Fwd: SELinux user login problem

Daniel J Walsh dwalsh at redhat.com
Mon Mar 2 15:03:33 UTC 2009



Dominick Grift wrote:
> On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
>> Hi All,
>>   
>> Thanks for replying to me. These are the audit messages I am getting
>> from /var/log/audit/audit.log.
>>
>> type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh }
>> for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure }
>> for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59
>> success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22
>> items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login"
>> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>> type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0
>> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?,
>> addr=?, terminal=tty4 res=success)'
>> type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0
>> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?,
>> addr=?, terminal=tty4 res=success)'
>> type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old
>> auid=4294967295 new auid=527
>> type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296
>> uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='pam: default-context=prakash:prakash_r:prakash_t:s0
>> selected-context=prakash:prakash_r:prakash_t:s0:
>> exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
>> session open acct="user1" : exe="/bin/login" (hostname=?, addr=?,
>> terminal=tty4 res=success)'
>> type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
>> setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?,
>> terminal=tty4 res=success)'
>> type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4
>> res=success)'
>> type=AVC msg=audit(1235820275.060:263): avc:  denied  { siginh } for
>> pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc:  denied  { rlimitinh }
>> for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc:  denied  { noatsecure }
>> for  pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59
>> success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22
>> items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login"
>> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>>
>> Thanks,
>>
>> Prakash
> 
> The issue is that RHEL5 targeted policy is not designed to target user
> domains.
> 
> The avc denials that you provided do not give me a clue about what is
> stopping this from working.
> 
> It may well be that the denials responsible are hidden.
> 
> You can expose hidden denials using :
> 
> # semodule -b /usr/share/selinux/targeted/enableaudit.pp
> 
> To restore the defaults you would execute:
> 
> # semodule -b /usr/share/selinux/targeted/base.pp
> 
> After you have exposed the hidden avc denials you may be presented with
> more clues in audit.log as to what is stopping functionality.
> 
> But again, the big issue here is that RHEL5 targeted policy is not
> designed to target users.
> 
> This functionality does work in Fedora 9 and up.
> 
> hth, Dominick
> 
>> On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
> prakash hallalli wrote:
>> Hi All,
>
>>         I am using CentOS-5 x86_64. I have followed the steps you have sent.
>>         But still I am getting the same user login problem. I am not able to
>>         login the user properly in the system.
>
>>       These are the steps I have followed.
>
>>      1. Create a source policy module:-
>
>>       #cd /home/prakash
>>       #vi prakash.te
>>         policy_module(prakash, 0.0.1)
>>         role prakash_r;
>>         userdom_unpriv_user_template(prakash);
>
>>        2. Build the source policy module:
>
>>         #make -f /usr/share/selinux/devel/Makefile
>
>>        3. Install the binary policy module:
>
>>        #semodule -i prakash.pp
>
>>      4. Create default contexts for prakash:
>
>>        #cd /etc/selinux/targeted/contexts/users
>>        #vi prakash
>>         system_r:system_local_login_t:s0  prakash_r:prakash_t:s0
>>         system_r:remote_login_t:s0        prakash_r:prakash_t:s0
>>         system_r:sshd_t:s0                prakash_r:prakash_t:s0
>>         system_r:crond_t:s0               prakash_r:prakash_t:s0
>>         system_r:xdm_t:s0                 prakash_r:prakash_t:s0
>>         prakash_r:prakash_su_t:s0         prakash_r:prakash_t:s0
>>         prakash_r:prakash_sudo_t:s0       prakash_r:prakash_t:s0
>>         system_r:initrc_su_t:s0           prakash_r:prakash_t:s0
>>         prakash_r:prakash_t:s0            prakash_r:prakash_t:s0
>
>> 5. Create a SELinux user mapping for prakash:
>
>>      #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>
>> 6. Add new prakash user for user1:
>
>>      #useradd -Z prakash user1
>
>> 7. When I try to login to the system, I get a permission denied message.
>
>> gtt login: user1
>> password: XXXXXX
>
>>  -bash:  /home/user1/.bash_profile: Permission denied
>> -bash-3.1$id
>> uid=524(user1) gid=525(user1) groups=525(user1)
>> context=prakash:prakash_r:prakash_t
>
>>   I tried one more user and also got the same problem. I am not sure
>> what mistakes I made. Please help me with what I have to do.
>
>> Thanks,
>> Prakash, k, h.
> 
>> On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> prakash hallalli wrote:
>>>>> Hi All,
>>>>>
>>>>>        I have created a 'myuser' user and created a custom module policy
>>>>> for the user.
>>>>>        I have installed the module successfully, but when I log myuser in
>>>>>        I will get a bash prompt.
>>>>>
>>>>>        I have followed the below steps for creating the module.
>>>>>
>>>>>    #vi myuser.te
>>>>>                          policy_module(myuser, 0.0.1)
>>>>>                          role myuser_r;
>>>>>                          userdom_unpriv_user_templete(myuser)
>>>>>
>>>>> #make -f /usr/share/selinux/devel/Makefile
>>>>> #sudo semodule -i myuser.pp
>>>>> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>>>>> #useradd -Z myuser1 myuser1
>>>>>
>>>>> I did all the steps; when I try to log in to the system the following
>>>>> error will display.
>>>>> gtt login: myuser
>>>>> password: XXXXXX
>>>>>
>>>>> -bash:  /home/myuser/.bash_profile: Permission denied
>>>>> -bash-3.1$
>>>>>
>>>>> Please tell me what I should have to do.
>>>>>
>>>>> Thanks,
>>>>> Prakash.
>>>>>
> ------------------------------------------------------------------------
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>>
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Which OS and version?
>
>> Depending on the policy you might need to relabel the homedir to get the
>> labels correct.
>
>> restorecon -R -v /home
> 
> Please attach the AVC messages from /var/log/audit/audit.log.

Yes, if you want to write targeted user protection in RHEL5 you need to
use the strict or MLS policy, not targeted.
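Dominick's point above is that the posted AVC records do not explain the failure and the relevant denial may stay hidden by dontaudit rules until enableaudit.pp is loaded. The script below is an added example, not code from this thread or from any SELinux tool: it summarises audit.log AVC denials by source type, target type and object class, and reports which denial classes appear only in a capture taken after enableaudit.pp was loaded. The two AVC records in BEFORE_LOG are the thread's own; the extra line in AFTER_LOG is a constructed sample with a made-up target type.

```python
import re
from collections import defaultdict

# The two getty_t -> local_login_t AVC records posted in the thread, plus the SYSCALL line.
BEFORE_LOG = """\
type=AVC msg=audit(1235820249.704:255): avc:  denied  { rlimitinh } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc:  denied  { noatsecure } for  pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 comm="login" exe="/bin/login"
"""
# Constructed "after enableaudit.pp" capture: the same records plus one made-up
# denial (example_file_t is not a real type) standing in for a previously hidden one.
AFTER_LOG = BEFORE_LOG + """\
type=AVC msg=audit(1235820300.100:270): avc:  denied  { read } for  pid=4300 comm="bash" scontext=prakash:prakash_r:prakash_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue                      # skip SYSCALL, USER_* and other record types
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue                      # only denials matter for this summary
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        key = (ctx_type(fields["scontext"]), ctx_type(fields["tcontext"]), fields["tclass"])
        groups[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in groups.items()}


def new_denials(before, after):
    """Denial classes present in the 'after' capture that the 'before' capture lacked."""
    before_s, after_s = summarize(before), summarize(after)
    return {k: v for k, v in after_s.items() if k not in before_s}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(BEFORE_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("newly exposed:", new_denials(BEFORE_LOG, AFTER_LOG))
```

Run it once on audit.log before and once after loading enableaudit.pp; the classes reported by new_denials are the ones worth reading first.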