02-25-2009, 09:35 AM
Dominick Grift

Fwd: SELinux user login problem

On Wed, 2009-02-25 at 16:01 +0530, prakash hallalli wrote:
>
> Hi All,
>
> I have created 'myuser' user and created custom module policy
> for user.
> I have installed successfully module, but when i logging myuser
> in
> i will get bash prompt.
>
> I have followed as below steps for creating module.
>
> #vi myuser.te
> policy_module(myuser, 0.0.1)
> role myuser_r;
> userdom_unpriv_user_templete(myuser)
>
> #make -f /usr/share/selinux/devel/Makefile
> #sudo semodule -i myuser.pp
> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>
> #useradd -Z myuser1 myuser1
>
> I did all the step when i try login in system following error will
> display.
>
> gtt login: myuser
> password: XXXXXX
>
> -bash: /home/myuser/.bash_profile: Permission denied
> -bash-3.1$
>
> Please give what should i have to do.

1. Create a source policy module:
_________________________________

mkdir ~/myuser; cd ~/myuser;
echo "policy_module(myuser, 0.0.1)" > myuser.te;
echo "role myuser_r;" >> myuser.te;
echo "userdom_unpriv_user_template(myuser)" >> myuser.te;

2. Build the source policy module:
__________________________________

make -f /usr/share/selinux/devel/Makefile

3. Install the binary policy module:
____________________________________

sudo semodule -i myuser.pp

4. Create default contexts for myuser:
______________________________________

echo "system_r:local_login_t:s0 myuser_r:myuser_t:s0" > /etc/selinux/targeted/contexts/users/myuser
echo "system_r:remote_login_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:sshd_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:crond_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:xdm_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_sudo_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:initrc_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser

5. Create a SELinux user mapping for myuser:
____________________________________________

sudo semanage user -a -L s0 -r s0-s0 -R "myuser_r" -P user myuser

6. Add new myuser user for prakash:
___________________________________

sudo useradd -Z myuser prakash



> Thanks,
> Prakash.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
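A consistency check for the six steps above, written as an added example and not Dominick's or the list's code: it parses the .te source, the contexts/users file and the semanage command line and reports wherever the role, the type prefix and the SELinux user disagree (the original post had a misspelled template macro, `-L` where `-R` was meant, and `myuser1_r` for a module named `myuser`). The option names and file format are taken from the thread; naming the SELinux user after the module is the thread's convention and is assumed here.

```python
import re
import shlex

# Regexes for the three pieces of a refpolicy user-domain module (.te file).
RE_MODULE = re.compile(r'policy_module\(\s*(\w+)\s*,')
RE_ROLE = re.compile(r'^\s*role\s+(\w+)\s*;', re.MULTILINE)
RE_MACRO = re.compile(r'^\s*(userdom_\w+)\(\s*(\w+)\s*\)', re.MULTILINE)
# Template macros this check accepts; the thread only uses the unprivileged one.
KNOWN_TEMPLATES = {"userdom_unpriv_user_template"}


def parse_te(te_text):
    """Return (module name, declared roles, [(macro, prefix), ...])."""
    m = RE_MODULE.search(te_text)
    module = m.group(1) if m else None
    return module, RE_ROLE.findall(te_text), RE_MACRO.findall(te_text)


def parse_contexts(contexts_text):
    """Parse a contexts/users file.  Each non-empty line is a source context
    followed by one or more default contexts, each written role:type:range."""
    entries = []
    for line in contexts_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        ctxs = [f.split(":", 2) for f in fields]  # range may itself contain ':'
        if any(len(c) != 3 for c in ctxs):
            raise ValueError("malformed contexts line: %r" % line)
        entries.append((ctxs[0], ctxs[1:]))
    return entries


def parse_semanage(cmd):
    """Collect the valued options of a `semanage user -a ...` command line and
    return them with the trailing positional argument (the SELinux user)."""
    argv = shlex.split(cmd)
    opts, positional, i = {}, [], 0
    while i < len(argv):
        if argv[i] in ("-L", "-r", "-R", "-P") and i + 1 < len(argv):
            opts.setdefault(argv[i], []).append(argv[i + 1])
            i += 2
        else:
            positional.append(argv[i])
            i += 1
    return opts, (positional[-1] if positional else None)


def check_user_domain(te_text, contexts_text, semanage_cmd):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    module, roles, macros = parse_te(te_text)
    if module is None:
        return ["no policy_module() declaration in .te"]
    role, domain = module + "_r", module + "_t"
    if role not in roles:
        problems.append("role %s is not declared in the .te" % role)
    if not macros:
        problems.append("no userdom_*_template() call in the .te")
    for macro, prefix in macros:
        if macro not in KNOWN_TEMPLATES:
            problems.append("unknown macro %s (typo?)" % macro)
        if prefix != module:
            problems.append("template prefix %s != module name %s" % (prefix, module))
    entries = parse_contexts(contexts_text)
    if not entries:
        problems.append("contexts/users file has no entries")
    for src, targets in entries:
        for r, t, _range in targets:
            if (r, t) != (role, domain):
                problems.append("default context for %s is %s:%s, expected %s:%s"
                                % (":".join(src), r, t, role, domain))
    opts, seuser = parse_semanage(semanage_cmd)
    if len(opts.get("-L", [])) > 1:
        problems.append("-L given twice to semanage (the role option is -R)")
    if opts.get("-R", [None])[0] != role:
        problems.append("semanage -R %r does not match role %s"
                        % (opts.get("-R", [None])[0], role))
    if seuser != module:  # assumed convention: SELinux user named after the module
        problems.append("SELinux user %r does not match module name %s" % (seuser, module))
    return problems


# Constructed inputs mirroring the thread: the corrected version from the
# reply above and the version from the original post.
TE_OK = "policy_module(myuser, 0.0.1)\nrole myuser_r;\nuserdom_unpriv_user_template(myuser)\n"
CONTEXTS_OK = "\n".join(
    "%s myuser_r:myuser_t:s0" % src for src in (
        "system_r:local_login_t:s0", "system_r:remote_login_t:s0", "system_r:sshd_t:s0",
        "system_r:crond_t:s0", "system_r:xdm_t:s0", "myuser_r:myuser_su_t:s0",
        "myuser_r:myuser_sudo_t:s0", "system_r:initrc_su_t:s0", "myuser_r:myuser_t:s0"))
CMD_OK = 'sudo semanage user -a -L s0 -r s0-s0 -R "myuser_r" -P user myuser'

TE_BAD = "policy_module(myuser, 0.0.1)\nrole myuser_r;\nuserdom_unpriv_user_templete(myuser)\n"
CMD_BAD = 'semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1'

if __name__ == "__main__":
    for label, args in (("corrected", (TE_OK, CONTEXTS_OK, CMD_OK)),
                        ("original", (TE_BAD, "", CMD_BAD))):
        print(label, check_user_domain(*args) or ["ok"])
```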
 
02-25-2009, 02:47 PM
Daniel J Walsh

Fwd: SELinux user login problem

prakash hallalli wrote:
> Hi All,
>
> I have created 'myuser' user and created custom module policy for
> user.
> I have installed successfully module, but when i logging myuser in
> i will get bash prompt.
Which OS and version?

Depending on the policy you might need to relabel the homedir to get the
labels correct.

restorecon -R -v /home

 
02-26-2009, 03:53 PM
prakash hallalli

Fwd: SELinux user login problem

Hi All,

I am using CentOS-5 x86_64. I have followed the steps you sent,
but still I am getting the same user login problem. I am not able to log the
user in properly.

These are the steps I have followed.

1. Create a source policy module:

#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);

2. Build the source policy module:

#make -f /usr/share/selinux/devel/Makefile

3. Install the binary policy module:

#semodule -i prakash.pp

4. Create default contexts for prakash:

#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:system_local_login_t:s0  prakash_r:prakash_t:s0
system_r:remote_login_t:s0        prakash_r:prakash_t:s0
system_r:sshd_t:s0                prakash_r:prakash_t:s0
system_r:crond_t:s0               prakash_r:prakash_t:s0
system_r:xdm_t:s0                 prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0         prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0       prakash_r:prakash_t:s0
system_r:initrc_su_t:s0           prakash_r:prakash_t:s0
prakash_r:prakash_t:s0            prakash_r:prakash_t:s0

5. Create a SELinux user mapping for prakash:

#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash

6. Add new prakash user for user1:

#useradd -Z prakash user1

7. When I try to log in to the system, I get a permission denied message.

gtt login: user1
password: XXXXXX

-bash: /home/user1/.bash_profile: Permission denied

-bash-3.1$id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t

I tried one more user and also got the same problem. I am not sure what mistakes I made. Please help me with what I have to do.

Thanks,
Prakash, k, h.

On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> Which OS and version?
>
> Depending on the policy you might need to relabel the homedir to get the
> labels correct.
>
> restorecon -R -v /home



 
02-27-2009, 06:06 PM
Daniel J Walsh

Fwd: SELinux user login problem

prakash hallalli wrote:
> Hi All,
>
> I am using CentOS-5 x86_64, I have followed what u have sent the
> steps.
> But still i am getting same user login problem. I am not able to
> login
> user properly in system.

Please attach the AVC messages from /var/log/audit/audit.log.
 
02-28-2009, 10:35 AM
prakash hallalli

Fwd: SELinux user login problem

Hi All,

Thanks for replying to me. These are the audit messages I am getting from /var/log/audit/audit.log.

type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc:  denied  { siginh } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc:  denied  { rlimitinh } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc:  denied  { noatsecure } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Thanks,

Prakash

On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> Please attach the AVC messages from /var/log/audit/audit.log.

 
02-28-2009, 12:54 PM
Dominick Grift

Fwd: SELinux user login problem

On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
> Hi All,
>
> Thanks for replay to me. This is am getting audit messages
> form /var/log/audit/audit.log.
>

The issue is that RHEL5 targeted policy is not designed to target user
domains.

The avc denials that you provided do not give me a clue about what is
stopping this from working.

It may well be that the denials responsible are hidden.

You can expose hidden denials using:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

To restore the defaults you would execute:

# semodule -b /usr/share/selinux/targeted/base.pp

After you have exposed the hidden avc denials you may be presented with
more clues in audit.log as to what is stopping functionality.

But again, the big issue here is that RHEL5 targeted policy is not
designed to target users.

This functionality does work in Fedora 9 and up.

hth, Dominick

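An added example, not code from the thread, that does by script what Dominick did by eye: it parses the AVC records Prakash posted, groups denials by source type, target type, class and permission, pulls the contexts pam_selinux chose at login from the USER_ROLE_CHANGE record, and reports whether any denial involves the new user domain. When none does, as here, the blocking denial is probably covered by a dontaudit rule, which is exactly the case for enabling hidden-denial auditing. The sample lines are taken from the thread with whitespace restored; the garbled login context is reconstructed as prakash:prakash_r:prakash_t, which is an assumption.

```python
import re
from collections import Counter

# AVC record: "... avc:  denied  { perm perm } for  key=value key="value" ..."
RE_AVC = re.compile(r'type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
RE_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# pam_selinux records the default and selected context for the login session.
RE_ROLE_CHANGE = re.compile(r'type=USER_ROLE_CHANGE\b.*?default-context=(?P<default>\S+)'
                            r'\s+selected-context=(?P<selected>\S+?):\s')


def context_type(ctx):
    """user:role:type[:range] -> type (the domain or file type)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC line into a dict; return None for any other record type."""
    m = RE_AVC.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in RE_KV.findall(m.group("rest"))}
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(),
            "pid": kv.get("pid"), "comm": kv.get("comm"),
            "scontext": kv.get("scontext"), "tcontext": kv.get("tcontext"),
            "tclass": kv.get("tclass")}


def summarise_denials(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        for perm in avc["perms"]:
            counts[key + (perm,)] += 1
    return counts


def denials_involving(counts, domain):
    """Summary keys whose source or target type is the given domain."""
    return sorted(k for k in counts if domain in k[:2])


def login_contexts(lines):
    """(default, selected) context pairs chosen by pam_selinux at login."""
    pairs = []
    for line in lines:
        m = RE_ROLE_CHANGE.search(line)
        if m:
            pairs.append((m.group("default"), m.group("selected")))
    return pairs


def diagnose(lines, domain):
    """Plain-language verdict on whether the log explains a failure in `domain`."""
    counts = summarise_denials(lines)
    hits = denials_involving(counts, domain)
    if hits:
        return "denials touching %s: %s" % (domain, ", ".join("%s->%s %s:%s" % k for k in hits))
    selected = {s for _, s in login_contexts(lines)}
    return ("no denial involves %s (login selected %s); the blocking denial may be "
            "dontaudit'ed, so enable auditing of hidden denials and retry"
            % (domain, ", ".join(sorted(selected)) or "no context"))


# Sample taken from the thread's audit.log (whitespace restored; the garbled
# user/role/type reconstructed as prakash:prakash_r:prakash_t, an assumption).
SAMPLE_LOG = [
    'type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process',
    'type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 pid=4296 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)',
    "type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty4 res=success)'",
    'type=AVC msg=audit(1235820275.060:263): avc:  denied  { siginh } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1235820275.060:263): avc:  denied  { rlimitinh } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1235820275.060:263): avc:  denied  { noatsecure } for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process',
]

if __name__ == "__main__":
    for key, n in sorted(summarise_denials(SAMPLE_LOG).items()):
        print("%3d  %s -> %s  %s:%s" % ((n,) + key))
    print(diagnose(SAMPLE_LOG, "prakash_t"))
```

Run against a real /var/log/audit/audit.log, pass the file's lines to diagnose() with the domain the .te declares.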
 
03-02-2009, 02:03 PM
Daniel J Walsh

Fwd: SELinux user login problem

Dominick Grift wrote:
> On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
>> Hi All,
>>
>> Thanks for replay to me. This is am getting audit messages
>> form /var/log/audit/audit.log.
>>
>
> The issue is that RHEL5 targeted policy is not designed to target user
> domains.
>
> The avc denials that you provided do not give me a clue about what is
> stopping this from working.
>
> It may well be that the denials responsible are hidden.
>
> You can expose hidden denials using:
>
> # semodule -b /usr/share/selinux/targeted/enableaudit.pp
>
> To restore the defaults you would execute:
>
> # semodule -b /usr/share/selinux/targeted/base.pp
>
> After you have exposed the hidden avc denials you may be presented with
> more clues in audit.log as to what is stopping functionality.
>
> But again, the big issue here is that RHEL5 targeted policy is not
> designed to target users.
>
> This functionality does work in Fedora 9 and up.
>
> hth, Dominick
>
>> On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>
> prakash hallalli wrote:
>> Hi All,
>
>> I am using CentOS-5 x86_64, and I have followed the steps you sent.
>> But I am still getting the same user login problem. I am not able to
>> log the user in to the system properly.
>
>> These are the steps I have followed.
>
>> 1. Create a source policy module:
>
>> #cd /home/prakash
>> #vi prakash.te
>> policy_module(prakash, 0.0.1)
>> role prakash_r;
>> userdom_unpriv_user_template(prakash);
>
>> 2. Build the source policy module:
>
>> #make -f /usr/share/selinux/devel/Makefile
>
>> 3. Install the binary policy module:
>
>> #semodule -i prakash.pp
>
>> 4. Create default contexts for prakash:
>
>> #cd /etc/selinux/targeted/contexts/users
>> #vi prakash
>> system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
>> system_r:remote_login_t:s0 prakash_r:prakash_t:s0
>> system_r:sshd_t:s0 prakash_r:prakash_t:s0
>> system_r:crond_t:s0 prakash_r:prakash_t:s0
>> system_r:xdm_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
>> system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
>
>> 5. Create a SELinux user mapping for prakash:
>
>> #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>
>> 6. Add new prakash user for user1:
>
>> #useradd -Z prakash user1
>
>> 7. When I try to log in to the system, I get a permission denied
>> message.
>
>> gtt login: user1
>> password: XXXXXX
>
>> -bash: /home/user1/.bash_profile: Permission denied
>> -bash-3.1$id
>> uid=524(user1) gid=525(user1) groups=525(user1)
>> context=prakash:prakash_r:prakash_t
>
>> I tried one more user and also got the same problem. I am not sure
>> what mistakes I made; please help me with what I have to do.
>
>> Thanks,
>> Prakash, k, h.
>
>> On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> prakash hallalli wrote:
>>>>> Hi All,
>>>>>
>>>>> I have created the 'myuser' user and created a custom policy module
>>>>> for the user.
>>>>> I have installed the module successfully, but when I log myuser in
>>>>> I get a bash prompt.
>>>>>
>>>>> I have followed the steps below for creating the module.
>>>>>
>>>>> #vi myuser.te
>>>>> policy_module(myuser, 0.0.1)
>>>>> role myuser_r;
>>>>> userdom_unpriv_user_templete(myuser)
>>>>>
>>>>> #make -f /usr/share/selinux/devel/Makefile
>>>>> #sudo semodule -i myuser.pp
>>>>> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>>>>> #useradd -Z myuser1 myuser1
>>>>>
>>>>> I did all the steps; when I try to log in to the system the following
>>>>> error is displayed.
>>>>> gtt login: myuser
>>>>> password: XXXXXX
>>>>>
>>>>> -bash: /home/myuser/.bash_profile: Permission denied
>>>>> -bash-3.1$
>>>>>
>>>>> Please tell me what I have to do.
>>>>>
>>>>> Thanks,
>>>>> Prakash.
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@redhat.com
>>>>>
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Which OS and version?
>
>> Depending on the policy you might need to relabel the homedir to get the
>> labels correct.
>
>> restorecon -R -v /home
>
>
> Please attach the AVC messages from /var/log/audit/audit.log.

Yes, if you want to write targeted user protection in RHEL5 you need to
use the strict or MLS policy, not targeted.
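The thread turns on reading audit.log correctly: Dan asks for the AVC messages, and Dominick points out that the denials quoted (getty_t inheriting into local_login_t) say nothing about the prakash_t domain, so the denial that actually blocks .bash_profile is probably covered by a dontaudit rule and only shows up after loading enableaudit.pp. The script below is an added example, not code from the thread, from Fedora or from the SELinux userspace tools. It parses audit records of the shape quoted above, merges the per-permission AVC lines for one transition into a single row, checks that the USER_ROLE_CHANGE record selected the role and type the admin intended, and lists the denials that touch a given domain. The sample log is a trimmed copy of the records quoted in the thread; the default-context value in it is the re-joined form `prakash:prakash_r:prakash_t:s0` (the archive garbled that field, so treat it as an assumption), and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: audit.log records quoted in the thread, one record per line.
# The default-/selected-context value is re-joined from the garbled quote (assumption).
SAMPLE_AUDIT_LOG = """\
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
"""

# type=X msg=audit(<seconds>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record; AVC records also get perms and their key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"]), "body": m["body"]}
    if rec["type"] == "AVC":
        a = AVC_RE.search(rec["body"])
        if a:
            rec["perms"] = a["perms"].split()
            rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(a["fields"])})
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def split_context(ctx):
    """user:role:type[:range] -> dict; the MLS range may itself contain colons."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else ""}


def summarize_denials(records):
    """Merge AVC records with the same (scontext, tcontext, tclass) into one row,
    so the three one-permission records for getty_t -> local_login_t become a single line."""
    groups = defaultdict(set)
    for r in records:
        if r["type"] == "AVC" and "perms" in r:
            groups[(r.get("scontext"), r.get("tcontext"), r.get("tclass"))].update(r["perms"])
    return [{"scontext": s, "tcontext": t, "tclass": c, "perms": sorted(p)}
            for (s, t, c), p in sorted(groups.items())]


def login_context_check(records, expected_role, expected_type):
    """From the USER_ROLE_CHANGE record, report the default and selected contexts and
    whether the selected one carries the role/type the semanage mapping was meant to give."""
    for r in records:
        if r["type"] != "USER_ROLE_CHANGE":
            continue
        d = re.search(r"default-context=(\S+)", r["body"])
        s = re.search(r"selected-context=(\S+)", r["body"])
        if not (d and s):
            continue
        selected = s.group(1).rstrip(":")
        parts = split_context(selected)
        return {"default": d.group(1), "selected": selected,
                "ok": parts["role"] == expected_role and parts["type"] == expected_type}
    return None


def denials_involving(records, type_name):
    """Denials in which type_name is the source or target type. An empty result for a
    domain that visibly fails (the .bash_profile 'Permission denied') is the cue that a
    dontaudit rule is hiding the real denial, which enableaudit.pp would expose."""
    return [row for row in summarize_denials(records)
            if type_name in (split_context(row["scontext"])["type"],
                             split_context(row["tcontext"])["type"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for row in summarize_denials(recs):
        print(f"{row['scontext']} -> {row['tcontext']} [{row['tclass']}]: {' '.join(row['perms'])}")
    print(login_context_check(recs, "prakash_r", "prakash_t"))
    print("denials involving prakash_t:", denials_involving(recs, "prakash_t"))
```

Run against the real file (`/var/log/audit/audit.log`) the same way, before and after loading enableaudit.pp; the difference between the two `denials_involving` results for the user domain is the set of denials the dontaudit rules were suppressing.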