New user

Karl MacMillan kmacmillan at tresys.com
Mon May 24 21:33:24 UTC 2004


> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
> bounces at redhat.com] On Behalf Of Bob Gustafson
> Sent: Monday, May 24, 2004 2:33 PM
> To: t.pitt at eris.qinetiq.com; Fedora SELinux support list for users &
> developers.
> Subject: Re: New user
> 
> Some added information
> 
>   [root at hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
>   -rw-r--r--+ root     root system_u:object_r:policy_src_t /etc/security/selinux/src/policy/policy.conf
> 
>   [root at hoho2 user1]# cat /proc/version
>   Linux version 2.6.6-1.377smp (bhcompile at tweety.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
> 
>   [root at hoho2 user1]# which seuser
>   /usr/bin/seuser
> 
>   [root at hoho2 user1]# ls -lZ /usr/bin/seuser
>   -rwxr-xr-x+ root     root system_u:object_r:bin_t /usr/bin/seuser
>   [root at hoho2 user1]#
> 

This is part of the problem - seuser runs in its own domain so the binary
needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
quite broken on FC2. You can fix it by:

1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
/etc/security/selinux/src/policy/domains/program/seuser.te.

2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".

3) remake and reload the policy.

4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf

This should make seuser behave properly. I'm not certain what is going on
with the outdated fc file - we currently generate that file in our
distribution of setools, but had accidentally included an outdated
version with the source. Probably someone just copied that old file
(understandably). Hopefully we can get some of these fixes pushed out as an
update - is the appropriate process to enter a bugzilla case with a patch?

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> ------- previously sent a minute or so ago --
> 
> You are further along ..
> 
> I get
> 
>   [root at hoho2 user1]# date
>   Mon May 24 13:16:52 CDT 2004
>   [root at hoho2 user1]# seuser show users
>   Could not open policy.conf file
>   [root at hoho2 user1]#
> 
> I have FC2 installed clean with all updates (incl development) to this
> moment (except for ppp - which is having a problem independent of
> selinux).
> 
> Booting with kernel boot parameters 'selinux=1 enforcing=0' (not enforce=0..)
> The boot was done just after a run of '/sbin/fixfiles relabel' at init
> level 1.
> 
> BobG
> 
> 
> On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
> >Hi there,
> >	I hope you can help. I've just installed 'Fedora Core2', with Selinux
> >enabled.
> >Using 'seuser' I created a new 'defined' selinux user, with user_r role
> >only. I also created the user's /home/* directory under the same process.
> >I'm using the 'gnome' window manager interface.
> >Now when I try to log on with this new user, I get all sorts of errors to
> >do with the user's environment, eventually allowing me a blank interface,
> >with 'right-click' functionality only.
> >Any ideas?
> >Tony.
> >
> >----------------------------------------------------------------------
> >A D Pitt                            Ph:+44(0)1684 895757
> >Rm B006 Woodward Building           Fax:+44(0)1684 896660
> >QinetiQ                             email:t.pitt at eris.qinetiq.com
> >Malvern Technology Centre,
> >St Andrews Road
> >Malvern
> >Worcs.
> >WR14 3PS
> >
> >URL:http://www.qinetiq.com/home_enterprise_security.html
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
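
The labeling problem diagnosed in the reply above (the seuser binary shows `bin_t` where `seuser_exec_t` is needed) can be checked mechanically before and after the relabel. This is an added example, not part of the original thread or of setools; the function names `context_type`, `line_context` and `check_label` are hypothetical, and the sample lines are constructed from the listing quoted in the thread.

```shell
#!/bin/sh
# Added example: compare the SELinux type shown by `ls -lZ` with the expected type.

# Print the type field of a context (user:role:type or user:role:type:level).
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Print the security context found in one line of `ls -lZ` output: the first
# whitespace-separated field shaped like user:role:type[:level]. The leading
# letter requirement keeps timestamps such as 13:16:52 from matching.
line_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:.*)?$/) {
                print $i; exit
            }
    }'
}

# check_label EXPECTED_TYPE LS_LINE
# Returns 0 when the type matches, 1 when it differs, 2 when no context is found.
check_label() {
    ctx=$(line_context "$2")
    [ -n "$ctx" ] || { echo "no-context"; return 2; }
    actual=$(context_type "$ctx")
    if [ "$actual" = "$1" ]; then
        echo "ok $actual"
    else
        echo "mislabeled $actual (expected $1)"
        return 1
    fi
}

# Constructed samples: "before" is the listing quoted in the thread joined onto
# one line; "after" is how the same line would read with the expected type.
before='-rwxr-xr-x+ root     root system_u:object_r:bin_t /usr/bin/seuser'
after='-rwxr-xr-x+ root     root system_u:object_r:seuser_exec_t /usr/bin/seuser'

check_label seuser_exec_t "$before" || :
check_label seuser_exec_t "$after" || :
# On a live system: check_label seuser_exec_t "$(ls -lZ /usr/bin/seuser)"
```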