SELinux: creating a per-user confined domain
Daniel J Walsh
dwalsh at redhat.com
Tue Sep 15 15:40:59 UTC 2009
On 09/15/2009 09:57 AM, Roberto Sassu wrote:
> Hello all
>
> I'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that I need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - written my custom policy module (posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t;
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then I tried to connect locally to the ssh server from root to user1, but
> it rejected the connection with these log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> When putting the system in permissive mode, the connection was successful, but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You probably need to create /etc/selinux/targeted/context/user1 and user2.
Base these off of xguest.
I am not crazy about having home content vary between users; I think this is a waste of time. Others disagree.
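As an added example (not code from either post), a small POSIX shell script that derives a contexts file for a new confined user from the xguest_u template, as Dan suggests, and checks that both login paths sshd uses resolve to the user's domain. The user1_r/user1_t naming follows Roberto's post; the directory /etc/selinux/targeted/contexts/users is the one he mentions, the built-in template is a constructed copy of the standard Fedora layout used only when the real xguest_u file is absent, and apply_user assumes a real Fedora host with semanage, run as root.

```shell
#!/bin/sh
# Added example: build and check a contexts/users file for a new confined
# SELinux user by cloning xguest_u (assumes the targeted policy and that the
# custom module already defines <name>_r and <name>_t).
CONTEXTS_DIR=/etc/selinux/targeted/contexts/users

# Print the real xguest_u template, or a constructed copy of the standard
# Fedora layout when the file is not available on this machine.
xguest_template() {
    if [ -r "$CONTEXTS_DIR/xguest_u" ]; then
        cat "$CONTEXTS_DIR/xguest_u"
    else
        printf '%s\n' \
            'system_r:crond_t:s0        xguest_r:xguest_t:s0' \
            'system_r:local_login_t:s0  xguest_r:xguest_t:s0' \
            'system_r:remote_login_t:s0 xguest_r:xguest_t:s0' \
            'system_r:sshd_t:s0         xguest_r:xguest_t:s0' \
            'system_r:xdm_t:s0          xguest_r:xguest_t:s0' \
            'xguest_r:xguest_t:s0       xguest_r:xguest_t:s0'
    fi
}

# Rewrite the template for a user whose role and domain follow the
# <name>_r / <name>_t pattern from the thread (user1 -> user1_r:user1_t).
gen_user_contexts() {
    xguest_template | sed "s/xguest_r:xguest_t/${1}_r:${1}_t/g"
}

# sshd computes the login context from sshd_t (and remote_login_t); if either
# line is missing, pam_selinux reports "Unable to get valid context".
check_user_contexts() {
    ctx="${1}_r:${1}_t:s0"
    gen_user_contexts "$1" | grep -q "^system_r:sshd_t:s0[[:space:]]\{1,\}$ctx" &&
    gen_user_contexts "$1" | grep -q "^system_r:remote_login_t:s0[[:space:]]\{1,\}$ctx"
}

# On a real system (root): authorise the role for the SELinux user, map the
# Linux login to it, install the contexts file and show the resulting mapping.
apply_user() {
    semanage user -a -R "${1}_r" "${1}_u"
    semanage login -a -s "${1}_u" "$1"
    gen_user_contexts "$1" > "$CONTEXTS_DIR/${1}_u"
    check_user_contexts "$1"
    semanage login -l | grep "^$1 "
}

# Only touch the system when explicitly asked: ./script.sh --apply user1
[ "${1:-}" = "--apply" ] && apply_user "$2"
```

Running it without `--apply` just defines the functions, so the generated file can be inspected with `gen_user_contexts user1` before anything is installed.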