Policy for authenticating domain users
I'm working on a set of patches to integrate Likewise Open (Active Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.

I am having trouble defining how a user's home directory should be handled.

We don't place users directly in /home as the domain user account name may conflict with an existing account. Instead, we use /home/%D/%U where %D is the domain and %U is the user account. (We may have users with the same account name in different domains.)

I want to make sure that if users are joined while SELinux is not enabled, and then SELinux is re-enabled, the files get the proper contexts.

Suggestions?

-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Policy for authenticating domain users
On 02/15/2010 07:27 PM, Scott Salley wrote:
> I'm working on a set of patches to integrate Likewise Open (Active
> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>
> I am having trouble defining how a user's home directory should be
> handled.
>
> We don't place users directly in /home as the domain user account name
> may conflict with an existing account. Instead, we use /home/%D/%U
> where %D is the domain and %U is the user account. (We may have users
> with the same account name in different domains.)
>
> I want to make sure that if users are joined while SELinux is not
> enabled, and then SELinux is re-enabled, the files get the proper
> contexts.
>
> Suggestions?

I think that is problematic because of this file context specification in /etc/selinux/targeted/contexts/files/file_contexts.homedirs:

/home/[^/]*/.+ guest_u:object_r:user_home_t:s0

That basically says label everything below /home/*/ with type user_home_t, I believe.

/home/[^/]* -d guest_u:object_r:user_home_dir_t:s0

This says label all directories below /home type user_home_dir_t, I believe.

You want /home/domain and /home/domain/* user_home_dir_t, I believe. I think that would conflict with the current specification: i.e. should it label /home/*/* user_home_t or user_home_dir_t?

If and when that IMO fundamental issue is resolved, it is just a matter of cloning the entries from /etc/selinux/targeted/contexts/files/file_contexts.homedirs, I believe.

I will be interested what others' opinion is on this matter as I might be wrong.

Policy for authenticating domain users
On 02/15/2010 01:27 PM, Scott Salley wrote:
> I'm working on a set of patches to integrate Likewise Open (Active
> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>
> I am having trouble defining how a user's home directory should be
> handled.
>
> We don't place users directly in /home as the domain user account name
> may conflict with an existing account. Instead, we use /home/%D/%U
> where %D is the domain and %U is the user account. (We may have users
> with the same account name in different domains.)
>
> I want to make sure that if users are joined while SELinux is not
> enabled, and then SELinux is re-enabled, the files get the proper
> contexts.
>
> Suggestions?

Do you know the name of all domains?

In Fedora 12

for d in $DOMAINS; do
    semanage fcontext -a -e /home /home/$d
done

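The loop above assumes a known list of domains. Because the domain names come from the directory and end up both as filesystem paths and as entries in the fcontext database, it is worth validating them before they reach semanage. The following is an added example, not code from this thread or from Likewise Open: a pair of POSIX shell functions (the names valid_domain and homedir_equiv_cmds are hypothetical) that emit the equivalence rule from the post plus the restorecon needed to fix labels on anything created under /home/<domain> while SELinux was disabled. It only prints commands; pipe the output to sh as root on the SELinux host to apply them.

```shell
#!/bin/sh
# Added example, not from the thread or from Likewise Open.
# Prints the semanage equivalence rule suggested above for each AD domain,
# followed by the restorecon that relabels anything created under
# /home/<domain> while SELinux was disabled.

# Accept only plain DNS/NetBIOS-style labels: not empty, not '.' or '..',
# no '/', nothing outside [A-Za-z0-9._-]. Domain names come from the
# directory, so they are checked before they become paths or fcontext entries.
valid_domain() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# homedir_equiv_cmds DOMAIN... : print one semanage and one restorecon
# command per valid domain; invalid names are reported on stderr and skipped.
homedir_equiv_cmds() {
    for d in "$@"; do
        if ! valid_domain "$d"; then
            printf 'skipping invalid domain name: %s\n' "$d" >&2
            continue
        fi
        # With the equivalence, /home/<domain> is labelled like /home
        # (home_root_t) and /home/<domain>/<user> like /home/<user>
        # (user_home_dir_t), so the per-user homedir rules keep working.
        printf 'semanage fcontext -a -e /home /home/%s\n' "$d"
        printf 'restorecon -R -v /home/%s\n' "$d"
    done
}

# Usage (as root, on the SELinux host):  homedir_equiv_cmds CORPQA EXAMPLE | sh
```

The restorecon step is what answers the "joined while SELinux was disabled" concern: adding the equivalence only changes what future lookups return, it does not touch labels already on disk.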
Policy for authenticating domain users
> On 02/15/2010 01:27 PM, Scott Salley wrote:
>> I'm working on a set of patches to integrate Likewise Open (Active
>> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>>
>> I am having trouble defining how a user's home directory should be
>> handled.
>>
>> We don't place users directly in /home as the domain user account name
>> may conflict with an existing account. Instead, we use /home/%D/%U
>> where %D is the domain and %U is the user account. (We may have users
>> with the same account name in different domains.)
>>
>> I want to make sure that if users are joined while SELinux is not
>> enabled, and then SELinux is re-enabled, the files get the proper
>> contexts.
> Do you know the name of all domains?
>
> In Fedora 12
>
> for d in $DOMAINS; do
>     semanage fcontext -a -e /home /home/$d
> done

I don't know the names of all the domains ahead of time, but I can call semanage with those arguments as we set up a user's environment. I already tried running semanage twice with the same arguments for adding the equivalence and it correctly errors out.

I've now run into this message:

type=AVC msg=audit(1266523695.550:22225): avc: denied { relabelto } for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 scontext=unconfined_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188 success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21 items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd" exe="/usr/sbin/lsassd" subj=unconfined_u:system_r:lsassd_t:s0 key=(null)

which does not go away with the addition of this rule:

allow lsassd_t home_root_t:dir relabelto;

Is there something special for 'relabelto' or 'home_root_t' that I'm not aware of? (I'm trying to create /home/DOMAIN and apply the appropriate label on /home/DOMAIN via matchpathcon/setfilecon.)

Policy for authenticating domain users
On 02/18/2010 04:43 PM, Scott Salley wrote:
> for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681
> scontext=unconfined_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188
> success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21
> items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd"
> exe="/usr/sbin/lsassd" subj=unconfined_u:system_r:lsassd_t:s0 key=(null)

Run the avc through audit2why

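The advice to use audit2why rather than audit2allow matters here because audit2allow only derives the allow rule from the record, while audit2why also reports when the denial comes from a policy constraint that no allow rule can satisfy. In the reference policy, create/relabelto/relabelfrom on file-class objects are constrained on the SELinux user of subject and object (they must match unless the subject type carries the can_change_object_identity attribute); in the record above the subject is unconfined_u and the object system_u. The following added example, not code from the thread or from the audit tools, pulls the relevant fields out of an AVC record in POSIX shell, prints the allow rule audit2allow would derive, and flags the user mismatch as a reason to run audit2why. The function names (avc_field, avc_perms, ctx_part, avc_to_allow, avc_user_mismatch) are hypothetical; the sample input is the denial quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from the SELinux audit tools.
# Extracts scontext/tcontext/tclass and the denied permissions from one
# AVC record, prints the corresponding allow rule, and reports when the
# subject and object SELinux users differ (a hint that a constraint, not a
# missing rule, is what audit2why will point at).

# avc_field NAME : print the value of NAME= from the record on stdin
avc_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_perms : print the permissions inside "denied { ... }", trailing space trimmed
avc_perms() {
    sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_part CONTEXT N : Nth colon-separated element (1=user 2=role 3=type)
ctx_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# avc_to_allow : read one AVC record on stdin, print the allow rule
avc_to_allow() {
    rec=$(cat)
    s=$(printf '%s\n' "$rec" | avc_field scontext)
    t=$(printf '%s\n' "$rec" | avc_field tcontext)
    c=$(printf '%s\n' "$rec" | avc_field tclass)
    p=$(printf '%s\n' "$rec" | avc_perms)
    # several permissions must be written as a braced set
    case "$p" in *" "*) p="{ $p }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$(ctx_part "$s" 3)" "$(ctx_part "$t" 3)" "$c" "$p"
}

# avc_user_mismatch : succeed (exit 0) when subject and object SELinux users differ
avc_user_mismatch() {
    rec=$(cat)
    su=$(ctx_part "$(printf '%s\n' "$rec" | avc_field scontext)" 1)
    tu=$(ctx_part "$(printf '%s\n' "$rec" | avc_field tcontext)" 1)
    [ "$su" != "$tu" ]
}

# Sample input: the AVC record quoted in the thread.
SAMPLE='type=AVC msg=audit(1266523695.550:22225): avc: denied { relabelto } for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 scontext=unconfined_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

printf '%s\n' "$SAMPLE" | avc_to_allow
if printf '%s\n' "$SAMPLE" | avc_user_mismatch; then
    echo "subject/object SELinux users differ: an allow rule alone may not clear this, run audit2why"
fi
```

On the sample this prints `allow lsassd_t home_root_t:dir relabelto;` (the rule already tried in the thread) followed by the mismatch warning, which is the situation the thread ends in.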