Old 06-15-2008, 04:36 PM
"prakash hallalli"
 
Fwd: :- Problem for mapping between the Linux user to SELinux user for fedora 8

Hi...



Now I am trying to configure RBAC using the MLS (Multilevel Security) policy for Fedora 8,
because I have read Dan Walsh's journal and he said the MLS policy is more useful for RBAC.

http://danwalsh.livejournal.com/?skip=40
Using RBAC In FC5/MLS Policy

So I am using the MLS policy for RBAC. Here I have installed the MLS packages and changed the targeted policy into the MLS policy.

Then I have configured the roles for users, but I couldn't set the roles
because when I am setting the roles it displays an error message.



Steps to reproduce:



1) Adding the SELinux audit user using semanage command.



# semanage user -a -R staff_r -R auditadm_r -P staff audit_u



2) Here I am checking the SELinux users.

[root@turtle2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

audit_u         staff      SystemLow  SystemLow                      staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh system_r
user_u          user       SystemLow  SystemLow                      system_r user_r

[root@turtle2 ~]#



3) Now I am mapping the Linux user to the SELinux user; when I set the
SELinux user it throws the error message as follows.



[root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash

libsemanage.validate_handler: selinux user audit does not exist No such file or directory.

libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.

libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.

/usr/sbin/semanage: Could not add login mapping for prakash

[root@turtle2 ~]#



4) I am using sysadm_r; the root information is as follows.

[root@turtle2 ~]# id

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh

[root@turtle2 ~]#



5) These are the audit log messages I am getting using the ausearch command.



[root@turtle2 ~]# ausearch -i -m AVC -sv no

type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386
syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808
a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) comm=gam_server exe=/usr/libexec/gam_server
subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)

type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc:  denied  {
read } for  pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1
scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir



I don't know why it's throwing this error. I have searched on Google but I couldn't find anything.

Please help me with what I should do.



Thanks,

Prakash




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
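
In the post above, step 1 creates the SELinux user as `audit_u`, step 3 passes `-s audit`, and libsemanage answers "selinux user audit does not exist". The following pre-check is an added example, not part of the original post: it confirms that a name appears in the `semanage user -l` listing before it is used in `semanage login -a -s`. The function names `list_seusers` and `check_seuser` are hypothetical, and the embedded listing is a constructed sample modelled on the output in step 2.

```shell
#!/bin/sh
# Constructed sample of `semanage user -l` output, modelled on the post's listing.
SAMPLE_USERS='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

audit_u         staff      SystemLow  SystemLow                      staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh system_r
user_u          user       SystemLow  SystemLow                      system_r user_r
'

# list_seusers (hypothetical helper): read a `semanage user -l` listing on stdin
# and print the first column of every row that follows the header line.
list_seusers() {
    awk 'seen && NF { print $1 } /^SELinux User/ { seen = 1 }'
}

# check_seuser NAME (hypothetical helper): read the listing on stdin.
# Returns 0 if NAME is an exact SELinux user name; otherwise returns 1 and
# prints defined users containing NAME (for example NAME with the _u suffix).
check_seuser() {
    want=$1
    users=$(list_seusers)
    if printf '%s\n' "$users" | grep -qxF -- "$want"; then
        echo "ok: '$want' is a defined SELinux user"
        return 0
    fi
    echo "error: SELinux user '$want' is not defined" >&2
    printf '%s\n' "$users" | grep -F -- "$want" | sed 's/^/  did you mean: /' >&2
    return 1
}

# Demo on the constructed sample: the name typed in step 3, then the name
# that step 1 actually created.
printf '%s\n' "$SAMPLE_USERS" | check_seuser audit || true
printf '%s\n' "$SAMPLE_USERS" | check_seuser audit_u

# On a live system the listing would come from the real tool instead:
#   semanage user -l | check_seuser audit_u
```
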
 
Old 06-16-2008, 02:09 PM
"prakash hallalli"
 
Fwd: :- Problem for mapping between the Linux user to SELinux user for fedora 8

Hi...



Now I am trying to configure RBAC using the MLS (Multilevel Security) policy for Fedora 8,
because I have read Dan Walsh's journal and he said the MLS policy is more useful for RBAC.

http://danwalsh.livejournal.com/?skip=40
Using RBAC In FC5/MLS Policy

So I am using the MLS policy for RBAC. Here I have installed the MLS packages and changed the targeted policy into the MLS policy.

Then I have configured the roles for users, but I couldn't set the roles
because when I am setting the roles it displays an error message.



Steps to reproduce:



1) Adding the SELinux audit user using semanage command.



# semanage user -a -R staff_r -R auditadm_r -P staff audit_u



2) Here I am checking the SELinux users.

[root@turtle2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

audit_u         staff      SystemLow  SystemLow                      staff_r auditadm_r
root            sysadm     SystemLow  SystemLow:SystemLow-SystemHigh system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow:SystemLow-SystemHigh sysadm_r
system_u        user       SystemLow  SystemLow:SystemLow-SystemHigh system_r
user_u          user       SystemLow  SystemLow                      system_r user_r

[root@turtle2 ~]#



3) Now I am mapping the Linux user to the SELinux user; when I set the
SELinux user it throws the error message as follows.



[root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash

libsemanage.validate_handler: selinux user audit does not exist No such file or directory.

libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.

libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.

/usr/sbin/semanage: Could not add login mapping for prakash

[root@turtle2 ~]#



4) I am using sysadm_r; the root information is as follows.

[root@turtle2 ~]# id

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh

[root@turtle2 ~]#



5) These are the audit log messages I am getting using the ausearch command.



[root@turtle2 ~]# ausearch -i -m AVC -sv no

type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386
syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808
a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) comm=gam_server exe=/usr/libexec/gam_server
subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)

type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc:  denied  {
read } for  pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1
scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir



I don't know why it's throwing this error. I have searched on Google but I couldn't find anything.

Please help me with what I should do.



Thanks,

Prakash





