* I cannot change my shell context
From: zheyeung @ 2009-09-02 3:07 UTC (permalink / raw)
To: fedora-selinux-list; +Cc: selinux
Hi everybody, I installed selinux-policy-targeted on my F11 and run in enforcing mode.
Now I want to change the SELinux context of /tmp/test, but failed. I thought the current shell domain was unconfined_t. Then I intended to change my shell context to root:sysadm_r:sysadm_t, but that also failed.
My project team plans to develop an SELinux policy for our system based on selinux-policy.src.rpm. I guess this package has not been developed? If it has been developed, why can I not change to sysadm_r:sysadm_t?
----------------------------------------------------------------------------
[root@localhost ~]# ls -lZ /tmp/testselinux
root root unconfined_u:object_r:user_t:user_tmp_t: s0 /tmp/testselinux
[root@localhost ~]# chcon unconfined_u:object_r:mytest_t /tmp/testselinux
chcon:failed to change context of '/tmp/testselinux' to 'unconfined_u:object_r:testselinux: s0 : permission denied
## here mytest_t is defined in myapp.pp, which was successfully loaded by "semodule -i myapp.pp"
[root@localhost ~]# newrole -r sysadm_r -t sysadm_t
unconfined_u:unconfined_r:unconfined_t: s0 is not valid context
[root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
After reboot, the graphical terminal cannot run. audit says that system_u:system_r:xdm_t requires "read" permission for system_u:object_r:httpd_sys_content_t.
[root@localhost ~]# id
context= root:unconfined_r:unconfined_t: s0-s0:c0-c1023
[root@localhost ~]# newrole -r sysadm_r -t sysadm_t
failed to exec shell: permission denied
2009-09-02
zheyeung
* Re: I cannot change my shell context
From: Dennis Wronka @ 2009-09-02 13:59 UTC (permalink / raw)
To: zheyeung; +Cc: fedora-selinux-list, selinux
In Fedora users run unconfined, which, from my understanding, means more or less
without restrictions imposed by SELinux.
Thus changing to sysadm_r shouldn't be necessary in the first place.
That you cannot change the context is probably because that context isn't
defined by the policy.
> Hi everybody, I installed selinux-policy-targeted on my F11 and run in
> enforcing mode. Now I want to change the SELinux context of /tmp/test, but
> failed. I thought the current shell domain was unconfined_t. Then I intended to
> change my shell context to root:sysadm_r:sysadm_t, but that also failed. My
> project team plans to develop an SELinux policy for our system based on
> selinux-policy.src.rpm. I guess this package has not been developed?
> If it has been developed, why can I not change to sysadm_r:sysadm_t?
>
> ----------------------------------------------------------------------------
>
> [root@localhost ~]# ls -lZ /tmp/testselinux
> root root unconfined_u:object_r:user_t:user_tmp_t: s0 /tmp/testselinux
>
> [root@localhost ~]# chcon unconfined_u:object_r:mytest_t /tmp/testselinux
> chcon:failed to change context of '/tmp/testselinux' to
> 'unconfined_u:object_r:testselinux: s0 : permission denied
>
> ## here mytest_t is defined in myapp.pp, which was successfully loaded by
> "semodule -i myapp.pp"
>
> [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> unconfined_u:unconfined_r:unconfined_t: s0 is not valid context
>
> [root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
>
> After reboot, the graphical terminal cannot run. audit says that
> system_u:system_r:xdm_t requires "read" permission for
> system_u:object_r:httpd_sys_content_t.
>
> [root@localhost ~]# id
> context= root:unconfined_r:unconfined_t: s0-s0:c0-c1023
>
> [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> failed to exec shell: permission denied
> 2009-09-02
>
>
>
> zheyeung
* Re: I cannot change my shell context
From: Dennis Wronka @ 2009-09-03 14:59 UTC (permalink / raw)
To: Remmolt G. Zwartsenberg; +Cc: selinux
Sorry, but I seem to be missing your point.
> I use Python as middleware between Windows and Linux partitions.
> The only 'root' account is used by cron (and 2 64-bit Intel Xeons, of
> course).
>
> All users scream for Windows; this is why I hate userspace issues,
> especially @ Shell.
>
> ~remmolt
>
> -----Original message-----
> From: owner-selinux@tycho.nsa.gov
> [mailto:owner-selinux@tycho.nsa.gov] On behalf of Dennis Wronka
> Sent: Wednesday, September 02, 2009 3:59 PM
> To: zheyeung
> CC: fedora-selinux-list; selinux
> Subject: Re: I cannot change my shell context
>
>
> In Fedora users run unconfined, which, from my understanding, means more or
> less without restrictions imposed by SELinux.
> Thus changing to sysadm_r shouldn't be necessary in the first place.
>
> That you cannot change the context is probably because that context isn't
> defined by the policy.
>
> > Hi everybody, I installed selinux-policy-targeted on my F11 and run in
> > enforcing mode. Now I want to change the SELinux context of /tmp/test, but
> > failed. I thought the current shell domain was unconfined_t. Then I intended to
> > change my shell context to root:sysadm_r:sysadm_t, but that also failed. My
> > project team plans to develop an SELinux policy for our system based on
> > selinux-policy.src.rpm. I guess this package has not been developed?
> > If it has been developed, why can I not change to sysadm_r:sysadm_t?
> >
> > ----------------------------------------------------------------------------
> >
> > [root@localhost ~]# ls -lZ /tmp/testselinux
> > root root unconfined_u:object_r:user_t:user_tmp_t: s0 /tmp/testselinux
> >
> > [root@localhost ~]# chcon unconfined_u:object_r:mytest_t /tmp/testselinux
> > chcon:failed to change context of '/tmp/testselinux' to
> > 'unconfined_u:object_r:testselinux: s0 : permission denied
> >
> > ## here mytest_t is defined in myapp.pp, which was successfully loaded by
> > "semodule -i myapp.pp"
> >
> > [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> > unconfined_u:unconfined_r:unconfined_t: s0 is not valid context
> >
> > [root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
> >
> > After reboot, the graphical terminal cannot run. audit says that
> > system_u:system_r:xdm_t requires "read" permission for
> > system_u:object_r:httpd_sys_content_t.
> >
> > [root@localhost ~]# id
> > context= root:unconfined_r:unconfined_t: s0-s0:c0-c1023
> >
> > [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> > failed to exec shell: permission denied
> > 2009-09-02
> >
> >
> >
> > zheyeung
* Re: I cannot change my shell context
From: Daniel J Walsh @ 2009-09-04 13:02 UTC (permalink / raw)
To: Dennis Wronka; +Cc: Remmolt G. Zwartsenberg, selinux
First off, sysadm_r:sysadm_t is only used by people trying to run in a strict policy mode. Most people use targeted and log in as unconfined_t. If your system has you logging in as something other than unconfined_t, then you might have a bug in your configuration.
When using SELinux, you usually do not change your "context" manually. You usually write transition rules. A transition rule says something like: when the unconfined_t domain executes a file labeled firefox_exec_t, it will transition to firefox_t.
So the user does not need to do something like runcon -t firefox_t /usr/bin/firefox.
If you are using commands like runcon to change the context of applications, there are rules in policy that govern what labels you can transition to, and what roles you can change to.
If you are running as unconfined_r, and you try to run an app with a role of sysadm_r, this might get denied.
Finally, only certain types can be assigned to a process; you are not allowed to assign a file type to a process. So something like
runcon -t firefox_exec_t /usr/bin/firefox
would be rejected since firefox_exec_t is a file type, not a process type.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
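As an added example, not part of this thread and not Dan Walsh's or the reference policy's own code, the script below writes a minimal policy module that encodes the transition rule Dan describes: when a process in unconfined_t executes a file labelled myapp_exec_t, policy moves the new process into the myapp_t domain, so neither runcon nor newrole is needed, and myapp_exec_t remains a file type that can never be assigned to a process directly. The type names myapp_t and myapp_exec_t, the module name myapp and the path /usr/local/bin/myapp are assumptions; the policy sources go to a directory of your choice, and the build step only runs when the selinux-policy-devel Makefile and semodule are present.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SELinux policy module that
# lets policy, not the user, move a process from unconfined_t into myapp_t
# when it executes a binary labelled myapp_exec_t. The names myapp_t,
# myapp_exec_t and /usr/local/bin/myapp are assumptions for the example.

# write_myapp_policy DIR: write myapp.te and myapp.fc into DIR.
write_myapp_policy() {
    dir="$1"
    cat > "$dir/myapp.te" <<'EOF'
policy_module(myapp, 1.0)

# myapp_t is the domain (process) type; myapp_exec_t is the file type of the
# executable that serves as the entry point into that domain.
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

gen_require(`
    type unconfined_t;
    role unconfined_r;
')

# Allow the transition and make it automatic: unconfined_t executing a file
# of type myapp_exec_t yields a process running as myapp_t.
domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t)

# The unconfined_r role must be permitted to hold the new domain type,
# otherwise the resulting context would be invalid.
role unconfined_r types myapp_t;
EOF
    cat > "$dir/myapp.fc" <<'EOF'
/usr/local/bin/myapp    --    gen_context(system_u:object_r:myapp_exec_t,s0)
EOF
}

# build_and_load DIR: compile DIR/myapp.te + myapp.fc into myapp.pp with the
# policy devel Makefile, load it, and relabel the binary. Returns 2 when the
# toolchain is absent so the sources can be built elsewhere.
build_and_load() {
    dir="$1"
    if [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; then
        (cd "$dir" && make -f /usr/share/selinux/devel/Makefile myapp.pp) || return 1
        semodule -i "$dir/myapp.pp" || return 1
        restorecon -v /usr/local/bin/myapp
        echo "loaded; check the rule with: sesearch -T -s unconfined_t -t myapp_exec_t"
    else
        echo "SELinux devel Makefile or semodule not found; sources left in $dir" >&2
        return 2
    fi
}
```

Usage on an SELinux host with selinux-policy-devel installed: `write_myapp_policy /tmp/myapp && build_and_load /tmp/myapp`, then run /usr/local/bin/myapp from an unconfined shell and confirm with `ps -eZ` that it runs as myapp_t. Trying `runcon -t myapp_exec_t /usr/local/bin/myapp` fails for exactly the reason Dan gives, because myapp_exec_t carries no domain attribute, whereas the automatic transition needs no manual context change at all.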