[DSE-User] mapping of linux users to selinux users fails on login

Thomas Bleher ThomasBleher at gmx.de
Tue Nov 6 07:26:56 UTC 2007


* Philip Tricca <phil at noggle.biz> [2007-11-05 18:18]:
> I'm setting up a new lenny system with enforcing policy and my mapping 
> of Linux users to SELinux users is failing on user login.  There's 
> excellent documentation from Gentoo on using semanage to map logins 
> appropriately and I'm following this from here:
> 
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4
> 
> For policy development I want a regular user (call him bob) that's in 
> the staff_r and sysadm_r roles so that I can be in an unprivileged role 
> when modifying policy files and in the sysadm_r role when I need to load 
> policy / relabel files.  I've set this up previously on Fedora and 
> Debian systems by using semanage like so:
> 
> semanage login -a -s staff_u bob
> restorecon /home/bob
> 
> Currently this appears to update the selinux data store correctly 
> (semanage login -l output looks right) and bob's homedir is relabeled 
> correctly (staff_u:object_r:staff_home_dir_t); however, when bob logs in 
> he is still in the default user_u:user_r:user_t domain and not in the 
> expected staff_u:staff_r:staff_t domain.
> 
> I have set up the /etc/pam.d/login file as per the selinux wiki and 
> receive no avc messages beyond the expected denials from having a shell 
> starting in user_t attempting to access files from a homedir labeled 
> staff_t.
> 
> I'm at a bit of a loss as to where to start looking for the problem as 
> everything seems to work correctly up to the transition done by login 
> (but that's just me guessing based on my observations noted above).  I 
> had done exactly this on a lenny system (strict) not too long ago. 
> Either I've forgotten a necessary step or something has broken (I'm hoping 
> it's not the latter).

Last time I checked, the PAM version in Lenny and Sid was too old for
this. I think (but don't have time to check right now) that you need a
new version of pam_selinux.so. Upstream PAM already has the code IIRC
(see http://www.kernel.org/pub/linux/libs/pam/ for the tarballs). It
should be sufficient to just take the pam_selinux.so from the new
upstream version if you want to stay as close as possible to Lenny.

Regards,
Thomas
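A small shell diagnostic, added here as an example and not taken from the thread or from the Debian SELinux packages, that checks the three places where the login mapping described above can go wrong before the context transition: the `semanage login` mapping itself, the `pam_selinux.so` close/open lines in `/etc/pam.d/login`, and the SELinux user in the home directory label. The `semanage login -l` output and the PAM fragment are constructed samples; in real use you would pipe the actual command output into `mapped_seuser` and point `pam_selinux_ok` at the real file.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): localise why a Linux user
# still lands in the default context after `semanage login -a`.

# 1. Which SELinux user is a login mapped to?  Reads `semanage login -l`
#    style lines on stdin ("<login> <seuser> <mls-range>") and falls back
#    to the __default__ entry when the login has no explicit mapping.
mapped_seuser() {
    awk -v login="$1" '
        $1 == login        { found = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# 2. Does the PAM login stack carry both pam_selinux.so session lines?
#    Without "close" before and "open" after the other session modules,
#    login never performs the transition and the user stays in the default
#    context.  Anchoring at ^session ignores commented-out lines.
pam_selinux_ok() {
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_selinux\.so[[:space:]]+close' "$1" &&
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_selinux\.so[[:space:]]+open' "$1"
}

# 3. Does the home directory label agree with the mapping?  Compares the
#    SELinux user field of a context (as printed by `ls -dZ /home/bob`)
#    with the expected seuser; a mismatch means restorecon is still due.
home_label_matches() {
    ctx_user=$(printf '%s' "$2" | cut -d: -f1)
    [ "$ctx_user" = "$1" ]
}

# Constructed stand-in for `semanage login -l` output.
SEMANAGE_SAMPLE='Login Name    SELinux User    MLS/MCS Range
__default__   user_u          s0
root          root            s0-s0:c0.c1023
bob           staff_u         s0-s0:c0.c1023'

# Constructed stand-in for /etc/pam.d/login; prints the temp file's path.
write_pam_sample() {
    f=$(mktemp)
    printf '%s\n' 'session required pam_selinux.so close' \
                  'session required pam_unix.so' \
                  'session required pam_selinux.so open' > "$f"
    printf '%s\n' "$f"
}

# Pull the checks together: returns 0 only when mapping, PAM stack and
# home label all agree for the given login.
check_login() {
    login="$1"; pam_file="$2"; home_ctx="$3"
    seuser=$(printf '%s\n' "$SEMANAGE_SAMPLE" | mapped_seuser "$login")
    pam_selinux_ok "$pam_file" || {
        echo "$login: pam_selinux.so close/open missing in $pam_file"; return 1; }
    home_label_matches "$seuser" "$home_ctx" || {
        echo "$login: home labelled $(printf '%s' "$home_ctx" | cut -d: -f1), mapping says $seuser (run restorecon)"
        return 1; }
    echo "$login -> $seuser: mapping, PAM stack and home label agree"
}

# Demo on the constructed data.
PAM_FILE=$(write_pam_sample)
check_login bob "$PAM_FILE" staff_u:object_r:staff_home_dir_t
rm -f "$PAM_FILE"
```

When all three checks pass and the user still logs in as user_u, the remaining suspect is the PAM module itself, which is the direction the reply above points at: an older pam_selinux.so that does not consult the seusers mapping at all.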
