SELinux: creating a per-user confined domain
Roberto Sassu
roberto.sassu at polito.it
Tue Sep 15 13:57:45 UTC 2009
Hello all,
I'm new to SELinux. I'm trying to create per-user domains on a system running
Fedora 11 with the targeted policy enabled. The reason is that I need to
create transitions to different domains when users start the same
application.
I followed these steps:
- wrote my custom policy module (posted as an attachment) in order to create the
  new roles user1_r and user2_r with the default domains user1_t and user2_t;
- added the new SELinux users user1_u and user2_u to the system;
- added the new Linux users user1 and user2 to the system;
- associated user1 with user1_u and user2 with user2_u;
- labeled the home directories with the types user1_home_t and user2_home_t
  respectively;
- created the two files user1_u and user2_u in
  /etc/selinux/targeted/contexts/users.
Then I tried to connect locally to the ssh server from root as user1, but it
rejected the connection with these log messages (but no AVC warnings):
Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
When putting the system in permissive mode, the connection was successful, but
the security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
Any suggestions? Thanks in advance.
-------------- next part --------------
policy_module(usermod,1.0.0)

# One role/domain pair per user: user1_r/user1_t and user2_r/user2_t.
userdom_base_user_template(user1)
userdom_base_user_template(user2)

# Per-user home type userN_home_t plus the rules from access_to_home() in the .if file.
access_to_home(user1)
access_to_home(user2)
-------------- next part --------------
## <summary>Per-user home directory type and the rules the user domain needs to use it.</summary>
## <param name="prefix"><summary>User prefix, e.g. user1 (domain $1_t, role $1_r).</summary></param>
interface(`access_to_home',`
	gen_require(`
		type home_root_t;
		type local_login_t, fs_t, proc_t, sshd_t;
	')

	# Home directory type for this user. files_type($1_home_t) would mark it as a
	# file type and also grant the fs_t associate rule below.
	type $1_home_t;

	# No-op: objects created inside a $1_home_t directory inherit $1_home_t anyway.
	type_transition $1_t $1_home_t:{ file dir } $1_home_t;

	# local login must be able to search the home directory.
	allow local_login_t $1_home_t:dir search;

	# The user domain may read, write and create in its own home, and look up /home.
	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
	allow $1_t $1_home_t:file { read write create open getattr append };
	allow $1_t home_root_t:dir { search read open getattr };

	# Files of this type may live on ordinary (fs_t) filesystems.
	allow $1_home_t fs_t:filesystem associate;

	# Shells read /proc files at startup.
	allow $1_t proc_t:file { read open };

	# sshd must be able to search the home directory as well.
	allow sshd_t $1_home_t:dir search;
')
-------------- next part --------------
/home/user1(/.*)? gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)? gen_context(user2_u:object_r:user2_home_t,s0)
-------------- next part --------------
SELinux User    Labeling Prefix  MLS/MCS Level  MLS/MCS Range     SELinux Roles
guest_u         user             s0             s0                guest_r
root            user             s0             s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user             s0             s0-s0:c0.c1023    staff_r sysadm_r system_r
sysadm_u        user             s0             s0-s0:c0.c1023    sysadm_r
system_u        user             s0             s0-s0:c0.c1023    system_r
unconfined_u    user             s0             s0-s0:c0.c1023    system_r unconfined_r
user1_u         user1            s0             s0                user1_r
user2_u         user2            s0             s0                user2_r
user4           user             s0             s0                user_r
user_u          user             s0             s0-s0:c0.c1023    user_r
xguest_u        user             s0             s0                xguest_r
-------------- next part --------------
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
test1           user_u          s0
user1           user1_u         s0
user2           user2_u         s0
user4           user_u          s0
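The setup steps listed in the post, written out as shell functions. This is an example added here, not code from the original post or from Fedora. It assumes the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile, module files named usermod.te/usermod.if/usermod.fc in the current directory, and that each per-user contexts file needs one sshd_t and one local_login_t line; the post does not show what its contexts/users files contained, so that content is an assumption. The context_is_confined check compares an `id -Z` result with the expected per-user context and rejects the unconfined_t fallback the post observed in permissive mode. The privileged steps only run when the script is invoked with --apply, so the helper functions can be sourced and exercised on any machine.

```shell
#!/bin/bash
# Added example (not from the original post): per-user confined domain setup.
# Assumptions: refpolicy devel Makefile, usermod.{te,if,fc} in the cwd, and the
# contexts/users file format shown in gen_user_contexts (the post's file content
# is unknown). Names user1/user2 follow the post.
set -u

POLICY_ROOT=${POLICY_ROOT:-/etc/selinux/targeted}

# Lines for $POLICY_ROOT/contexts/users/<seuser>: each line maps the context of
# the login program to the context the new session should get. Assumed content.
gen_user_contexts() {
    u=$1
    printf 'system_r:sshd_t:s0\t\t%s_r:%s_t:s0\n' "$u" "$u"
    printf 'system_r:local_login_t:s0\t%s_r:%s_t:s0\n' "$u" "$u"
}

# file_contexts line for the home directory, same shape as the post's .fc file.
gen_fcontext_line() {
    u=$1
    printf '/home/%s(/.*)?\tgen_context(%s_u:object_r:%s_home_t,s0)\n' "$u" "$u" "$u"
}

# Return 0 when a context string (as printed by `id -Z`) is the confined
# per-user context for $1, 1 otherwise (e.g. the unconfined_t fallback).
context_is_confined() {
    u=$1
    ctx=$2
    case "$ctx" in
        "${u}_u:${u}_r:${u}_t:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: build and load the module from usermod.te/.if/.fc in the cwd.
build_and_load_module() {
    make -f /usr/share/selinux/devel/Makefile usermod.pp
    semodule -i usermod.pp
}

# Steps 2-6 for one user: SELinux user with its role and labeling prefix,
# Linux user, login mapping, home directory labeling, contexts file.
add_confined_user() {
    u=$1
    semanage user -a -R "${u}_r" -P "$u" -r s0 "${u}_u"
    useradd "$u"
    semanage login -a -s "${u}_u" -r s0 "$u"
    semanage fcontext -a -s "${u}_u" -t "${u}_home_t" "/home/${u}(/.*)?"
    restorecon -R -v "/home/${u}"
    gen_user_contexts "$u" > "$POLICY_ROOT/contexts/users/${u}_u"
}

# Log in over ssh and verify the session landed in the per-user domain rather
# than falling back to unconfined_t (what the post saw in permissive mode).
verify_login() {
    u=$1
    ctx=$(ssh "${u}@localhost" id -Z) || return 1
    if context_is_confined "$u" "$ctx"; then
        echo "ok: $u runs as $ctx"
    else
        echo "FAIL: $u runs as $ctx (check contexts/users/${u}_u and default_contexts)" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    build_and_load_module
    for u in user1 user2; do add_confined_user "$u"; done
    for u in user1 user2; do verify_login "$u"; done
fi
```

Run it as root with `./setup_users.sh --apply` on the target system; without the flag it only defines the functions, so `. ./setup_users.sh` followed by `context_is_confined user1 "$(id -Z)"` can be used as a standalone check after logging in as the user.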
More information about the fedora-selinux-list mailing list