SELinux: creating a per-user confined domain

Dominick Grift domg472 at gmail.com
Tue Sep 15 14:37:37 UTC 2009


On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:
> Hello all
> 
> I'm new to SELinux. I'm trying to create per-user domains in a system running 
> Fedora 11 with the targeted policy enabled. The reason for that is that I need 
> to create transitions to different domains when users start the same 
> application.
> I followed these steps:
> - wrote my custom policy module (posted as attachment) in order to create new 
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and 
> user2_home_t
> - created the two files user1_u and user2_u in 
> /etc/selinux/targeted/contexts/users;
> 
> Then I tried to connect locally to the ssh server from root to user1, but it 
> rejected the connection with these log messages (but no AVC warnings):
> 
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
> 
> When putting the system in permissive mode, the connection was successful, but the 
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
> 
> 

> policy_module(usermod,1.0.0)
> 
> 
> userdom_base_user_template(user1)
> userdom_base_user_template(user2)
> 
> 
> access_to_home(user1)
> access_to_home(user2)
> 

> ## <summary>Declare a home directory type for the $1_t domain and grant access to it.</summary>
> ## <param name="userdomain_prefix"><summary>Prefix of the user domain, e.g. user1</summary></param>
> 
> # A macro that declares types is a template(), not an interface(), in
> # reference policy conventions; the call sites in the .te file are unchanged.
> template(`access_to_home',`
> 	require {
> 		type home_root_t;
> 		type local_login_t, fs_t, proc_t, sshd_t;
> 	}
> 
> 	type $1_home_t;
> 
> 	# New files and dirs created by $1_t inside a $1_home_t dir get $1_home_t.
> 	# (This is already the default inheritance, so the rule is redundant.)
> 	type_transition $1_t $1_home_t:{file dir} $1_home_t;
> 
> 	# login programs and sshd must be able to traverse the home directory
> 	allow local_login_t $1_home_t:dir search;
> 	allow sshd_t $1_home_t:dir search;
> 
> 	# the user domain itself gets read/write on its home tree and can look up /home
> 	allow $1_t $1_home_t:dir { write search read create open getattr add_name };
> 	allow $1_t $1_home_t:file { read write create open getattr append };
> 	allow $1_t home_root_t:dir { search read open getattr };
> 	allow $1_t proc_t:file { read open };
> 
> 	# $1_home_t carries no files_type attribute, so allow it on the filesystem explicitly
> 	allow $1_home_t fs_t:filesystem associate;
> ')
> 

> /home/user1(/.*)?			gen_context(user1_u:object_r:user1_home_t,s0)
> /home/user2(/.*)?			gen_context(user2_u:object_r:user2_home_t,s0)

> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
> user1_u         user1      s0         s0                             user1_r
> user2_u         user2      s0         s0                             user2_r
> user4           user       s0         s0                             user_r
> user_u          user       s0         s0-s0:c0.c1023                 user_r
> xguest_u        user       s0         s0                             xguest_r

> 
> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              s0-s0:c0.c1023           
> root                      unconfined_u              s0-s0:c0.c1023           
> system_u                  system_u                  s0-s0:c0.c1023           
> test1                     user_u                    s0                       
> user1                     user1_u                   s0                       
> user2                     user2_u                   s0                       
> user4                     user_u                    s0                       

My first thought is that there may be errors in the /etc/selinux/targeted/contexts/users/user{1_u,2_u} files.
My second thought is that it may have to do with your exotic home dir solution. I would not do that because it may require lots of policy and the results may not be so beneficial.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
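Since the first suspicion above falls on the contexts/users files, here is a way to check them without a login attempt. This is an added example of my own, not code from the thread or from the Fedora policy. A /etc/selinux/targeted/contexts/users/<seuser> file has the same shape as default_contexts: each line pairs the login program's role:type[:level] with one or more candidate role:type[:level] defaults. At login time libselinux prefixes each candidate with the SELinux user and validates the full context against the loaded policy; a candidate whose role is not assigned to that user (the "SELinux Roles" column of semanage user -l above, user1_r for user1_u) is rejected and skipped, and when no candidate survives pam_selinux falls back to the "Would you like to enter a security context?" prompt, which a non-interactive sshd session cannot answer; that is consistent with the log lines quoted above. The function name check_user_contexts and the two embedded sample files are constructed for this example, and the role list is passed in by hand instead of being read from semanage so the check runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Fedora policy.
# Offline sanity check for a /etc/selinux/<policy>/contexts/users/<seuser>
# file. Line format (same as default_contexts):
#     <login role:type[:level]>   <candidate role:type[:level]> ...
# Every candidate's role must be one the SELinux user is assigned
# ("semanage user -l"), or the policy rejects the resulting context and
# the candidate is skipped at login time. Blank lines and lines starting
# with "#" are ignored by this checker.
#
# usage: check_user_contexts 'role_a role_b' < FILE
#   prints one finding per line; exit 0 when clean, 1 otherwise.
check_user_contexts() {
    awk -v roles="$1" '
    # Split role:type[:level] on the first two colons only; the level itself
    # may contain colons (s0-s0:c0.c1023). Returns 1 when role and type exist.
    function split_ctx(ctx, out,    i, rest) {
        i = index(ctx, ":")
        if (i == 0) return 0
        out["role"] = substr(ctx, 1, i - 1)
        rest = substr(ctx, i + 1)
        i = index(rest, ":")
        out["type"]  = (i == 0) ? rest : substr(rest, 1, i - 1)
        out["level"] = (i == 0) ? ""   : substr(rest, i + 1)
        return (out["role"] != "" && out["type"] != "")
    }
    BEGIN {
        n = split(roles, r, " ")
        for (i = 1; i <= n; i++) allowed[r[i]] = 1
        c["role"] = ""          # make c an array before passing it around
        bad = 0; seen_sshd = 0
    }
    /^[ \t]*(#|$)/ { next }
    {
        if (NF < 2) { printf "line %d: no candidate context\n", NR; bad = 1; next }
        for (f = 1; f <= NF; f++) {
            if (!split_ctx($f, c)) {
                printf "line %d: malformed context \"%s\"\n", NR, $f; bad = 1; continue
            }
            if (f == 1) {
                if (c["role"] == "system_r" && c["type"] == "sshd_t") seen_sshd = 1
            } else if (!(c["role"] in allowed)) {
                printf "line %d: role %s is not assigned to this SELinux user\n", NR, c["role"]
                bad = 1
            }
        }
    }
    END {
        if (!seen_sshd) { print "no system_r:sshd_t line: ssh logins get no default context"; bad = 1 }
        exit bad
    }'
}

# Constructed sample for user1_u, whose only role is user1_r as in the
# semanage output above.
sample_user1_u_ok() {
cat <<'EOF'
system_r:local_login_t:s0    user1_r:user1_t:s0
system_r:remote_login_t:s0   user1_r:user1_t:s0
system_r:sshd_t:s0           user1_r:user1_t:s0
system_r:crond_t:s0          user1_r:user1_t:s0
EOF
}

# Constructed broken sample: copied from user_u and only partly edited, so
# two lines still name user_r and one candidate lacks its type.
sample_user1_u_broken() {
cat <<'EOF'
system_r:local_login_t:s0    user_r:user_t:s0
system_r:sshd_t:s0           user1_r:user1_t:s0 user_r:user_t:s0
system_r:xdm_t:s0            user1_r
EOF
}

# On a real box: check_user_contexts 'user1_r' < /etc/selinux/targeted/contexts/users/user1_u
echo "== good sample =="
sample_user1_u_ok | check_user_contexts 'user1_r' && echo "ok: no findings"
echo "== broken sample =="
sample_user1_u_broken | check_user_contexts 'user1_r' || echo "findings present, exit status $?"
```

On the box itself the same question can be put to libselinux directly with getseuser from libselinux-utils, e.g. getseuser user1 system_u:system_r:sshd_t:s0, which prints the contexts the login would be offered; an empty list there means the file, the semanage user roles, or the policy's role authorizations disagree.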