SELinux: creating a per-user confined domain
Dominick Grift
domg472 at gmail.com
Tue Sep 15 14:37:37 UTC 2009
On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
> Hello all
>
> I'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that I need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - wrote my custom policy module (posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then I tried to connect locally to the ssh server from root to user1, but
> it rejected the connection with these log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> When I put the system in permissive mode, the connection was successful, but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
>
> policy_module(usermod,1.0.0)
>
>
> userdom_base_user_template(user1)
> userdom_base_user_template(user2)
>
>
> access_to_home(user1)
> access_to_home(user2)
>
> ## <summary></summary>
>
> interface(`access_to_home',`
> require {
> type home_root_t;
> type local_login_t, fs_t, proc_t, sshd_t;
> }
>
> type $1_home_t;
>
> type_transition $1_t $1_home_t:{file dir} $1_home_t;
>
> allow local_login_t $1_home_t:dir search;
> allow $1_t $1_home_t:dir { write search read create open getattr add_name };
> allow $1_t $1_home_t:file { read write create open getattr append };
> allow $1_t home_root_t:dir { search read open getattr };
> allow $1_home_t fs_t:filesystem associate;
> allow $1_t proc_t:file { read open };
> allow sshd_t $1_home_t:dir search;
> ')
>
> /home/user1(/.*)? gen_context(user1_u:object_r:user1_home_t,s0)
> /home/user2(/.*)? gen_context(user2_u:object_r:user2_home_t,s0)
>
>                Labeling  MLS/       MLS/
> SELinux User   Prefix    MCS Level  MCS Range        SELinux Roles
>
> guest_u        user      s0         s0               guest_r
> root           user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> staff_u        user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
> sysadm_u       user      s0         s0-s0:c0.c1023   sysadm_r
> system_u       user      s0         s0-s0:c0.c1023   system_r
> unconfined_u   user      s0         s0-s0:c0.c1023   system_r unconfined_r
> user1_u        user1     s0         s0               user1_r
> user2_u        user2     s0         s0               user2_r
> user4          user      s0         s0               user_r
> user_u         user      s0         s0-s0:c0.c1023   user_r
> xguest_u       user      s0         s0               xguest_r
>
> Login Name     SELinux User   MLS/MCS Range
>
> __default__    unconfined_u   s0-s0:c0.c1023
> root           unconfined_u   s0-s0:c0.c1023
> system_u       system_u       s0-s0:c0.c1023
> test1          user_u         s0
> user1          user1_u        s0
> user2          user2_u        s0
> user4          user_u         s0
My first thought is that there may be errors in the /etc/selinux/targeted/contexts/users/user{1_u,2_u} files.
My second thought is that it may have to do with your exotic home dir solution. I would not do that because it may require lots of policy and the results may not be so beneficial.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
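A checker for the mapping the reply points at, added here as an example and not code from the thread, refpolicy or libselinux: it parses the semanage tables quoted above and lints a contexts/users/<seuser> file in the default_contexts format libselinux reads (each line is the calling process's role:type:level followed by one or more candidate role:type:level contexts, each of which must use a role and level the SELinux user is allowed). The two contexts/users bodies are constructed; the first deliberately offers user_r, which user1_u cannot reach, to show what a mismatch looks like. The MLS containment test is a simplification (a candidate level must be the range's low or high end) and is labelled as such in the code.

```python
"""Lint SELinux user/login mappings and a contexts/users/<seuser> file.

Added example for the thread above; not code from the thread, refpolicy
or libselinux. The semanage rows are taken from the original post; the
contexts/users bodies are constructed for illustration.
"""

# Relevant rows of `semanage user -l` as quoted in the thread (headers removed).
SEMANAGE_USER_L = """\
root          user   s0  s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
system_u      user   s0  s0-s0:c0.c1023  system_r
unconfined_u  user   s0  s0-s0:c0.c1023  system_r unconfined_r
user1_u       user1  s0  s0              user1_r
user2_u       user2  s0  s0              user2_r
user_u        user   s0  s0-s0:c0.c1023  user_r
"""
# Relevant rows of `semanage login -l` as quoted in the thread.
SEMANAGE_LOGIN_L = """\
__default__  unconfined_u  s0-s0:c0.c1023
root         unconfined_u  s0-s0:c0.c1023
user1        user1_u       s0
user2        user2_u       s0
"""
# Constructed contexts/users/user1_u bodies, in the default_contexts format
# libselinux reads: "<caller role:type:level> <candidate role:type:level> ...".
# The first wrongly offers user_r, a role user1_u is not allowed to take.
CONTEXTS_USER1_U_BAD = """\
system_r:sshd_t:s0         user_r:user_t:s0
system_r:local_login_t:s0  user1_r:user1_t:s0
"""
CONTEXTS_USER1_U_GOOD = """\
system_r:sshd_t:s0         user1_r:user1_t:s0
system_r:local_login_t:s0  user1_r:user1_t:s0
"""


def parse_semanage_users(text):
    """Map each SELinux user to its MLS/MCS range and allowed roles."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("SELinux", "Labeling"):
            continue  # blank line or wrapped header line
        seuser, _prefix, _level, rng, *roles = fields
        users[seuser] = {"range": rng, "roles": set(roles)}
    return users


def parse_semanage_logins(text):
    """Map each Linux login to its (SELinux user, MLS/MCS range)."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: (f[1], f[2]) for f in rows if len(f) == 3}  # header has 6 words


def level_in_range(level, rng):
    """Simplified containment (assumption: enough for the s0 and
    s0-s0:c0.c1023 ranges of a targeted system): the candidate level must
    be the range's low or high end, or the range itself."""
    low, _, high = rng.partition("-")
    return level in {low, high or low, rng}


def lint_logins(users, logins):
    """Every login must map to a defined SELinux user, within its range."""
    problems = []
    for login, (seuser, rng) in logins.items():
        if seuser not in users:
            problems.append(f"login {login}: SELinux user {seuser} is not defined")
        elif not level_in_range(rng.partition("-")[0], users[seuser]["range"]):
            problems.append(f"login {login}: range {rng} is outside "
                            f"{seuser}'s range {users[seuser]['range']}")
    return problems


def lint_contexts_file(text, seuser, users):
    """Each candidate context must be role:type:level and use a role and
    level the SELinux user may take; the caller's context is not checked."""
    if seuser not in users:
        return [f"{seuser}: not a defined SELinux user"]
    roles, rng = users[seuser]["roles"], users[seuser]["range"]
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, ctx in enumerate(fields):
            parts = ctx.split(":")
            if len(parts) != 3:
                problems.append(f"line {lineno}: {ctx!r} is not role:type:level")
            elif i > 0:  # candidates (not the caller) are tied to the user
                role, _type, level = parts
                if role not in roles:
                    problems.append(f"line {lineno}: role {role} in {ctx} is not "
                                    f"allowed for {seuser} (allowed: "
                                    f"{' '.join(sorted(roles))})")
                if not level_in_range(level, rng):
                    problems.append(f"line {lineno}: level {level} in {ctx} "
                                    f"is outside {seuser}'s range {rng}")
    return problems
```

Run against the quoted tables, `lint_logins` reports nothing, while `lint_contexts_file(CONTEXTS_USER1_U_BAD, "user1_u", users)` flags the user_r candidate on line 1; the same functions can be pointed at the real `semanage` output and the real contexts/users file on the box to rule out the mapping as the cause before digging into policy.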