New user - Not yet - OK cool

Bob Gustafson bobgus at rcn.com
Tue May 25 06:05:41 UTC 2004


Richard Hally wrote:
>Bob Gustafson wrote:
>
>> I think I followed your instructions, but got the same result as before.
>> Maybe you can see where I went wrong.
>>
>> This is my 'audit tape'
>>
>> [root at hoho2 init.d]# cd /etc/security/selinux/src/policy
>> [root at hoho2 policy]# ls -l | grep drw
>> drwx------  2 root root    4096 May 22 23:49 appconfig
>> drwx------  4 root root    4096 May 22 23:49 domains
>> drwxr-xr-x  4 root root    4096 May 22 23:50 file_contexts
>> drwx------  2 root root    4096 May 22 23:49 flask
>> drwx------  3 root root    4096 May 22 23:49 macros
>> drwxr-xr-x  2 root root    4096 May 22 23:49 tmp
>> drwx------  2 root root    4096 May 22 23:49 types
>>
>> [root at hoho2 policy]# cd domains/program
>> [root at hoho2 program]# ls -l
>> total 1460
>> ...
>> -rw-------  1 root root   349 May 11 10:03 screensaver.te
>> -rw-------  1 root root   357 May 11 10:03 screen.te
>> -rw-------  1 root root  3645 May 11 10:03 sendmail.te
>> -rw-------  1 root root  2093 May 11 10:03 setfiles.te
>> -rw-------  1 root root  1630 May 11 10:03 slapd.te
>> ...
>>
>> Not here - as expected.
>>
>> [root at hoho2 program]#
>>
>> [root at hoho2 program]# ls -l unused
>> total 76
>> -rw-------  1 root root 13362 May 11 10:03 dpkg.te
>> -rw-------  1 root root  1621 May 11 10:03 gatekeeper.te
>> -rw-------  1 root root  7550 May 11 10:03 qmail.te
>> -rw-------  1 root root  5283 May 11 10:03 seuser.te
>> -rw-------  1 root root  1825 May 11 10:03 tinydns.te
>> -rw-------  1 root root  1184 May 11 10:03 uml_net.te
>> -rw-------  1 root root  2021 May 11 10:03 xprint.te
>>
>> Step 1 - mv
>>
>> [root at hoho2 program]# mv unused/seuser.te .
>> [root at hoho2 program]#
>>
>> [root at hoho2 program]# ls -l se*
>> -rw-------  1 root root 3645 May 11 10:03 sendmail.te
>> -rw-------  1 root root 2093 May 11 10:03 setfiles.te
>> -rw-------  1 root root 5283 May 11 10:03 seuser.te
>>
>> Now it is there
>>
>> [root at hoho2 program]#
>>
>>
>> [root at hoho2 program]# cd ..
>> [root at hoho2 domains]# cd ..
>> [root at hoho2 policy]# cd file_contexts
>> [root at hoho2 file_contexts]# ls
>> file_contexts  misc  program  types.fc
>>
>> [root at hoho2 file_contexts]# cd programs
>> bash: cd: programs: No such file or directory
>>
>> [root at hoho2 file_contexts]# cd program
>> [root at hoho2 program]# pwd
>> /etc/security/selinux/src/policy/file_contexts/program
>>
>> [root at hoho2 program]# vim seuser.fc
>>
>> Step 2 - edit
>>
>> [root at hoho2 program]# cat seuser.fc
>> # seuser
>> /usr/bin/seuser system_u:object_r:seuser_exec_t
>> /usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t
>>
>> [root at hoho2 program]# cd /usr/share/setools
>> [root at hoho2 setools]# ls -l seuser*
>> -rw-r--r--  1 root root 1808 Apr 19 19:50 seuser.conf
>> -rw-r--r--  1 root root 8980 Apr 19 19:50 seuser_help.txt
>> [root at hoho2 setools]#
>>
>> Step 3 - remake and reload
>>
>> [root at hoho2 program]# cd /etc/security/selinux/src/policy
>>
>> [root at hoho2 policy]# make 2>&1 | tee make.out
>> ...
>> ...
>>  > policy.conf.tmp
>> mv policy.conf.tmp policy.conf
>> mkdir -p /etc/security/selinux
>> /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>> security:  5 users, 7 roles, 1252 types, 1 bools
>> security:  30 classes, 305363 rules
>> /usr/bin/checkpolicy:  policy configuration loaded
>> /usr/bin/checkpolicy:  writing binary representation (version 17) to
>> /etc/security/selinux/policy.17
>> Building file_contexts ...
>> install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts
>>
>>
>> [root at hoho2 policy]# make reload 2>&1 | tee reload.out
>> /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
>> touch tmp/load
>> [root at hoho2 policy]#
>>
>> [root at hoho2 setools]# cd /etc/security/selinux
>> [root at hoho2 selinux]# ls -l
>> total 29196
>> -rw-r--r--  1 root root   87206 May 24 20:12 file_contexts
>> -rw-r--r--  1 root root   88310 May 11 10:03 file_contexts.rpmnew
>> -rw-r--r--  1 root root 7383775 May 20 21:37 policy.15.rpmsave
>> -rw-r--r--  1 root root 7385512 May 20 21:37 policy.16.rpmsave
>> -rw-r--r--  1 root root 7434273 May 24 20:12 policy.17
>> -rw-r--r--  1 root root 7409751 May 11 10:03 policy.17.rpmnew
>> drwx------  3 root root    4096 May 11 10:03 src
>> [root at hoho2 selinux]#
>>
>> policy.17 seems to have changed as expected
>>
>> Step 4 - run restorecon
>>
>> [root at hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser
>> /sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t
>>
>> [root at hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf
>> /sbin/restorecon set context /usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t
>> [root at hoho2 policy]#
>>
>> Step 5 - test
>>
>> [root at hoho2 policy]# which seuser
>> /usr/bin/seuser
>>
>> [root at hoho2 policy]# date
>> Mon May 24 20:26:29 CDT 2004
>>
>> [root at hoho2 policy]# seuser show users
>> Could not open policy.conf file
>> [root at hoho2 policy]# seuser show
>> Could not open policy.conf file
>>
>> Step 6 - extra information ?
>>
>> [root at hoho2 policy]#
>> [root at hoho2 policy]# ls -l /usr/bin/seuser
>> -rwxr-xr-x  1 root root 106960 Apr 19 19:50 /usr/bin/seuser
>> [root at hoho2 policy]#
>>
>>
>> On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote:
>>
>>>>-----Original Message-----
>>>>From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Bob Gustafson
>>>>Sent: Monday, May 24, 2004 2:33 PM
>>>>To: t.pitt at eris.qinetiq.com; Fedora SELinux support list for users & developers.
>>>>Subject: Re: New user
>>>>
>>>>Some added information
>>>>
>>>>  [root at hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
>>>>  -rw-r--r--+ root     root     system_u:object_r:policy_src_t   /etc/security/selinux/src/policy/policy.conf
>>>>
>>>>  [root at hoho2 user1]# cat /proc/version
>>>>  Linux version 2.6.6-1.377smp (bhcompile at tweety.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
>>>>
>>>>  [root at hoho2 user1]# which seuser
>>>>  /usr/bin/seuser
>>>>
>>>>  [root at hoho2 user1]# ls -lZ /usr/bin/seuser
>>>>  -rwxr-xr-x+ root     root     system_u:object_r:bin_t          /usr/bin/seuser
>>>>  [root at hoho2 user1]#
>>>>
>>>
>>>This is part of the problem - seuser runs in its own domain so the binary
>>>needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
>>>quite broken on FC2. You can fix it by:
>>>
>>>1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
>>>/etc/security/selinux/src/policy/domains/program/seuser.te.
>>>
>>>2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
>>>changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".
>>>
>>>3) remake and reload the policy.
>>>
>>>4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf
>>>
>>>This should make seuser behave properly. I'm not certain what is going on
>>>with the outdated fc file - we currently generate that file in our
>>>distribution of setools, but an outdated version had accidentally been
>>>included with the source. Probably someone just copied that old file
>>>(understandably). Hopefully we can get some of these fixes pushed out as an
>>>update - is the appropriate process to enter a bugzilla case with a patch?
>>>
>>>Karl
>>>
>>>Karl MacMillan
>>>Tresys Technology
>>>http://www.tresys.com
>>>(410)290-1411 ext 134
>>>
>>>
>>>>------- previously sent a minute or so ago --
>>>>
>>>>You are further along ..
>>>>
>>>>I get
>>>>
>>>>  [root at hoho2 user1]# date
>>>>  Mon May 24 13:16:52 CDT 2004
>>>>  [root at hoho2 user1]# seuser show users
>>>>  Could not open policy.conf file
>>>>  [root at hoho2 user1]#
>>>>
>>>>I have FC2 installed clean with all updates (incl development) to this
>>>>moment (except for ppp - which is having a problem independent of
>>>>selinux).
>>>>
>>>>Booting with kernel boot parameters 'selinux=1 enforcing=0' (not enforce=0..)
>>>>The boot was done just after a run of '/sbin/fixfiles relabel' at init
>>>>level 1.
>>>>
>>>>BobG
>>>>
>>>>
>>>>On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
>>>>
>>>>>Hi there,
>>>>>	I hope you can help. I've just installed 'Fedora Core2', with Selinux
>>>>>enabled.
>>>>>Using 'seuser' I created a new 'defined' selinux user, with user_r role
>>>>>only. I also created the users /home/* directory under the same process.
>>>>>I'm using the 'gnome' window manager interface.
>>>>>Now when I try to log on with this new user, I get all sorts of errors to
>>>>>do with the users environment, eventually allowing me a blank interface,
>>>>>with 'right-click' functionality only.
>>>>>Any ideas?
>>>>>Tony.
>>>>>
>>>>>----------------------------------------------------------------------
>>>>>A D Pitt                            Ph:+44(0)1684 895757
>>>>>Rm B006 Woodward Building           Fax:+44(0)1684 896660
>>>>>QinetiQ                             email:t.pitt at eris.qinetiq.com
>>>>>Malvern Technology Centre,
>>>>>St Andrews Road
>>>>>Malvern
>>>>>Worcs.
>>>>>WR14 3PS
>>>>>
>>>>>URL:http://www.qinetiq.com/home_enterprise_security.html
>>>>>--
>>>>>fedora-selinux-list mailing list
>>>>>fedora-selinux-list at redhat.com
>>>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>>--
>>>>fedora-selinux-list mailing list
>>>>fedora-selinux-list at redhat.com
>>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>I found one more step to be done. You need to edit
>/usr/share/setools/seuser.conf and change the line for policy.conf to
>/etc/security/selinux/src/policy/policy.conf
>
>i.e. adding the /policy/ after src
>HTH
>Richard Hally
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list


OK, cool - that did it. (wasn't this an old bug?)

[root at hoho2 setools]# vim seuser.conf
[root at hoho2 setools]# date
Tue May 25 00:58:56 CDT 2004
[root at hoho2 setools]# seuser show users

system_u: system_r
user_u: user_r sysadm_r system_r
root: staff_r sysadm_r system_r
cyrus: cyrus_r
mailman: mailman_r


[root at hoho2 setools]#
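Karl's steps 2 and 4 (fix the stale path in seuser.fc, then run restorecon) both turn on how file_contexts entries map paths to labels, and Bob's audit tape shows the symptom: /usr/bin/seuser carried the generic bin_t label until restorecon applied seuser_exec_t. The following is an added example, not code from this thread, from setools or from libselinux: a small Python matcher that parses file_contexts lines and reports which files restorecon would relabel, run once against the outdated seuser.fc Karl described and once against the corrected one quoted above. The generic /usr/bin and /usr/share entries, the usr_t label and the observed labels are constructed for the demonstration; the real setfiles ordering rules are not reproduced, so the toy applies last-match-wins to the entries in the order given.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed generic file_contexts entries (illustrative, not the FC2 policy's own).
# Specific entries must follow them, since the matcher below lets the last match win.
GENERIC_FC = """\
# constructed generic entries
/usr/bin(/.*)?                  system_u:object_r:bin_t
/usr/share(/.*)?                system_u:object_r:usr_t
"""

# seuser.fc with the stale /usr/apol path Karl described ...
SEUSER_FC_OUTDATED = """\
# seuser
/usr/bin/seuser                 system_u:object_r:seuser_exec_t
/usr/apol/seuser.conf           system_u:object_r:seuser_conf_t
"""

# ... and as Bob edited it in Step 2.
SEUSER_FC_FIXED = """\
# seuser
/usr/bin/seuser                 system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf  system_u:object_r:seuser_conf_t
"""

Spec = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [-type] context' lines; blank lines and '#' comments are skipped."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            regex, ftype, context = fields
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # setfiles anchors every regex at both ends, so do the same here
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def expected_context(specs: List[Spec], path: str) -> Optional[str]:
    """Label the policy wants for `path`, or None if no entry matches.

    Last matching entry wins. The real build sorts general entries before
    specific ones; the constructed input above is ordered that way by hand.
    """
    wanted = None
    for regex, _ftype, context in specs:
        if regex.match(path):
            wanted = context
    return wanted


def plan_relabel(specs: List[Spec], observed: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {path: (current, wanted)} for every file whose on-disk label
    differs from the policy, i.e. what 'restorecon -v' would print and change."""
    changes: Dict[str, Tuple[str, Optional[str]]] = {}
    for path, current in observed.items():
        wanted = expected_context(specs, path)
        if wanted != current:
            changes[path] = (current, wanted)
    return changes


# Constructed 'ls -Z'-style snapshot of the state Karl diagnosed: the binary and
# its config file still carry the generic labels inherited from their directories.
OBSERVED = {
    "/usr/bin/seuser": "system_u:object_r:bin_t",
    "/usr/share/setools/seuser.conf": "system_u:object_r:usr_t",
    "/usr/bin/ls": "system_u:object_r:bin_t",
}


def demo() -> Tuple[Dict[str, Tuple[str, Optional[str]]], Dict[str, Tuple[str, Optional[str]]]]:
    """Relabel plans with the outdated and with the corrected seuser.fc."""
    outdated = parse_file_contexts(GENERIC_FC + SEUSER_FC_OUTDATED)
    fixed = parse_file_contexts(GENERIC_FC + SEUSER_FC_FIXED)
    return plan_relabel(outdated, OBSERVED), plan_relabel(fixed, OBSERVED)


if __name__ == "__main__":
    for title, plan in zip(("outdated seuser.fc", "corrected seuser.fc"), demo()):
        print(f"{title}: {len(plan)} file(s) to relabel")
        for path, (current, wanted) in sorted(plan.items()):
            print(f"  {path}: {current} -> {wanted}")
```

With the stale path, seuser.conf keeps its generic label and nothing flags the omission, because the outdated entry simply matches no file; only the binary shows up as needing seuser_exec_t. With the corrected entry both files are reported, which is the pair of lines Bob's restorecon run printed in Step 4. Comparing expected against actual labels this way is a more dependable check than reading the .fc file, since a wrong path in it fails silently.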
