: Joe Nall @ 2009-01-20 15:58 UTC
To: Stephen Smalley
Cc: Jacques Thomas, domg472, Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito, Murray McAllister

On Jan 20, 2009, at 8:26 AM, Stephen Smalley wrote:
> I think we need something more specific to the policy, similar to the
> instructions for building a custom kernel at
> http://fedoraproject.org/wiki/Docs/CustomKernel
>
> Getting a buildable policy tree that matches the Fedora shipped policy
> configuration isn't as straightforward as one might like, since the spec
> file defers most of the real work to the %install target and specifies
> different build.conf settings (via command-line override to make) and
> different modules.conf configurations based on the particular policy
> type. The question does seem to keep arising on fedora-selinux-list and
> selinux list, so it would be helpful to have it documented somewhere.

I'm sure Dan has better mojo, but I:
- install the src rpm
- add patches to SOURCE directory
- patch spec file to incorporate patches in SOURCE
- build policy rpms using patched spec file

joe
* Re: Base module, modules.conf
From: Stephen Smalley @ 2009-01-20 19:25 UTC
To: Joe Nall
Cc: Jacques Thomas, domg472, Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito, Murray McAllister

On Tue, 2009-01-20 at 09:58 -0600, Joe Nall wrote:
> I'm sure Dan has better mojo, but I:
> - install the src rpm
> - add patches to SOURCE directory
> - patch spec file to incorporate patches in SOURCE
> - build policy rpms using patched spec file

Yes, that works if you have your changes in the form of a patch and want to do things the rpm way. But not so much if you'd just like to create a buildable source tree that matches the Fedora configuration that you can then edit at will and build manually (which you might later use as the basis for creating a patch that you would then be able to add to the .src.rpm for distribution purposes). The "add patch file to spec and rebuild with rpm" is fine for packaging but not so much for initially developing one's changes, at least in my view.

For many (simpler) packages, you can just do a rpmbuild -bp on the spec file and you'll have a buildable source tree that you can edit and build manually. But not in the case of selinux-policy, where it is building N different variants of policy during %install and pulling in different conf files accordingly.

I've done it by hand before in order to make custom changes to a base module (e.g. defining new kernel classes/perms) for testing purposes, but it would be nice if the process were captured and maintained as a recipe somewhere w/o requiring people to reverse engineer it from the .spec file.

--
Stephen Smalley
National Security Agency
* Re: Base module, modules.conf
From: Jacques Thomas @ 2009-01-20 20:31 UTC
To: Stephen Smalley
Cc: Joe Nall, domg472, Cheyenne Solo, selinux, Daniel J Walsh, Christopher J. PeBenito, Murray McAllister

Stephen Smalley wrote:
> Yes, that works if you have your changes in the form of a patch and want
> to do things the rpm way. But not so much if you'd just like to create
> a buildable source tree that matches the Fedora configuration that you
> can then edit at will and build manually (which you might later use as
> the basis for creating a patch that you would then be able to add to
> the .src.rpm for distribution purposes). The "add patch file to spec
> and rebuild with rpm" is fine for packaging but not so much for
> initially developing one's changes, at least in my view.
>
> For many (simpler) packages, you can just do a rpmbuild -bp on the spec
> file and you'll have a buildable source tree that you can edit and build
> manually. But not in the case of selinux-policy, where it is building N
> different variants of policy during %install and pulling in different
> conf files accordingly.
>
> I've done it by hand before in order to make custom changes to a base
> module (e.g. defining new kernel classes/perms) for testing purposes,
> but it would be nice if the process were captured and maintained as a
> recipe somewhere w/o requiring people to reverse engineer it from
> the .spec file.

This would help me too. :-) (I am not done reverse-engineering the package build process)

Best,
Jacques
* Re: Base module, modules.conf
From: Cheyenne Solo @ 2009-02-04 20:52 UTC
To: Stephen Smalley
Cc: selinux, Daniel J Walsh

On Fri, Jan 16, 2009 at 2:03 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2009-01-16 at 12:43 -0500, Cheyenne Solo wrote:
> > I'm trying to do some experiments on SELinux that require me to
> > replace the base module.
>
> Can you explain why? Often it turns out that people can in fact do what
> they want without replacing the base module these days (particularly
> given the merge of strict and targeted policies), so it would be good to
> first double check that you truly need to do this.

You're quite right; after more fiddling and thinking I've found I can do what I want (and it's better to do so anyway) with the base policy intact. I've started using Fedora 7 so I can use the strict policy and its user mapping capabilities for my (A)RBAC experimentation. While I would still like to be able to modify the base policy, I can do without.

I have hit a different roadblock, however, dealing with custom user mappings: I cannot get users I've created to map to SELinux users I've defined. I've declared the users and their roles and types in a module that I have installed into the policy. When I added mappings to /etc/selinux/strict/seusers, either by hand or with semanage, the user ends up with the context system_u:system_r:xdm_t:SystemHigh-SystemLow. I have files in the /etc/selinux/strict/contexts/users/ directory for each user and have put the types and roles appropriately in the default_type file.

How does the login process really determine these mappings, and why would all of my custom mappings be redirected to system_u:system_r:xdm_t? I am quite puzzled.

Thanks,
Ayla
* Re: Base module, modules.conf
From: Dominick Grift @ 2009-02-04 21:53 UTC
To: Cheyenne Solo
Cc: Stephen Smalley, selinux, Daniel J Walsh

On Wednesday 04-02-2009 at 15:52 [timezone -0500], Cheyenne Solo wrote:
> I've started using Fedora 7 so I can use the strict policy and its
> user mapping capabilities for my (A)RBAC experimentation.

You can use RBAC just as well with Fedora 10. If required you can even uninstall the unconfined module which will turn your targeted policy into strict policy. Fedora 7 policy is no longer maintained.

> I have hit a different roadblock, however, dealing with custom user
> mappings: I cannot get users I've created to map to SELinux users I've
> defined. I've declared the users and their roles and types in a module
> that I have installed into the policy.

Are you sure that this module is proper?

> When I added mappings to /etc/selinux/strict/seusers, either by hand
> or with semanage, the user ends up with the context
> system_u:system_r:xdm_t:SystemHigh-SystemLow.

Are you sure that the mappings are created properly?

> I have files in the /etc/selinux/strict/contexts/users/ directory for
> each user and have put the types and roles appropriately in the
> default_type file.

Did you also edit the contexts in the user contexts file? Not sure what, if anything, is required in the default_type file.

> How does the login process really determine these mappings, and why
> would all of my custom mappings be redirected to
> system_u:system_r:xdm_t? I am quite puzzled.

Basically it is the following steps, I think:

You create and install a proper user domain.
You add a proper user mapping that has access to your new role.
You add a proper login mapping that maps the Linux user to the SELinux user.
You create a proper default context file. It has the name of the SELinux user and it has proper default contexts defined in it.

This should, at least in my view in Fedora 10, do it.

> Thanks,
> Ayla
* Re: Base module, modules.conf
From: Stephen Smalley @ 2009-02-05 17:51 UTC
To: Cheyenne Solo
Cc: selinux, Daniel J Walsh, Christopher J. PeBenito

On Wed, 2009-02-04 at 15:52 -0500, Cheyenne Solo wrote:
> You're quite right; after more fiddling and thinking I've found I can
> do what I want (and it's better to do so anyway) with the base policy
> intact. I've started using Fedora 7 so I can use the strict policy and
> its user mapping capabilities for my (A)RBAC experimentation. While I
> would still like to be able to modify the base policy, I can do
> without.

No need to regress to Fedora 7; as I said, the strict and targeted policies have been merged into a single policy in Fedora 8 and later such that you can map users to confined roles and even remove unconfined altogether if you wish (although that requires care and likely isn't required for your purposes). You really should be using a Fedora release that is still supported, like Fedora 10.

> I have hit a different roadblock, however, dealing with custom user
> mappings: I cannot get users I've created to map to SELinux users I've
> defined. I've declared the users and their roles and types in a module
> that I have installed into the policy. When I added mappings
> to /etc/selinux/strict/seusers, either by hand or with semanage, the
> user ends up with the context
> system_u:system_r:xdm_t:SystemHigh-SystemLow. I have files in
> the /etc/selinux/strict/contexts/users/ directory for each user and
> have put the types and roles appropriately in the default_type file.
>
> How does the login process really determine these mappings, and why
> would all of my custom mappings be redirected to
> system_u:system_r:xdm_t? I am quite puzzled.

system_u:system_r:xdm_t is the context of the graphical display manager, so if you are ending up in that context upon a graphical login, that means that your graphical display manager did not successfully set the context to anything for the user session. It may have logged some errors to /var/log/messages or /var/log/secure. It shouldn't have let you login at all in enforcing mode.

Did you follow the instructions in:
http://oss.tresys.com/projects/refpolicy/wiki/RoleCreation

The general sequence is:
1) Look up the Linux user in the seusers file, thereby obtaining a SELinux user and a level. This is handled by the getseuserbyname() function in libselinux.
2) Get the list of security contexts for that (SELinux user, level) pair reachable from the caller's context. This is handled by the get_ordered_context_list_with_level() function in libselinux. Internally, this asks the kernel for a list of such contexts based on policy and then orders and prunes the list based on the default_contexts file.

There are some sample utilities (getseuser, getdefaultcon) in the libselinux source tree that can be used to directly exercise those functions for debugging purposes.

It would help for you to post your actual module and config files.

--
Stephen Smalley
National Security Agency
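The two login-time steps Stephen lists (seusers lookup, then ordering of the kernel's reachable contexts against default_contexts), and the checklist Dominick gives just before it, as one runnable script. This is an added example, not code from the thread or from libselinux. It models each step over constructed files so the lookup and the ordering can be exercised offline, and ends with the on-host commands (semanage, getseuser, getdefaultcon, the logs Stephen points to). Assumptions: the seusers and default_contexts contents, the SELinux user ayla_u, role ayla_r and type ayla_t, and the list of reachable contexts are all invented; the ordering rule implemented (contexts named on the matching default_contexts line first, in that order, then any other reachable context; no candidates means login cannot set a context) is a reading of libselinux's get_ordered_context_list(), not a copy of it.

```shell
#!/bin/sh
# Added example (not from the thread or libselinux): model the seusers
# lookup and default_contexts ordering over constructed files, then the
# commands to run on the real system. Ordering rule is an assumption.
set -e

# Step 1: seusers maps a Linux login to an SELinux user and level,
# one 'login:seuser:level' per line; __default__ is the fallback entry.
lookup_seuser() {
    login=$1 file=$2
    found= default=
    while IFS=: read -r name seuser level; do   # level keeps further ':' (MLS ranges)
        case $name in ''|'#'*) continue ;; esac
        [ "$name" = "$login" ] && found="$seuser:$level"
        [ "$name" = "__default__" ] && default="$seuser:$level"
    done < "$file"
    if [ -n "$found" ]; then echo "$found"
    elif [ -n "$default" ]; then echo "$default"
    else return 1                               # no mapping at all
    fi
}

# Step 2: given the caller's context and the contexts the kernel says the
# SELinux user can reach from it, put the ones named on the default_contexts
# line for the caller's role:type first (in listed order), then the rest.
# An empty result is the failure in the thread: the display manager has
# nothing to set and the session stays in xdm_t.
order_contexts() {
    caller=$1 file=$2; shift 2                  # $@ = reachable contexts
    r=${caller#*:}; crole=${r%%:*}; r=${r#*:}; ctype=${r%%:*}
    line=
    while read -r from rest; do
        case $from in ''|'#'*) continue ;; esac
        frole=${from%%:*}; f=${from#*:}; ftype=${f%%:*}
        if [ "$frole" = "$crole" ] && [ "$ftype" = "$ctype" ]; then
            line=$rest; break
        fi
    done < "$file"
    ordered=
    for want in $line; do                       # entries are role:type:level, no user
        for have in "$@"; do
            [ "${have#*:}" = "$want" ] && ordered="$ordered $have"
        done
    done
    for have in "$@"; do                        # append anything the file did not mention
        case " $ordered " in *" $have "*) ;; *) ordered="$ordered $have" ;; esac
    done
    ordered=${ordered# }
    [ -n "$ordered" ] || return 1
    echo "$ordered"
}

# Constructed stand-ins for /etc/selinux/<type>/seusers and
# /etc/selinux/<type>/contexts/default_contexts.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SEUSERS=$tmp/seusers
DEFAULTS=$tmp/default_contexts
cat > "$SEUSERS" <<'EOF'
# login:seuser:level (constructed)
__default__:user_u:s0
root:root:s0-s0:c0.c1023
ayla:ayla_u:s0
EOF
cat > "$DEFAULTS" <<'EOF'
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0         user_r:user_t:s0 staff_r:staff_t:s0
EOF

XDM=system_u:system_r:xdm_t:s0
# What the kernel would hand back for ayla_u from xdm_t if the module
# declares 'user ayla_u roles { user_r staff_r ayla_r } ...' (constructed).
REACHABLE="ayla_u:staff_r:staff_t:s0 ayla_u:user_r:user_t:s0 ayla_u:ayla_r:ayla_t:s0"

echo "seusers: ayla -> $(lookup_seuser ayla "$SEUSERS")"
echo "ordered: $(order_contexts "$XDM" "$DEFAULTS" $REACHABLE)"

# The same two steps on the real box. getseuser/getdefaultcon are built
# from libselinux's utils/ and may not be packaged; run with --host <login>.
debug_on_host() {
    semanage login -l                           # step 1 as semanage sees it
    semanage user -l                            # roles each SELinux user may take
    getseuser "$1" "$XDM"                       # step 1 via getseuserbyname()
    getdefaultcon "$1" "$XDM"                   # step 2 via get_ordered_context_list*()
    grep -i -e selinux -e context /var/log/secure /var/log/messages | tail -n 20
}
if [ "${1:-}" = "--host" ]; then debug_on_host "${2:-ayla}"; fi
```

If getdefaultcon prints nothing for the login while semanage login -l shows the mapping, the break is in step 2: either the SELinux user does not hold the role, or no default_contexts (or contexts/users/<seuser>) line for the caller's role:type names a context the kernel returned, which is exactly the state in which the display manager leaves the session in its own xdm_t context.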