SELinux: creating a per-user confined domain

Roberto Sassu roberto.sassu at polito.it
Tue Sep 15 13:57:45 UTC 2009


Hello all

i'm new to SELinux. I'm trying to create per-user domains in a system running 
Fedora 11 with the targeted policy enabled. The reason for that is that i need 
to create transitions to different domains when users start the same 
application.
I followed these steps:
- written my custom policy module(posted as attachment) in order to create new 
roles user1_r, user2_r with the default domains user1_t and user2_t;
- added to the system new selinux users user1_u and user2_u;
- added to the system the new linux users user1 and user2;
- associated user1 with user1_u and user2 with user2_u;
- labeled home directories respectively with types user1_home_t and 
user2_home_t
- created the two files user1_u and user2_u in 
/etc/selinux/targeted/contexts/users;

Then i tried to connect in local to the ssh server from root to the user1 but 
it rejected the connection with this log messages (but no AVC warnings):

Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 
53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation 
failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to 
query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get 
valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened 
for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): 
Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: 
security_compute_relabel: Invalid argument

If putting the system in permissive mode the connection was successful but the 
security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
Any suggestions? Thanks in advance.


-------------- next part --------------
policy_module(usermod,1.0.0)


userdom_base_user_template(user1)
userdom_base_user_template(user2)


access_to_home(user1)
access_to_home(user2)

-------------- next part --------------
## <summary></summary>

interface(`access_to_home',`
	require {
		type home_root_t;	
		type local_login_t, fs_t, proc_t, sshd_t;
	}

	type $1_home_t;

	type_transition $1_t $1_home_t:{file dir} $1_home_t;

	allow local_login_t $1_home_t:dir search;
	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
	allow $1_t $1_home_t:file { read write create open getattr append };
	allow $1_t home_root_t:dir { search read open getattr };
	allow $1_home_t fs_t:filesystem associate;
	allow $1_t proc_t:file { read open };
	allow sshd_t $1_home_t:dir search;
')

-------------- next part --------------
/home/user1(/.*)?			gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)?			gen_context(user2_u:object_r:user2_home_t,s0)
-------------- next part --------------

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user1_u         user1      s0         s0                             user1_r
user2_u         user2      s0         s0                             user2_r
user4           user       s0         s0                             user_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r
-------------- next part --------------

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
test1                     user_u                    s0                       
user1                     user1_u                   s0                       
user2                     user2_u                   s0                       
user4                     user_u                    s0                       


More information about the fedora-selinux-list mailing list