New user - Not yet

Richard Hally rhally at mindspring.com
Tue May 25 03:22:49 UTC 2004


Bob Gustafson wrote:

> I think I followed your instructions, but got the same result as before.
> Maybe you can see where I went wrong.
> 
> This is my 'audit tape'
> 
> [root at hoho2 init.d]# cd /etc/security/selinux/src/policy
> [root at hoho2 policy]# ls -l | grep drw
> drwx------  2 root root    4096 May 22 23:49 appconfig
> drwx------  4 root root    4096 May 22 23:49 domains
> drwxr-xr-x  4 root root    4096 May 22 23:50 file_contexts
> drwx------  2 root root    4096 May 22 23:49 flask
> drwx------  3 root root    4096 May 22 23:49 macros
> drwxr-xr-x  2 root root    4096 May 22 23:49 tmp
> drwx------  2 root root    4096 May 22 23:49 types
> 
> [root at hoho2 policy]# cd domains/program
> [root at hoho2 program]# ls -l
> total 1460
> ...
> -rw-------  1 root root   349 May 11 10:03 screensaver.te
> -rw-------  1 root root   357 May 11 10:03 screen.te
> -rw-------  1 root root  3645 May 11 10:03 sendmail.te
> -rw-------  1 root root  2093 May 11 10:03 setfiles.te
> -rw-------  1 root root  1630 May 11 10:03 slapd.te
> ...
> 
> Not here - as expected.
> 
> [root at hoho2 program]#
> 
> [root at hoho2 program]# ls -l unused
> total 76
> -rw-------  1 root root 13362 May 11 10:03 dpkg.te
> -rw-------  1 root root  1621 May 11 10:03 gatekeeper.te
> -rw-------  1 root root  7550 May 11 10:03 qmail.te
> -rw-------  1 root root  5283 May 11 10:03 seuser.te
> -rw-------  1 root root  1825 May 11 10:03 tinydns.te
> -rw-------  1 root root  1184 May 11 10:03 uml_net.te
> -rw-------  1 root root  2021 May 11 10:03 xprint.te
> 
> Step 1 - mv
> 
> [root at hoho2 program]# mv unused/seuser.te .
> [root at hoho2 program]#
> 
> [root at hoho2 program]# ls -l se*
> -rw-------  1 root root 3645 May 11 10:03 sendmail.te
> -rw-------  1 root root 2093 May 11 10:03 setfiles.te
> -rw-------  1 root root 5283 May 11 10:03 seuser.te
> 
> Now it is there
> 
> [root at hoho2 program]#
> 
> 
> [root at hoho2 program]# cd ..
> [root at hoho2 domains]# cd ..
> [root at hoho2 policy]# cd file_contexts
> [root at hoho2 file_contexts]# ls
> file_contexts  misc  program  types.fc
> 
> [root at hoho2 file_contexts]# cd programs
> bash: cd: programs: No such file or directory
> 
> [root at hoho2 file_contexts]# cd program
> [root at hoho2 program]# pwd
> /etc/security/selinux/src/policy/file_contexts/program
> 
> [root at hoho2 program]# vim seuser.fc
> 
> Step 2 - edit
> 
> [root at hoho2 program]# cat seuser.fc
> # seuser
> /usr/bin/seuser system_u:object_r:seuser_exec_t
> /usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t
> 
> [root at hoho2 program]# cd /usr/share/setools
> [root at hoho2 setools]# ls -l seuser*
> -rw-r--r--  1 root root 1808 Apr 19 19:50 seuser.conf
> -rw-r--r--  1 root root 8980 Apr 19 19:50 seuser_help.txt
> [root at hoho2 setools]#
> 
> Step 3 - remake and reload
> 
> [root at hoho2 program]# cd /etc/security/selinux/src/policy
> 
> [root at hoho2 policy]# make 2>&1 | tee make.out
> ...
> ...
>  > policy.conf.tmp
> mv policy.conf.tmp policy.conf
> mkdir -p /etc/security/selinux
> /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  5 users, 7 roles, 1252 types, 1 bools
> security:  30 classes, 305363 rules
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 17) to
> /etc/security/selinux/policy.17
> Building file_contexts ...
> install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts
> 
> 
> [root at hoho2 policy]# make reload 2>&1 | tee reload.out
> /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
> touch tmp/load
> [root at hoho2 policy]#
> 
> [root at hoho2 setools]# cd /etc/security/selinux
> [root at hoho2 selinux]# ls -l
> total 29196
> -rw-r--r--  1 root root   87206 May 24 20:12 file_contexts
> -rw-r--r--  1 root root   88310 May 11 10:03 file_contexts.rpmnew
> -rw-r--r--  1 root root 7383775 May 20 21:37 policy.15.rpmsave
> -rw-r--r--  1 root root 7385512 May 20 21:37 policy.16.rpmsave
> -rw-r--r--  1 root root 7434273 May 24 20:12 policy.17
> -rw-r--r--  1 root root 7409751 May 11 10:03 policy.17.rpmnew
> drwx------  3 root root    4096 May 11 10:03 src
> [root at hoho2 selinux]#
> 
> policy.17 seems to have changed as expected
> 
> Step 4 - run restorecon
> 
> [root at hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser
> /sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t
> 
> [root at hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf
> /sbin/restorecon set context
> /usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t
> [root at hoho2 policy]#
> 
> Step 5 - test
> 
> [root at hoho2 policy]# which seuser
> /usr/bin/seuser
> 
> [root at hoho2 policy]# date
> Mon May 24 20:26:29 CDT 2004
> 
> [root at hoho2 policy]# seuser show users
> Could not open policy.conf file
> [root at hoho2 policy]# seuser show
> Could not open policy.conf file
> 
> Step 6 - extra information ?
> 
> [root at hoho2 policy]#
> [root at hoho2 policy]# ls -l /usr/bin/seuser
> -rwxr-xr-x  1 root root 106960 Apr 19 19:50 /usr/bin/seuser
> [root at hoho2 policy]#
> 
> 
> On Mon, 24 May 2004 17:33:24 -0400, Karl MacMillan wrote:
> 
>>>-----Original Message-----
>>>From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
>>>bounces at redhat.com] On Behalf Of Bob Gustafson
>>>Sent: Monday, May 24, 2004 2:33 PM
>>>To: t.pitt at eris.qinetiq.com; Fedora SELinux support list for users &
>>>developers.
>>>Subject: Re: New user
>>>
>>>Some added information
>>>
>>>  [root at hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
>>>-rw-r--r--+ root     root
>>>  system_u:object_r:policy_src_t
>>>/etc/security/selinux/src/policy/policy.conf
>>>
>>>  [root at hoho2 user1]# cat /proc/version
>>>  Linux version 2.6.6-1.377smp (bhcompile at tweety.build.redhat.com) (gcc
>>>version 3.3.3 20040412 (Red Hat
>>>  Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
>>>
>>>  [root at hoho2 user1]# which seuser
>>>  /usr/bin/seuser
>>>
>>>  [root at hoho2 user1]# ls -lZ /usr/bin/seuser
>>>-rwxr-xr-x+ root     root
>>>  system_u:object_r:bin_t
>>>  /usr/bin/seuser
>>>  [root at hoho2 user1]#
>>>
>>
>>This is part of the problem - seuser runs in its own domain so the binary
>>needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
>>quite broken on FC2. You can fix it by:
>>
>>1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
>>/etc/security/selinux/src/policy/domains/program/seuser.te.
>>
>>2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
>>changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".
>>
>>3) remake and reload the policy.
>>
>>4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf
>>
>>This should make seuser behave properly. I'm not certain what is going on
>>with the outdated fc file - we currently generate that file in our
>>distribution of setools, but had accidentally included an outdated
>>version with the source. Probably someone just copied that old file
>>(understandably). Hopefully we can get some of these fixes pushed out as an
>>update - is the appropriate process to enter a bugzilla case with a patch?
>>
>>Karl
>>
>>Karl MacMillan
>>Tresys Technology
>>http://www.tresys.com
>>(410)290-1411 ext 134
>>
>>
>>>------- previously sent a minute or so ago --
>>>
>>>You are further along ..
>>>
>>>I get
>>>
>>>  [root at hoho2 user1]# date
>>>  Mon May 24 13:16:52 CDT 2004
>>>  [root at hoho2 user1]# seuser show users
>>>  Could not open policy.conf file
>>>  [root at hoho2 user1]#
>>>
>>>I have FC2 installed clean with all updates (incl development) to this
>>>moment (except for ppp - which is having a problem independent of
>>>selinux).
>>>
>>>Booting with kernel boot parameter 'selinux=1 enforcing=0' (not enforce=0..)
>>>The boot was done just after a run of '/sbin/fixfiles relabel' at init
>>>level 1.
>>>
>>>BobG
>>>
>>>
>>>On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
>>>
>>>>Hi there,
>>>>	I hope you can help. I've just installed 'Fedora Core 2', with Selinux
>>>>enabled.
>>>>Using 'seuser' I created a new 'defined' selinux user, with user_r role
>>>>only. I also created the users /home/* directory under the same process.
>>>>I'm using the 'gnome' window manager interface.
>>>>Now when I try to log on with this new user, I get all sorts of errors to
>>>>do with the users environment, eventually allowing me a blank interface,
>>>>with 'right-click' functionality only.
>>>>Any ideas?
>>>>Tony.
>>>>
>>>>----------------------------------------------------------------------
>>>>A D Pitt                            Ph:+44(0)1684 895757
>>>>Rm B006 Woodward Building           Fax:+44(0)1684 896660
>>>>QinetiQ                             email:t.pitt at eris.qinetiq.com
>>>>Malvern Technology Centre,
>>>>St Andrews Road
>>>>Malvern
>>>>Worcs.
>>>>WR14 3PS
>>>>
>>>>URL:http://www.qinetiq.com/home_enterprise_security.html
>>>>--
>>>>fedora-selinux-list mailing list
>>>>fedora-selinux-list at redhat.com
>>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
I found one more step to be done. You need to edit 
/usr/share/setools/seuser.conf and change the line for policy.conf to
/etc/security/selinux/src/policy/policy.conf

i.e. adding the /policy/ after src
HTH
Richard Hally
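The five-step fix that emerges from this thread (Karl's steps 1 to 4 plus Richard's seuser.conf edit), scripted so it can be re-applied and checked. This is an added example, not code from the thread, from setools or from the Fedora policy package. The default paths are the FC2 locations shown in the audit tape above; the sed patterns, the assumed "policy.conf <path>" line format in seuser.conf, and all function names are this example's own assumptions. The pure file edits are separated from the make/load_policy/restorecon steps, which need the real toolchain and root and only run when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example (not from the list thread): applies the seuser fix discussed
# above to a policy source tree and a setools directory, then lets you read
# back what seuser.conf points at. Assumptions: FC2 default paths; seuser.conf
# has a line mentioning policy.conf whose last field is the path; the old,
# wrong path is /etc/security/selinux/src/policy.conf (missing /policy/).

POLICY_SRC=${POLICY_SRC:-/etc/security/selinux/src/policy}
SETOOLS_DIR=${SETOOLS_DIR:-/usr/share/setools}

# Portable in-place sed: write to a temp file, then replace the original.
edit_in_place() {   # edit_in_place <sed-expr> <file>
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Step 1: move seuser.te from domains/program/unused/ into domains/program/.
enable_seuser_domain() {   # enable_seuser_domain <policy-src>
    if [ -f "$1/domains/program/seuser.te" ]; then
        return 0          # already active, nothing to do
    fi
    if [ ! -f "$1/domains/program/unused/seuser.te" ]; then
        echo "seuser.te not found under $1/domains/program/unused" >&2
        return 1
    fi
    mv "$1/domains/program/unused/seuser.te" "$1/domains/program/seuser.te"
}

# Step 2: point seuser.fc at the real config location. Note the directory is
# file_contexts/program (singular), as Bob's audit tape found.
fix_seuser_fc() {   # fix_seuser_fc <policy-src>
    fc="$1/file_contexts/program/seuser.fc"
    [ -f "$fc" ] || { echo "$fc missing" >&2; return 1; }
    edit_in_place 's#^/usr/apol/seuser\.conf\([[:space:]]\)#/usr/share/setools/seuser.conf\1#' "$fc"
}

# Step 5 (Richard's addition): seuser.conf must name the policy.conf that
# lives under src/policy/, not directly under src/.
fix_seuser_conf() {   # fix_seuser_conf <setools-dir>
    conf="$1/seuser.conf"
    [ -f "$conf" ] || { echo "$conf missing" >&2; return 1; }
    edit_in_place 's#/etc/security/selinux/src/policy\.conf#/etc/security/selinux/src/policy/policy.conf#' "$conf"
}

# Read back the policy.conf path seuser.conf refers to: last field of the
# first line mentioning policy.conf (assumed line format).
seuser_policy_conf_path() {   # seuser_policy_conf_path <seuser.conf>
    grep 'policy\.conf' "$1" | head -n 1 | awk '{ print $NF }'
}

# Steps 3 and 4: rebuild, load, and relabel the two files seuser.fc names.
# Needs the policy toolchain and root, so it is kept apart from the edits.
rebuild_and_relabel() {   # rebuild_and_relabel <policy-src>
    ( cd "$1" && make && make reload ) || return 1
    /sbin/restorecon -v /usr/bin/seuser /usr/share/setools/seuser.conf
}

# The three file edits, in order; each one is safe to run twice.
apply_seuser_fix() {   # apply_seuser_fix <policy-src> <setools-dir>
    enable_seuser_domain "$1" && fix_seuser_fc "$1" && fix_seuser_conf "$2"
}

# Run for real only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
    apply_seuser_fix "$POLICY_SRC" "$SETOOLS_DIR" && rebuild_and_relabel "$POLICY_SRC"
    echo "seuser.conf now points at: $(seuser_policy_conf_path "$SETOOLS_DIR/seuser.conf")"
    seuser show users
fi
```

After --apply, check the labels the same way the thread does (`ls -lZ /usr/bin/seuser` should show seuser_exec_t rather than bin_t) before trusting the `seuser show users` output; if the path printed for seuser.conf does not exist on disk, that is the "Could not open policy.conf file" failure from the thread.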