New user - Not yet

Bob Gustafson bobgus at rcn.com
Tue May 25 02:05:14 UTC 2004


I think I followed your instructions, but got the same result as before.
Maybe you can see where I went wrong.

This is my 'audit tape'

[root at hoho2 init.d]# cd /etc/security/selinux/src/policy
[root at hoho2 policy]# ls -l | grep drw
drwx------  2 root root    4096 May 22 23:49 appconfig
drwx------  4 root root    4096 May 22 23:49 domains
drwxr-xr-x  4 root root    4096 May 22 23:50 file_contexts
drwx------  2 root root    4096 May 22 23:49 flask
drwx------  3 root root    4096 May 22 23:49 macros
drwxr-xr-x  2 root root    4096 May 22 23:49 tmp
drwx------  2 root root    4096 May 22 23:49 types

[root at hoho2 policy]# cd domains/program
[root at hoho2 program]# ls -l
total 1460
...
-rw-------  1 root root   349 May 11 10:03 screensaver.te
-rw-------  1 root root   357 May 11 10:03 screen.te
-rw-------  1 root root  3645 May 11 10:03 sendmail.te
-rw-------  1 root root  2093 May 11 10:03 setfiles.te
-rw-------  1 root root  1630 May 11 10:03 slapd.te
...

Not here - as expected.

[root at hoho2 program]#

[root at hoho2 program]# ls -l unused
total 76
-rw-------  1 root root 13362 May 11 10:03 dpkg.te
-rw-------  1 root root  1621 May 11 10:03 gatekeeper.te
-rw-------  1 root root  7550 May 11 10:03 qmail.te
-rw-------  1 root root  5283 May 11 10:03 seuser.te
-rw-------  1 root root  1825 May 11 10:03 tinydns.te
-rw-------  1 root root  1184 May 11 10:03 uml_net.te
-rw-------  1 root root  2021 May 11 10:03 xprint.te

Step 1 - mv

[root at hoho2 program]# mv unused/seuser.te .
[root at hoho2 program]#

[root at hoho2 program]# ls -l se*
-rw-------  1 root root 3645 May 11 10:03 sendmail.te
-rw-------  1 root root 2093 May 11 10:03 setfiles.te
-rw-------  1 root root 5283 May 11 10:03 seuser.te

Now it is there

[root at hoho2 program]#


[root at hoho2 program]# cd ..
[root at hoho2 domains]# cd ..
[root at hoho2 policy]# cd file_contexts
[root at hoho2 file_contexts]# ls
file_contexts  misc  program  types.fc

[root at hoho2 file_contexts]# cd programs
bash: cd: programs: No such file or directory

[root at hoho2 file_contexts]# cd program
[root at hoho2 program]# pwd
/etc/security/selinux/src/policy/file_contexts/program

[root at hoho2 program]# vim seuser.fc

Step 2 - edit

[root at hoho2 program]# cat seuser.fc
# seuser
/usr/bin/seuser system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t

[root at hoho2 program]# cd /usr/share/setools
[root at hoho2 setools]# ls -l seuser*
-rw-r--r--  1 root root 1808 Apr 19 19:50 seuser.conf
-rw-r--r--  1 root root 8980 Apr 19 19:50 seuser_help.txt
[root at hoho2 setools]#

Step 3 - remake and reload

[root at hoho2 program]# cd /etc/security/selinux/src/policy

[root at hoho2 policy]# make 2>&1 | tee make.out
...
...
 > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
security:  5 users, 7 roles, 1252 types, 1 bools
security:  30 classes, 305363 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 17) to
/etc/security/selinux/policy.17
Building file_contexts ...
install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts


[root at hoho2 policy]# make reload 2>&1 | tee reload.out
/usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
touch tmp/load
[root at hoho2 policy]#

[root at hoho2 setools]# cd /etc/security/selinux
[root at hoho2 selinux]# ls -l
total 29196
-rw-r--r--  1 root root   87206 May 24 20:12 file_contexts
-rw-r--r--  1 root root   88310 May 11 10:03 file_contexts.rpmnew
-rw-r--r--  1 root root 7383775 May 20 21:37 policy.15.rpmsave
-rw-r--r--  1 root root 7385512 May 20 21:37 policy.16.rpmsave
-rw-r--r--  1 root root 7434273 May 24 20:12 policy.17
-rw-r--r--  1 root root 7409751 May 11 10:03 policy.17.rpmnew
drwx------  3 root root    4096 May 11 10:03 src
[root at hoho2 selinux]#

policy.17 seems to have changed as expected

Step 4 - run restorecon

[root at hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser
/sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t

[root at hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf
/sbin/restorecon set context
/usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t
[root at hoho2 policy]#

Step 5 - test

[root at hoho2 policy]# which seuser
/usr/bin/seuser

[root at hoho2 policy]# date
Mon May 24 20:26:29 CDT 2004

[root at hoho2 policy]# seuser show users
Could not open policy.conf file
[root at hoho2 policy]# seuser show
Could not open policy.conf file

Step 6 - extra information ?

[root at hoho2 policy]#
[root at hoho2 policy]# ls -l /usr/bin/seuser
-rwxr-xr-x  1 root root 106960 Apr 19 19:50 /usr/bin/seuser
[root at hoho2 policy]#


On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote:
>> -----Original Message-----
>> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
>> bounces at redhat.com] On Behalf Of Bob Gustafson
>> Sent: Monday, May 24, 2004 2:33 PM
>> To: t.pitt at eris.qinetiq.com; Fedora SELinux support list for users &
>> developers.
>> Subject: Re: New user
>>
>> Some added information
>>
>>   [root at hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
>> -rw-r--r--+ root     root
>>   system_u:object_r:policy_src_t
>> /etc/security/selinux/src/policy/policy.conf
>>
>>   [root at hoho2 user1]# cat /proc/version
>>   Linux version 2.6.6-1.377smp (bhcompile at tweety.build.redhat.com) (gcc
>> version 3.3.3 20040412 (Red Hat
>>   Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
>>
>>   [root at hoho2 user1]# which seuser
>>   /usr/bin/seuser
>>
>>   [root at hoho2 user1]# ls -lZ /usr/bin/seuser -rwxr-xr-x+ root     root
>> system_u:object_r:bin_t
>>   /usr/bin/seuser
>>   [root at hoho2 user1]#
>>
>
>This is part of the problem - seuser runs in its own domain so the binary
>needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
>quite broken on FC2. You can fix it by:
>
>1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
>/etc/security/selinux/src/policy/domains/program/seuser.te.
>
>2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
>changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".
>
>3) remake and reload the policy.
>
>4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf
>
>This should make seuser behave properly. I'm not certain what is going on
>with the outdated fc file - we currently generate that file in our
>distribution of setools, but had accidentally included an outdated
>version with the source. Probably someone just copied that old file
>(understandably). Hopefully we can get some of these fixes pushed out as an
>update - is the appropriate process to enter a bugzilla case with a patch?
>
>Karl
>
>Karl MacMillan
>Tresys Technology
>http://www.tresys.com
>(410)290-1411 ext 134
>
>> ------- previously sent a minute or so ago --
>>
>> You are further along ..
>>
>> I get
>>
>>   [root at hoho2 user1]# date
>>   Mon May 24 13:16:52 CDT 2004
>>   [root at hoho2 user1]# seuser show users
>>   Could not open policy.conf file
>>   [root at hoho2 user1]#
>>
>> I have FC2 installed clean with all updates (incl development) to this
>> moment (except for ppp - which is having a problem independent of
>> selinux).
>>
>> Booting with kernel boot parameter 'selinux=1 enforcing=0' (not enforce=0..)
>> The boot was done just after a run of '/sbin/fixfiles relabel' at init
>> level 1.
>>
>> BobG
>>
>>
>> On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
>> >Hi there,
>> >	I hope you can help. I've just installed 'Fedora Core2', with
>> Selinux
>> >enabled.
>> >Using 'seuser' I created a new 'defined' selinux user, with user_r role
>> >only. I also created the users /home/* directory under the same process.
>> >I'm using the 'gnome' window manager interface.
>> >Now when I try to log on with this new user, I get all sorts of errors to
>> >do with the users environment, eventually allowing me a blank interface,
>> >with 'right-click' functionality only.
>> >Any ideas?
>> >Tony.
>> >
>> >----------------------------------------------------------------------
>> >A D Pitt                            Ph:+44(0)1684 895757
>> >Rm B006 Woodward Building           Fax:+44(0)1684 896660
>> >QinetiQ                             email:t.pitt at eris.qinetiq.com
>> >Malvern Technology Centre,
>> >St Andrews Road
>> >Malvern
>> >Worcs.
>> >WR14 3PS
>> >
>> >URL:http://www.qinetiq.com/home_enterprise_security.html
>> >--
>> >fedora-selinux-list mailing list
>> >fedora-selinux-list at redhat.com
>> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
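To make the labeling logic behind steps 2 and 4 concrete, here is an added example (my own, not code from the thread, from setools, or from the Fedora policy) that models how file_contexts specs are matched: a small parser for the `regex [type] context` line format used in the .fc files above, a last-match-wins lookup (the rule setfiles and matchpathcon apply, simplified here with no stem optimisation and no file-type inference), and an audit that reports which files restorecon would relabel. The sample .fc text and the observed labels are constructed; bin_t on /usr/bin/seuser is what the quoted `ls -lZ` showed, while the usr_t label on seuser.conf is an assumption.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Simplified model of SELinux file_contexts matching (added example, not setools or
# policy code). Each spec is "regex [type] context"; the regex is anchored to the whole
# path and, as in setfiles/matchpathcon, the LAST matching spec wins. That ordering is
# why program/*.fc entries, appended after the generic types.fc rules, override them.


class FcSpec(NamedTuple):
    regex: str             # path regular expression, implicitly anchored
    ftype: Optional[str]   # optional file-type field such as "--" or "-d"; None = any
    context: str           # security context, or "<<none>>" to leave the file alone


def parse_file_contexts(text: str) -> list[FcSpec]:
    """Parse file_contexts / *.fc text into a list of specs in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, context = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        re.compile(regex)  # fail early on a bad regex rather than during matching
        specs.append(FcSpec(regex, ftype, context))
    return specs


def expected_context(path: str, specs: list[FcSpec], ftype: str = "--") -> Optional[str]:
    """Return the context the specs assign to path (last match wins), or None."""
    winner = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if re.fullmatch(spec.regex, path):
            winner = spec
    if winner is None or winner.context == "<<none>>":
        return None
    return winner.context


def find_mislabeled(observed: dict[str, str], specs: list[FcSpec]) -> list[tuple[str, str, str]]:
    """Compare observed contexts (as read from ls -lZ) with what the specs require.

    Returns (path, actual, expected) for every file restorecon would relabel.
    """
    problems = []
    for path, actual in sorted(observed.items()):
        expected = expected_context(path, specs)
        if expected is not None and expected != actual:
            problems.append((path, actual, expected))
    return problems


# Constructed sample inputs mirroring the thread: generic /usr rules, the outdated
# seuser.fc shipped with the source, and the corrected one.
GENERIC_FC = """\
/usr(/.*)?          system_u:object_r:usr_t
/usr/bin(/.*)?      system_u:object_r:bin_t
"""
OUTDATED_SEUSER_FC = """\
# seuser (outdated path from the source tarball)
/usr/bin/seuser                 system_u:object_r:seuser_exec_t
/usr/apol/seuser.conf           system_u:object_r:seuser_conf_t
"""
FIXED_SEUSER_FC = """\
# seuser (path as installed on FC2)
/usr/bin/seuser                 system_u:object_r:seuser_exec_t
/usr/share/setools/seuser.conf  system_u:object_r:seuser_conf_t
"""

# Labels as they stood before restorecon was run (constructed; bin_t is what the quoted
# ls -lZ showed for /usr/bin/seuser, the usr_t value for seuser.conf is assumed).
OBSERVED_BEFORE_FIX = {
    "/usr/bin/seuser": "system_u:object_r:bin_t",
    "/usr/share/setools/seuser.conf": "system_u:object_r:usr_t",
}


def audit(seuser_fc: str) -> list[tuple[str, str, str]]:
    """Audit the observed labels against the generic rules plus one seuser.fc variant."""
    specs = parse_file_contexts(GENERIC_FC + seuser_fc)
    return find_mislabeled(OBSERVED_BEFORE_FIX, specs)


if __name__ == "__main__":
    for name, fc in (("outdated", OUTDATED_SEUSER_FC), ("fixed", FIXED_SEUSER_FC)):
        print(f"== with the {name} seuser.fc ==")
        for path, actual, expected in audit(fc):
            print(f"{path}: {actual} -> {expected}")
```

With the outdated entry, seuser.conf matches only the generic `/usr(/.*)?` rule, so restorecon would leave it as usr_t and never assign seuser_conf_t; the binary is reported either way because the `/usr/bin/seuser` entry comes after the `/usr/bin(/.*)?` rule and wins. With the corrected path both files are reported, which matches the two `set context` lines restorecon printed in step 4.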
