[DSE-User] mapping of linux users to selinux users fails on login

Philip Tricca phil at noggle.biz
Tue Nov 13 17:34:25 UTC 2007


Thomas,

Thomas Bleher wrote:
> * Philip Tricca <phil at noggle.biz> [2007-11-05 18:18]:
>> I'm setting up a new lenny system with enforcing policy and my mapping 
>> of Linux users to SELinux users is failing on user login.  There's 
>> excellent documentation from Gentoo on using semanage to map logins 
>> appropriately and I'm following this from here:
>>
>> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4
>>
>> For policy development I want a regular user (call him bob) that's in 
>> the staff_r and sysadm_r roles so that I can be in an unprivileged role 
>> when modifying policy files and in the sysadm_r role when I need to load 
>> policy / relabel files.  I've set this up previously on Fedora and 
>> Debian systems by using semanage like so:
>>
>> semanage login -a -s staff_u bob
>> restorecon /home/bob
>>
>> Currently this appears to update the selinux data store correctly 
>> (semanage login -l output looks right) and bob's homedir is relabeled 
>> correctly (staff_u:object_r:staff_home_dir_t) however when bob logs in 
>> he is still in the default user_u:user_r:user_t domain and not in the 
>> expected staff_u:staff_r:staff_t domain.
>>
>> I have set up the /etc/pam.d/login file as per the selinux wiki and 
>> receive no avc messages beyond the expected denials from having a shell 
>> starting in user_t attempting to access files from a homedir labeled 
>> staff_t.
>>
>> I'm at a bit of a loss as to where to start looking for the problem as 
>> everything seems to work correctly up to the transition done by login 
>> (but that's just me guessing based on my observations noted above).  I 
>> had done exactly this on a lenny system (strict) not too long ago. 
>> Either I've forgotten a necessary step or something has broken (I'm hoping 
>> it's not the latter).
> 
> Last time I checked, the PAM version in Lenny and Sid was too old for
> this. I think (but don't have time to check right now) that you need a
> new version of pam_selinux.so. Upstream PAM already has the code IIRC
> (see http://www.kernel.org/pub/linux/libs/pam/ for the tarballs). It
> should be sufficient to just take the pam_selinux.so from the new
> upstream version if you want to stay as close as possible to Lenny.

Brilliant, Thomas.  Your suggestion worked perfectly.  Now the hard part.
I'm not familiar with the Debian bug reporting policy (I should read
the policy docs, right?) but does this qualify as a bug against the
Debian PAM package?

Thanks for the help,
- Philip
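The symptom in this thread (semanage says staff_u, the session still comes up as user_u) is easy to check for mechanically. The script below is an added example, not something posted in the thread: it parses a constructed sample of `semanage login -l` output, resolves a login to its SELinux user (falling back to `__default__`), and compares that with the user field of a session context such as `id -Z` would print. On a real system replace the constructed table with the live command output.

```shell
#!/bin/sh
# Added example: detect a login-to-SELinux-user mapping that is not applied at login.
# The table below is a constructed sample of `semanage login -l` output (column
# layout assumed from policycoreutils); on a real box use: SEMANAGE_LOGIN_L=$(semanage login -l)
SEMANAGE_LOGIN_L='Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
bob                       staff_u                   s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023'

# expected_seuser LOGIN -> SELinux user the mapping assigns, or the __default__ entry
expected_seuser() {
    login="$1"
    match=$(printf '%s\n' "$SEMANAGE_LOGIN_L" | awk -v u="$login" '$1 == u { print $2 }')
    if [ -z "$match" ]; then
        match=$(printf '%s\n' "$SEMANAGE_LOGIN_L" | awk '$1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$match"
}

# seuser_of_context CONTEXT -> the user field of user:role:type[:range]
seuser_of_context() {
    printf '%s\n' "$1" | cut -d: -f1
}

# check_login LOGIN CONTEXT -> returns 0 when the session's SELinux user matches the
# mapping, 1 otherwise (the pam_selinux-not-working case described in the thread)
check_login() {
    want=$(expected_seuser "$1")
    got=$(seuser_of_context "$2")
    if [ "$want" = "$got" ]; then
        printf 'ok: %s runs as %s\n' "$1" "$2"
        return 0
    fi
    printf 'MISMATCH: %s is mapped to %s but the session context is %s; check pam_selinux in /etc/pam.d/login\n' \
        "$1" "$want" "$2" >&2
    return 1
}

# Usage on a live system, as the logged-in user: check_login "$(id -un)" "$(id -Z)"
```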