Fwd: SELinux user login problem
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 2 15:03:33 UTC 2009
Dominick Grift wrote:
> On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
>> Hi All,
>>
>> Thanks for replying to me. These are the audit messages I am getting
>> from /var/log/audit/audit.log.
>>
>> type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh }
>> for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure }
>> for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59
>> success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22
>> items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login"
>> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>> type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0
>> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?,
>> addr=?, terminal=tty4 res=success)'
>> type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0
>> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?,
>> addr=?, terminal=tty4 res=success)'
>> type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old
>> auid=4294967295 new auid=527
>> type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296
>> uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='pam: default-context=prakash:prakash_r:prakash_t:s0
>> selected-context=prakash:prakash_r:prakash_t:s0:
>> exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
>> session open acct="user1" : exe="/bin/login" (hostname=?, addr=?,
>> terminal=tty4 res=success)'
>> type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM:
>> setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?,
>> terminal=tty4 res=success)'
>> type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0
>> auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4
>> res=success)'
>> type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for
>> pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh }
>> for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure }
>> for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0
>> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59
>> success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22
>> items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login"
>> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>>
>> Thanks,
>>
>> Prakash
>
> The issue is that RHEL5 targeted policy is not designed to target user
> domains.
>
> The avc denials that you provided do not give me a clue about what is
> stopping this from working.
>
> It may well be that the denials responsible are hidden.
>
> You can expose hidden denials using:
>
> # semodule -b /usr/share/selinux/targeted/enableaudit.pp
>
> To restore the defaults you would execute:
>
> # semodule -b /usr/share/selinux/targeted/base.pp
>
> After you have exposed the hidden avc denials you may be presented with
> more clues in audit.log as to what is stopping functionality.
>
> But again, the big issue here is that RHEL5 targeted policy is not
> designed to target users.
>
> This functionality does work in Fedora 9 and up.
>
> hth, Dominick
>
>> On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh <dwalsh at redhat.com>
>> wrote:
>>
>> prakash hallalli wrote:
>> Hi All,
>>
>> I am using CentOS-5 x86_64. I have followed the steps you sent,
>> but I am still getting the same user login problem. I am not able to
>> log the user in properly.
>>
>> These are the steps I have followed.
>>
>> 1. Create a source policy module:
>>
>> #cd /home/prakash
>> #vi prakash.te
>> policy_module(prakash, 0.0.1)
>> role prakash_r;
>> userdom_unpriv_user_template(prakash);
>>
>> 2. Build the source policy module:
>>
>> #make -f /usr/share/selinux/devel/Makefile
>>
>> 3. Install the binary policy module:
>>
>> #semodule -i prakash.pp
>>
>> 4. Create default contexts for prakash:
>>
>> #cd /etc/selinux/targeted/contexts/users
>> #vi prakash
>> system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
>> system_r:remote_login_t:s0 prakash_r:prakash_t:s0
>> system_r:sshd_t:s0 prakash_r:prakash_t:s0
>> system_r:crond_t:s0 prakash_r:prakash_t:s0
>> system_r:xdm_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
>> system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
>>
>> 5. Create a SELinux user mapping for prakash:
>>
>> #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>>
>> 6. Add new prakash user for user1:
>>
>> #useradd -Z prakash user1
>>
>> 7. When I try to log in to the system, I get a permission denied
>> message.
>>
>> gtt login: user1
>> password: XXXXXX
>>
>> -bash: /home/user1/.bash_profile: Permission denied
>> -bash-3.1$id
>> uid=524(user1) gid=525(user1) groups=525(user1)
>> context=prakash:prakash_r:prakash_t
>>
>> I tried one more user and also got the same problem. I am not sure
>> what mistakes I made; please help me with what I have to do.
>>
>> Thanks,
>> Prakash, k, h.
>
>> On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> prakash hallalli wrote:
>>>>> Hi All,
>>>>>
>>>>> I have created a 'myuser' user and created a custom module policy
>>>>> for the user.
>>>>> I have installed the module successfully, but when I log myuser in
>>>>> I get the bash prompt.
>>>>>
>>>>> I have followed the steps below for creating the module.
>>>>>
>>>>> #vi myuser.te
>>>>> policy_module(myuser, 0.0.1)
>>>>> role myuser_r;
>>>>> userdom_unpriv_user_template(myuser)
>>>>>
>>>>> #make -f /usr/share/selinux/devel/Makefile
>>>>> #sudo semodule -i myuser.pp
>>>>> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>>>>> #useradd -Z myuser1 myuser1
>>>>>
>>>>> I did all the steps; when I try to log in to the system the following
>>>>> error is displayed.
>>>>> gtt login: myuser
>>>>> password: XXXXXX
>>>>>
>>>>> -bash: /home/myuser/.bash_profile: Permission denied
>>>>> -bash-3.1$
>>>>>
>>>>> Please tell me what I have to do.
>>>>>
>>>>> Thanks,
>>>>> Prakash.
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Which OS and version?
>>
>> Depending on the policy you might need to relabel the homedir to get the
>> labels correct.
>>
>> restorecon -R -v /home
>
>
>
> Please attach the AVC messages from /var/log/audit/audit.log.
Yes, if you want to write targeted user protection in RHEL5 you need to
use the strict or MLS policy, not targeted.
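As an added example (not part of this thread and not code from any of the participants), here is a small Python triage script for the kind of audit.log output quoted above. It parses `type=AVC` records, groups the denied permissions by (scontext, tcontext, tclass), and separates the three process permissions that the reference policy's domain-transition pattern normally silences with dontaudit (rlimitinh, noatsecure, siginh) from anything that actually needs investigating. That is the sorting step Dominick's enableaudit.pp suggestion leads to: once dontaudit rules are exposed, the log fills with transition noise and the real blocker has to be picked out. `SAMPLE_AUDIT_LOG` is constructed from the records in the thread, unwrapped to one line each; `SAMPLE_REAL_DENIAL` is a constructed, hypothetical record that does not come from the thread, added only to show how a non-noise denial is reported.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC and other records quoted in the thread, each
# unwrapped back onto a single line as auditd writes them. Non-AVC records are
# included to show that the parser skips them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
"""

# Constructed, hypothetical record (NOT from the thread): the shape a denial
# would take if the user's shell were refused read access to a file in the
# home directory. Used only to show how a non-noise denial is reported.
SAMPLE_REAL_DENIAL = (
    'type=AVC msg=audit(1235820300.000:270): avc: denied { read } for pid=4300 '
    'comm="bash" name=".bash_profile" dev=sda1 ino=12345 '
    'scontext=prakash:prakash_r:prakash_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions the reference policy silences with dontaudit on every
# domain transition. They surface when dontaudit rules are disabled (e.g. with
# enableaudit.pp) and are almost never the real blocker.
TRANSITION_NOISE = frozenset({"rlimitinh", "noatsecure", "siginh"})


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
    }


def summarize_denials(log_text):
    """Group denied permissions by (scontext, tcontext, tclass)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        groups[(rec["scontext"], rec["tcontext"], rec["tclass"])] |= rec["perms"]
    return {key: frozenset(perms) for key, perms in groups.items()}


def triage(groups):
    """Split each group into transition noise and permissions worth investigating."""
    return {
        key: {"noise": perms & TRANSITION_NOISE, "investigate": perms - TRANSITION_NOISE}
        for key, perms in groups.items()
    }


if __name__ == "__main__":
    report = triage(summarize_denials(SAMPLE_AUDIT_LOG + SAMPLE_REAL_DENIAL))
    for (scontext, tcontext, tclass), verdict in report.items():
        print(f"{scontext} -> {tcontext} ({tclass})")
        print(f"  noise:       {sorted(verdict['noise'])}")
        print(f"  investigate: {sorted(verdict['investigate'])}")
```

Run against the thread's own records, every denial lands in the noise bucket for the getty_t to local_login_t transition and the investigate bucket is empty, which matches Dominick's reading that these AVCs do not explain the failure; only the constructed home-directory record produces something to follow up on.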