SELinux: creating a per-user confined domain

Daniel J Walsh dwalsh at redhat.com
Tue Sep 15 15:40:59 UTC 2009


On 09/15/2009 09:57 AM, Roberto Sassu wrote:
> Hello all
> 
> I'm new to SELinux. I'm trying to create per-user domains in a system running 
> Fedora 11 with the targeted policy enabled. The reason for that is that I need 
> to create transitions to different domains when users start the same 
> application.
> I followed these steps:
> - written my custom policy module (posted as attachment) in order to create new 
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new SELinux users user1_u and user2_u;
> - added to the system the new Linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and 
> user2_home_t;
> - created the two files user1_u and user2_u in 
> /etc/selinux/targeted/contexts/users;
> 
> Then I tried to connect locally to the ssh server from root to user1, but 
> it rejected the connection with these log messages (but no AVC warnings):
> 
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation 
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to 
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get 
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened 
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): 
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: 
> security_compute_relabel: Invalid argument
> 
> When putting the system in permissive mode, the connection was successful, but the 
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
> 

You probably need to create /etc/selinux/targeted/context/user1 and user2

Base these off of xguest

I am not crazy about having home content vary between users; I think this is a waste of time. Others disagree.
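
As an added illustration (not code from this thread or from libselinux), a simplified Python model of the lookup pam_selinux performs via get_ordered_context_list() for the sshd session in the log above: the daemon's role:type (system_r:sshd_t) is matched against the lines of /etc/selinux/targeted/contexts/users/<seuser>, which has the same format as the xguest_u file Dan points at, and each candidate is kept only if policy authorizes that role:type for the SELinux user. The file contents and the authorized set are constructed for the example; the real lookup also falls back to default_contexts and asks the kernel via security_check_context().

```python
# Constructed: what contexts/users/user1_u should hold, derived from the
# xguest_u file with xguest_r/xguest_t replaced by user1_r/user1_t.
USER1_CONTEXTS = """\
system_r:local_login_t:s0   user1_r:user1_t:s0
system_r:remote_login_t:s0  user1_r:user1_t:s0
system_r:sshd_t:s0          user1_r:user1_t:s0
system_r:crond_t:s0         user1_r:user1_t:s0
user1_r:user1_t:s0          user1_r:user1_t:s0
"""

# Constructed: the same file with no entry for logins arriving through sshd_t.
USER1_CONTEXTS_NO_SSHD = "\n".join(
    line for line in USER1_CONTEXTS.splitlines() if "sshd_t" not in line) + "\n"

# Constructed: the role:type pairs `semanage user` grants to user1_u; this
# stands in for the kernel's security_check_context() answer.
AUTHORIZED = {"user1_r:user1_t"}
SSHD = "system_u:system_r:sshd_t:s0"   # context sshd runs in under targeted


def parse_contexts(text):
    """Map the calling process's 'role:type' to its ordered candidate contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        src_role, src_type = fields[0].split(":")[:2]   # ignore any MLS range
        table.setdefault(f"{src_role}:{src_type}", []).extend(fields[1:])
    return table


def ordered_context_list(fromcon, seuser, contexts_text, authorized):
    """Return the login contexts pam_selinux would consider, best first.

    An empty result is the path that produces 'Would you like to enter a
    security context?' and, with no interactive conversation available to
    sshd's session, 'Unable to get valid context for <user>'."""
    _, role, type_, *_ = fromcon.split(":")
    result = []
    for cand in parse_contexts(contexts_text).get(f"{role}:{type_}", []):
        cand_role, cand_type, *cand_range = cand.split(":")
        if f"{cand_role}:{cand_type}" in authorized:
            result.append(":".join([seuser, cand_role, cand_type] + cand_range))
    return result


if __name__ == "__main__":
    print(ordered_context_list(SSHD, "user1_u", USER1_CONTEXTS, AUTHORIZED))
    # -> ['user1_u:user1_r:user1_t:s0']
    print(ordered_context_list(SSHD, "user1_u", USER1_CONTEXTS_NO_SSHD, AUTHORIZED))
    # -> []   (no sshd_t line: the login fails as in the log above)
```

The third failure mode is a file that is present and correct but an SELinux user that was never granted user1_r (an empty authorized set), which yields the same empty list and the same pam_selinux error.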
