Fwd: SELinux user login problem

Dominick Grift domg472 at gmail.com
Sat Feb 28 13:54:43 UTC 2009


On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
> Hi All,
>   
> Thanks for replying to me. These are the audit messages I am getting
> from /var/log/audit/audit.log.
> 
> type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh }
> for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure }
> for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59
> success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22
> items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login"
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?,
> addr=?, terminal=tty4 res=success)'
> type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?,
> addr=?, terminal=tty4 res=success)'
> type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old
> auid=4294967295 new auid=527
> type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296
> uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='pam: default-context=prakash:prakash_r:prakash_t:s0
> selected-context=prakash:prakash_r:prakash_t:s0:
> exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
> type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0
> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
> session open acct="user1" : exe="/bin/login" (hostname=?, addr=?,
> terminal=tty4 res=success)'
> type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0
> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
> setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?,
> terminal=tty4 res=success)'
> type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0
> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4
> res=success)'
> type=AVC msg=audit(1235820275.060:263): avc:  denied  { siginh } for
> pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1235820275.060:263): avc:  denied  { rlimitinh }
> for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1235820275.060:263): avc:  denied  { noatsecure }
> for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59
> success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22
> items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login"
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> 
> Thanks,
> 
> Prakash

The issue is that RHEL5 targeted policy is not designed to target user
domains.

The avc denials that you provided do not give me a clue about what is
stopping this from working.

It may well be that the denials responsible are hidden.

You can expose hidden denials using:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

To restore the defaults you would execute:

# semodule -b /usr/share/selinux/targeted/base.pp

After you have exposed the hidden avc denials you may be presented with
more clues in audit.log as to what is stopping functionality.

But again, the big issue here is that RHEL5 targeted policy is not
designed to target users.

This functionality does work in Fedora 9 and up.

hth, Dominick

> On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
>         
>         
>         prakash hallalli wrote:
>         > Hi All,
>         >
>         >         I am using CentOS-5 x86_64, I have followed the steps
>         > you have sent. But still I am getting the same user login problem.
>         > I am not able to login the user properly in the system.
>         >
>         >       These are the steps I have followed.
>         >
>         >      1. Create a source policy module:-
>         >
>         >       #cd /home/prakash
>         >       #vi prakash.te
>         >         policy_module(prakash, 0.0.1)
>         >         role prakash_r;
>         >         userdom_unpriv_user_template(prakash);
>         >
>         >        2. Build the source policy module:
>         >
>         >         #make -f /usr/share/selinux/devel/Makefile
>         >
>         >        3. Install the binary policy module:
>         >
>         >        #semodule -i prakash.pp
>         >
>         >      4. Create default contexts for prakash:
>         >
>         >        #cd /etc/selinux/targeted/contexts/users
>         >        #vi prakash
>         >         system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
>         >         system_r:remote_login_t:s0 prakash_r:prakash_t:s0
>         >         system_r:sshd_t:s0 prakash_r:prakash_t:s0
>         >         system_r:crond_t:s0 prakash_r:prakash_t:s0
>         >         system_r:xdm_t:s0 prakash_r:prakash_t:s0
>         >         prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
>         >         prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
>         >         system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
>         >         prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
>         >
>         > 5. Create a SELinux user mapping for prakash:
>         >
>         >      #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>         >
>         > 6. Add new prakash user for user1:
>         >
>         >      #useradd -Z prakash user1
>         >
>         > 7. When I try to login to the system, I get a permission denied
>         > message.
>         >
>         > gtt login: user1
>         > password: XXXXXX
>         >
>         >  -bash:  /home/user1/.bash_profile: Permission denied
>         > -bash-3.1$id
>         > uid=524(user1) gid=525(user1) groups=525(user1)
>         > context=prakash:prakash_r:prakash_t
>         >
>         >   I tried with one more user and also got the same problem.
>         > I am not sure what mistakes I made, please help me with what I have to do.
>         >
>         > Thanks,
>         > Prakash, k, h.
>         >
>         > On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>         >
>         
>         
>         > prakash hallalli wrote:
>         >>>> Hi All,
>         >>>>
>         >>>>        I have created the 'myuser' user and created a custom
>         >>>> policy module for the user.
>         >>>>        I have installed the module successfully, but when I log
>         >>>> myuser in I get a bash prompt.
>         >>>>
>         >>>>        I have followed the steps below for creating the module.
>         >>>>
>         >>>>    #vi myuser.te
>         >>>>                          policy_module(myuser, 0.0.1)
>         >>>>                          role myuser_r;
>         >>>>
>          userdom_unpriv_user_templete(myuser)
>         >>>>
>         >>>> #make -f /usr/share/selinux/devel/Makefile
>         >>>> #sudo semodule -i myuser.pp
>         >>>> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>         >>>> #useradd -Z myuser1 myuser1
>         >>>>
>         >>>> I did all the steps; when I try to login to the system the
>         >>>> following error is displayed.
>         >>>> gtt login: myuser
>         >>>> password: XXXXXX
>         >>>>
>         >>>> -bash:  /home/myuser/.bash_profile: Permission denied
>         >>>> -bash-3.1$
>         >>>>
>         >>>> Please tell me what I have to do.
>         >>>>
>         >>>> Thanks,
>         >>>> Prakash.
>         >>>>
>         >>>>
>         >>>>
>         >>>>
>         ------------------------------------------------------------------------
>         >>>>
>         >>>> --
>         >>>> fedora-selinux-list mailing list
>         >>>> fedora-selinux-list at redhat.com
>         >>>>
>         https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>         > Which OS and version?
>         >
>         > Depending on the policy you might need to relabel the homedir to
>         > get the labels correct.
>         >
>         > restorecon -R -v /home
>         >
>         >>
>         
>         >
>         
>         
>         Please attach the AVC messages from /var/log/audit/audit.log.
> 
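As an added example (not code from the thread or any of its authors), a small Python parser for the kind of AVC records Prakash posted: it groups the denied permissions by source type, target type and object class, which is the first pass a defender makes before deciding, as Dominick does above, whether the visible denials explain the failure or whether dontaudited denials still have to be exposed. The sample log is constructed from the records in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the AVC records posted in the thread, with one
# SYSCALL record included to show that non-AVC audit types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 pid=4296 comm="login" exe="/bin/login"
type=AVC msg=audit(1235820275.060:263): avc:  denied  { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
"""

# Shape of an AVC record: timestamp:serial, decision, { permissions }, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)


def context_type(ctx):
    """Type component of an SELinux context user:role:type[:range]; ValueError if malformed."""
    _user, _role, type_name = ctx.split(":")[:3]
    return type_name


def parse_avc(line):
    """Parse one audit.log line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    # Denials covered by dontaudit rules never reach audit.log; a summary that does
    # not explain the failure is the case where enableaudit.pp is needed to see them.
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}
```

On the thread's records the summary collapses to a single getty_t -> local_login_t process entry with noatsecure, rlimitinh and siginh, which is why it cannot point at whatever blocks reading .bash_profile.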



