04-08-2010, 12:24 AM
KaiGai Kohei

Steps to login with non-traditional selinux roles

I'm trying to set up a certain user to login with non-traditional
selinux roles (such as dbadm_u), but it does not work well.
Am I missing something?


[root@saba ~]# rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch

[root@saba ~]# semanage user -a -R webadm_r webadm_u
[root@saba ~]# semanage user -l

                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles

guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user      s0         s0               user_r
webadm_u        user      s0         s0               webadm_r
xguest_u        user      s0         s0               xguest_r

[root@saba ~]# semanage login -a -s webadm_u ymj
[root@saba ~]# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
ymj             webadm_u        s0

[root@saba ~]# cd /etc/selinux/targeted/contexts/users/
[root@saba users]# cat user_u | sed 's/user_/webadm_/g' > webadm_u
[root@saba users]# cat webadm_u
system_r:local_login_t:s0 webadm_r:webadm_t:s0
system_r:remote_login_t:s0 webadm_r:webadm_t:s0
system_r:sshd_t:s0 webadm_r:webadm_t:s0
system_r:crond_t:s0 webadm_r:webadm_t:s0
system_r:xdm_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_sudo_t:s0 webadm_r:webadm_t:s0
system_r:initrc_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_t:s0 webadm_r:webadm_t:s0

[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:43 2010 from localhost
Connection to localhost closed.

[root@saba users]# setenforce 0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:56 2010 from localhost
[ymj@saba ~]$ id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023


With "semanage -BD", I could find the following avc denial audit logs
during above command execution, but it does not seem to me these
violations prevent ymj's login directly.

type=AVC msg=audit(1270685681.731:24535): avc: denied { rlimitinh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { siginh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { noatsecure } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { rlimitinh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { siginh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { noatsecure } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { siginh } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { noatsecure } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.925:24545): avc: denied { write } for pid=17259 comm="setroubleshootd" name="rpm" dev=sda3 ino=180226 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1270685681.926:24546): avc: denied { write } for pid=17259 comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file

I guess pam_selinux.so kills the connection due to lack of something to be
configured in enforcing mode.

Do you have any suggestion?
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
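Triage of the AVC records in the post above, as an added example that is not part of the original thread. The sample input is the ten audit lines KaiGai posted (the two tcontext fields the forum garbled are written out as system_u:object_r and unconfined_u:object_r). The first function drops records whose only denied permissions are siginh, rlimitinh or noatsecure: those permissions govern what a new domain inherits across exec (signal state, rlimits, AT_SECURE), the reference policy hides them with dontaudit rules, and a denial of them never fails the exec itself, so they only appear because dontaudit was disabled. What is left is what deserves reading. The second function pulls the domain the login shell actually received out of the sshd_t process record for comm="bash"; on this sample it is unconfined_t, not webadm_t, which matches the id -Z output in the post and shows the session never entered the intended domain at all. The `ausearch` invocation in the trailing comment is an assumption about the target host.

```shell
#!/bin/sh
# Added example (not from the thread): triage of AVC records after `semodule -DB`.
# Sample input: the ten AVC lines posted above, copied verbatim except that the
# two tcontext fields mangled by the forum are restored to *_u:object_r.
SAMPLE_AVC='type=AVC msg=audit(1270685681.731:24535): avc: denied { rlimitinh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { siginh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { noatsecure } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { rlimitinh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { siginh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { noatsecure } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { siginh } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { noatsecure } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.925:24545): avc: denied { write } for pid=17259 comm="setroubleshootd" name="rpm" dev=sda3 ino=180226 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1270685681.926:24546): avc: denied { write } for pid=17259 comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file'

# Process permissions that only govern what a new domain inherits across exec
# (signal state, rlimits, AT_SECURE). The reference policy dontaudits them; they
# surface after `semodule -DB` and a denial never makes the exec itself fail.
NOISE_PERMS='siginh rlimitinh noatsecure'

# Print only the AVC records whose permission set contains something other
# than the inheritance noise above.
avc_real_denials() {
    awk -v noise="$NOISE_PERMS" '
        BEGIN { n = split(noise, list, " "); for (i = 1; i <= n; i++) is_noise[list[i]] = 1 }
        /avc: +denied/ {
            if (match($0, /[{][^}]*[}]/) == 0) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between { and }
            np = split(perms, p, " ")
            keep = 0
            for (i = 1; i <= np; i++) if (p[i] != "" && !(p[i] in is_noise)) keep = 1
            if (keep) print
        }'
}

# Domain the login shell actually ended up in: the process record whose source
# is sshd_t and whose comm is the shell names it in its tcontext type field.
session_domain() {
    awk '/scontext=[^ ]*:sshd_t:/ && /tclass=process/ && /comm="bash"/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "tcontext=") == 1) {
                    split(substr($i, 10), ctx, ":")   # user:role:type:range
                    print ctx[3]
                    exit
                }
        }'
}

# Report against the embedded sample. On a live host (assumption: auditd is
# installed) feed `ausearch -m avc -ts recent` into the two functions instead.
printf '%s\n' "$SAMPLE_AVC" | avc_real_denials
echo "login shell domain: $(printf '%s\n' "$SAMPLE_AVC" | session_domain)"
```

On the sample only the two setroubleshootd writes to rpm_var_lib_t survive the filter, and neither involves the ymj session, which is why the AVC log alone could not explain the closed connection; the session_domain line is the clue, since a login that had been mapped to webadm_u would show a tcontext of webadm_t there.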
 
04-08-2010, 07:52 AM
Dominick Grift

Steps to login with non-traditional selinux roles

On Thu, Apr 08, 2010 at 09:24:28AM +0900, KaiGai Kohei wrote:
> I'm trying to set up a certain user to login with non-traditional
> selinux roles (such as dbadm_u), but it does not work well.
> Am I missing something?

Webadm_r is a secondary privileged user domain, not a login user domain.

Thus you can only access it via a login user domain that is allowed to role transition to webadm_r:


semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r webadm_r system_r unconfined_r sysadm_r" -P user staff_u
useradd -Z staff_u joe
echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers
passwd joe

< ..login as joe...>

sudo service httpd restart
sudo -s

There are some fundamental differences between dbadm and webadm.

The dbadm is a login user domain and webadm is not.
staff_r is not allowed to transition to dbadm_r currently.


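The steps in the reply above collected into one script, as an added example that is not Dominick's code or part of the selinux-policy project. It keeps the names from the reply (joe, staff_u, webadm_r/webadm_t) and adds the checks a deployment needs: a preflight that the role exists in the loaded policy, a sudoers drop-in validated with visudo before it is installed instead of an append to /etc/sudoers, and a verification that the role really landed on the SELinux user. It assumes a Fedora/RHEL-style host with policycoreutils (semanage, useradd -Z), setools (seinfo) and a sudo built with SELinux support; the /etc/sudoers.d path and the seinfo invocation are assumptions about that host. The `semanage user -l` excerpt at the bottom is constructed to show what the output should look like after the change.

```shell
#!/bin/sh
# Added example (not from the thread): the reply's steps as a script with checks.
# Assumes policycoreutils (semanage, useradd -Z), setools (seinfo) and a sudo
# built with SELinux support. Names follow the reply above.
set -u

LOGIN_USER=${LOGIN_USER:-joe}
SEUSER=${SEUSER:-staff_u}
TARGET_ROLE=${TARGET_ROLE:-webadm_r}
TARGET_TYPE=${TARGET_TYPE:-webadm_t}
# Full role set for staff_u: its default roles plus the target role.
ROLES="staff_r $TARGET_ROLE system_r unconfined_r sysadm_r"

# sudoers entry letting the login user request the role/type pair explicitly.
sudoers_role_line() {  # user type role
    printf '%s ALL=(ALL) TYPE=%s ROLE=%s ALL\n' "$1" "$2" "$3"
}

# Read `semanage user -l` on stdin; succeed if SEUSER ($1) lists ROLE ($2).
# Columns: seuser prefix level range roles...
seuser_has_role() {
    awk -v u="$1" -v r="$2" '
        $1 == u { for (i = 5; i <= NF; i++) if ($i == r) found = 1 }
        END { exit !found }'
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # Preflight: the role must exist in the loaded policy.
    seinfo -r | grep -qw "$TARGET_ROLE" \
        || { echo "role $TARGET_ROLE not in the loaded policy" >&2; exit 1; }

    semanage user -m -L s0 -r s0-s0:c0.c1023 -R "$ROLES" -P user "$SEUSER"
    id "$LOGIN_USER" >/dev/null 2>&1 || useradd -Z "$SEUSER" "$LOGIN_USER"

    # Drop-in instead of editing /etc/sudoers; validate before installing.
    tmp=$(mktemp)
    sudoers_role_line "$LOGIN_USER" "$TARGET_TYPE" "$TARGET_ROLE" > "$tmp"
    visudo -cf "$tmp" || { rm -f "$tmp"; exit 1; }
    install -m 0440 "$tmp" "/etc/sudoers.d/${LOGIN_USER}-${TARGET_ROLE}"
    rm -f "$tmp"

    # Verify the role really landed on the SELinux user.
    semanage user -l | seuser_has_role "$SEUSER" "$TARGET_ROLE" \
        || { echo "$SEUSER does not carry $TARGET_ROLE" >&2; exit 1; }
    echo "done; set a password with: passwd $LOGIN_USER"
}

# Constructed `semanage user -l` excerpt as it should read after apply.
SAMPLE_SEMANAGE_USER='staff_u   user  s0  s0-s0:c0.c1023  staff_r webadm_r system_r unconfined_r sysadm_r
webadm_u  user  s0  s0              webadm_r'

case "${1:-}" in
    apply) apply ;;
    *) sudoers_role_line "$LOGIN_USER" "$TARGET_TYPE" "$TARGET_ROLE"
       printf '%s\n' "$SAMPLE_SEMANAGE_USER" | seuser_has_role "$SEUSER" "$TARGET_ROLE" \
           && echo "sample: $SEUSER carries $TARGET_ROLE" ;;
esac
```

Run with `apply` as root to make the change; without arguments it only prints the sudoers line and exercises the check against the sample. After joe logs in and runs `sudo -s`, `id -Z` in the resulting shell should show webadm_r:webadm_t in the role and type fields while the SELinux user stays staff_u, which is exactly the split between login domain and secondary privileged domain the reply describes.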
 
04-09-2010, 01:33 AM
KaiGai Kohei

Steps to login with non-traditional selinux roles

(2010/04/08 16:52), Dominick Grift wrote:
> On Thu, Apr 08, 2010 at 09:24:28AM +0900, KaiGai Kohei wrote:
>> I'm trying to set up a certain user to login with non-traditional
>> selinux roles (such as dbadm_u), but it does not work well.
>> Am I missing something?
>
> Webadm_r is a secondary privileged user domain not a login user domain.
>
> Thus you can only access it via a login user domain that is allowed to
> role transition to webadm_r:

Ahh, indeed, webadm uses the userdom_base_user_template() template.

> semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r webadm_r system_r unconfined_r sysadm_r" -P user staff_u
> useradd -Z staff_u joe
> echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers
> passwd joe
>
> < ..login as joe...>
>
> sudo service httpd restart
> sudo -s
>
> There are some fundamental differences between dbadm and webadm.
>
> The dbadm is a login user domain and webadm is not.
> staff_r is not allowed to transition to dbadm_r currently

Hmm. It seems to me I misunderstood the direction of the design for
the *adm roles. I also think the suggested one is better than having
'joe' always perform in the webadm_r role.

So, I'll try to revise the policy of dbadm role.


--
KaiGai Kohei <kaigai@ak.jp.nec.com>