2009-08-12 09:26:02

by harrytaurus2002

Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210


Hi all,

I've got some more questions about refpolicy-20081210 with MLS enabled. The
machine is i686 32-bit and I am logging in through a serial console
which in turn is mapped to the system console.

I have created a staff_u user named "harry" and set up his home directory
properly; why is the /home/harry/ directory labeled as "user_u" rather than
"staff_u"?

The more interesting thing is, I could log harry in by ssh either from
localhost or from another remote machine; harry could log in with
the "staff_u:staff_r:staff_t" context properly. However, I am unable to
log in as harry locally at the login prompt with the default staff_r role;
the mingetty program seems to have exited abnormally, but the screen
flashed too quickly to catch any error messages.

BTW, an unprivileged user mapped to user_u could log in with the default user_u
at the login prompt.

Moreover, if harry picks a role other than staff_r, say sysadm_r, then
he can log in locally at the login prompt, but sysadm_r would fail to
newrole to staff_r although newrole seems to have exited uneventfully.

Details are logged below; any comments are greatly appreciated!

Best regards,

Harry

---

1. Why is /home/harry labeled as "user_u" rather than "staff_u"?
[root/sysadm_r/s0 at d610-2 ~]# tty
/dev/console
[root/sysadm_r/s0 at d610-2 ~]# ls -Z `tty`
crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
[root/sysadm_r/s0 at d610-2 ~]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0
harry staff_u s0-s15:c0.c255
root root s0-s15:c0.c255
system_u system_u s0-s15:c0.c255
[root/sysadm_r/s0 at d610-2 ~]# ssh harry at localhost
Password:
Last login: Wed Aug 12 20:23:00 2009 from localhost

harry at d610-2:~$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c255
harry at d610-2:~$ ls -Z /home | grep harry
drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
harry at d610-2:~$

2. Why can't the staff user log in locally with the default staff_r?
d610-2 login: harry
Password:
Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255

Would you like to enter a different role or level? [n] y
role: [staff_r] sysadm_r
level: [s0-s15:c0.c255]
Last login: Wed Aug 12 23:54:24 on console

harry at d610-2:~$ id -Z
staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
harry at d610-2:~$ newrole -r staff_r
Password: # newrole didn't fail, but
harry at d610-2:~$ id -Z # role remained as sysadm_r
staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
harry at d610-2:~$ newrole -r secadm_r
Password:
harry at d610-2:~$ id -Z
staff_u:secadm_r:secadm_t:s0-s15:c0.c255
harry at d610-2:~$



2009-08-12 12:55:04

by cpebenito

Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210

On Wed, 2009-08-12 at 09:26 +0000, TaurusHarry wrote:
> I've got some more questions about refpolicy-20081210 with MLS enabled,
> the machine is i686 32-bit and I am logging in through serial console
> which in turn is mapped to the system console.
>
> I have created a staff_u user named "harry" and set up his home directory
> properly, why /home/harry/ directory is labeled as "user_u" rather than
> "staff_u"?

What do you mean by "set up his home directory"? How is the directory
labeled after a restorecon?

> The more interesting thing is, I could log harry in by ssh either from
> localhost or from another remote machine, harry could log in with
> the "staff_u:staff_r:staff_t" context properly. However, I am unable to
> log in with harry locally at the login prompt with the default staff_r role,
> the mingetty program seems to have exited abnormally, but the screen has
> flashed too quickly to catch up any error messages.

Are you still using packages you compiled yourself? Does your
pam-selinux use getseuserbyname?

> BTW, unprivileged user mapped to user_u could log in with default user_u
> at the login prompt.

That sounds correct to me; mapping a Linux user to user_u means they
should log in as user_u.

> Moreover, if harry picks up other roles than staff_r, say sysadm_r, then
> it can log in locally at the login prompt, and sysadm_r would fail to
> newrole to staff_r although newrole seems to have exited uneventfully.

Not clear why this is happening; the policy certainly allows this.

[...]
> 1, why /home/harry labeled as "user_u" rather than "staff_u"?
> [root/sysadm_r/s0 at d610-2 ~]# tty
> /dev/console
> [root/sysadm_r/s0 at d610-2 ~]# ls -Z `tty`
> crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
> [root/sysadm_r/s0 at d610-2 ~]# semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ user_u s0
> harry staff_u s0-s15:c0.c255
> root root s0-s15:c0.c255
> system_u system_u s0-s15:c0.c255
> [root/sysadm_r/s0 at d610-2 ~]# ssh harry at localhost
> Password:
> Last login: Wed Aug 12 20:23:00 2009 from localhost
>
> harry at d610-2:~$ id -Z
> staff_u:staff_r:staff_t:s0-s15:c0.c255
> harry at d610-2:~$ ls -Z /home | grep harry
> drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
> harry at d610-2:~$
>
> 2, why the staff user can't locally login with the default staff_r?
> d610-2 login: harry
> Password:
> Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255
>
> Would you like to enter a different role or level? [n] y
> role: [staff_r] sysadm_r
> level: [s0-s15:c0.c255]
> Last login: Wed Aug 12 23:54:24 on console
>
> harry at d610-2:~$ id -Z
> staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> harry at d610-2:~$ newrole -r staff_r
> Password: # newrole didn't fail, but
> harry at d610-2:~$ id -Z # role remained as sysadm_r
> staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> harry at d610-2:~$ newrole -r secadm_r
> Password:
> harry at d610-2:~$ id -Z
> staff_u:secadm_r:secadm_t:s0-s15:c0.c255
> harry at d610-2:~$

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-08-13 07:41:06

by harrytaurus2002

Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210


Hi Chris,

I've made a mistake: the staff_u user "harry"'s home directory has indeed been labeled as "staff_u" after genhomedircon and restorecon, and newly created files or directories are labeled as "staff_u" too:

harry at d610-2:~$ ls -Z /home | grep harry
drwx------ harry harry staff_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
harry at d610-2:~$ ls -Z
-rw-r--r-- harry harry system_u:object_r:user_home_t:s0 3
harry at d610-2:~$ touch 1
harry at d610-2:~$ mkdir 2
harry at d610-2:~$ ls -Z
-rw-r--r-- harry harry staff_u:object_r:user_home_t:s0 1
drwxr-xr-x harry harry staff_u:object_r:user_home_t:s0 2
harry at d610-2:~$

I think the security contexts for /home/harry/* are correct. However, the problem persists that logging harry in locally at the login prompt fails with the default role of staff_r. The fact that assuming roles other than staff_r logs in successfully makes me wonder whether staff_t may lack necessary permissions during login; then I found the AVC denied messages below in the audit log:

[root/auditadm_r/s15:c0.c255 at d610-2 ~]# ausearch -su staff_u:staff_r:staff_t:s0-s15:c0.c255 -c bash -f /dev/console
----
time->Thu Aug 13 17:42:25 2009
type=SYSCALL msg=audit(1250185345.048:1115): arch=40000003 syscall=11 success=yes exit=0 a0=8056528 a1=bfffd4d8 a2=8057fc0 a3=bfffd4ff items=0 ppid=3755 pid=3762 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=156 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" name="console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
[root/auditadm_r/s15:c0.c255 at d610-2 ~]#

The above messages seem to prove my guess that staff_t just doesn't have enough permissions on the system console; after I modified staff.te to add a call to the term_use_console() interface for staff_t, the staff user "harry" could finally log in locally with the default staff_r role.

What are your comments on this? Thanks!

Best regards,

Harry


> Subject: Re: [refpolicy] Questions about the staff_u user in refpolicy-20081210
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss.tresys.com
> Date: Wed, 12 Aug 2009 08:55:04 -0400
>
> On Wed, 2009-08-12 at 09:26 +0000, TaurusHarry wrote:
> > I've got some more questions about refpolicy-20081210 with MLS enabled,
> > the machine is i686 32-bit and I am logging in through serial console
> > which in turn is mapped to the system console.
> >
> > I have created a staff_u user named "harry" and set up his home directory
> > properly, why /home/harry/ directory is labeled as "user_u" rather than
> > "staff_u"?
>
> What do you mean by "set up his home directory"? How is the directory
> labeled after a restorecon?
>
> > The more interesting thing is, I could log harry in by ssh either from
> > localhost or from another remote machine, harry could log in with
> > the "staff_u:staff_r:staff_t" context properly. However, I am unable to
> > log in with harry locally at the login prompt with the default staff_r role,
> > the mingetty program seems to have exited abnormally, but the screen has
> > flashed too quickly to catch up any error messages.
>
> Are you still using packages you compiled yourself? Does your
> pam-selinux use getseuserbyname?
>
> > BTW, unprivileged user mapped to user_u could log in with default user_u
> > at the login prompt.
>
> That sounds correct to me; mapping a linux user to user_u means they
> should log in as user_u.
>
> > Moreover, if harry picks up other roles than staff_r, say sysadm_r, then
> > it can log in locally at the login prompt, and sysadm_r would fail to
> > newrole to staff_r although newrole seems to have exited uneventfully.
>
> Not clear why this is happening; the policy certainly allows this.
>
> [...]
> > 1, why /home/harry labeled as "user_u" rather than "staff_u"?
> > [root/sysadm_r/s0 at d610-2 ~]# tty
> > /dev/console
> > [root/sysadm_r/s0 at d610-2 ~]# ls -Z `tty`
> > crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
> > [root/sysadm_r/s0 at d610-2 ~]# semanage login -l
> >
> > Login Name SELinux User MLS/MCS Range
> >
> > __default__ user_u s0
> > harry staff_u s0-s15:c0.c255
> > root root s0-s15:c0.c255
> > system_u system_u s0-s15:c0.c255
> > [root/sysadm_r/s0 at d610-2 ~]# ssh harry at localhost
> > Password:
> > Last login: Wed Aug 12 20:23:00 2009 from localhost
> >
> > harry at d610-2:~$ id -Z
> > staff_u:staff_r:staff_t:s0-s15:c0.c255
> > harry at d610-2:~$ ls -Z /home | grep harry
> > drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
> > harry at d610-2:~$
> >
> > 2, why the staff user can't locally login with the default staff_r?
> > d610-2 login: harry
> > Password:
> > Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255
> >
> > Would you like to enter a different role or level? [n] y
> > role: [staff_r] sysadm_r
> > level: [s0-s15:c0.c255]
> > Last login: Wed Aug 12 23:54:24 on console
> >
> > harry at d610-2:~$ id -Z
> > staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> > harry at d610-2:~$ newrole -r staff_r
> > Password: # newrole didn't fail, but
> > harry at d610-2:~$ id -Z # role remained as sysadm_r
> > staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> > harry at d610-2:~$ newrole -r secadm_r
> > Password:
> > harry at d610-2:~$ id -Z
> > staff_u:secadm_r:secadm_t:s0-s15:c0.c255
> > harry at d610-2:~$
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

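As an added example (not code from the thread or from refpolicy), a small Python triage script that parses AVC records like the ones quoted above, collapses the repeated denials into one line, and prints the raw allow rule beside the refpolicy interface call that resolved it in the thread. The sample audit lines are constructed from the records above, and the interface table is an assumption holding only the term_use_console() mapping this thread established.

```python
import re
from collections import Counter

# Constructed sample: the SYSCALL record and three of the AVC records quoted
# in the thread (two identical path= lines, one name= line).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1250185345.048:1115): arch=40000003 syscall=11 success=yes exit=0 pid=3762 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" name="console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
"""
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# (target type, object class) -> refpolicy interface. Assumed table; its one
# entry is the fix reported in the thread. Extend it from your own policy.
INTERFACES = {("console_device_t", "chr_file"): "term_use_console"}

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # a context is user:role:type[:range]; index 2 is the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(audit_text):
    """Collapse repeated denials into (stype, ttype, tclass, perms) -> count."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def raw_rule(key):
    """Raw allow rule for one summarized denial (what audit2allow would emit)."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"

def suggest(key):
    """Prefer the interface call when one is known; fall back to the raw rule."""
    iface = INTERFACES.get((key[1], key[2]))
    return f"{iface}({key[0]})" if iface else raw_rule(key)
```

Running `summarize(SAMPLE_AUDIT)` and passing each key to `raw_rule` and `suggest` turns the three repeated records into a single `allow staff_t console_device_t:chr_file { read write };` with `term_use_console(staff_t)` as the interface to call from staff.te instead of the raw rule.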

2009-08-14 17:05:18

by cpebenito

Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210

On Thu, 2009-08-13 at 07:41 +0000, TaurusHarry wrote:
> this problem persists that local log harry in at the login prompt
> will fail with the default role of staff_r. The fact that assuming
> other roles than staff_r would successfully login makes me wonder that
> staff_t may lack necessary permission during login, then I found
> below AVC denied messages from the audit log:
[...]
> type=AVC msg=audit(1250185345.048:1115): avc: denied { read write }
> for pid=3762 comm="bash" name="console" dev=sda1 ino=8356
> scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255
> tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
> [root/auditadm_r/s15:c0.c255 at d610-2 ~]#
>
> The above messages seem to be able to prove my guess that staff_t just
> has no enough permissions to the system console, and after I modified
> staff.te adding the call of term_use_console() interface for staff_t,
> the staff user "harry" could finally local log in with the default
> staff_r role.

I mentioned this before; there is a Fedora patch for logging in at the
console which needs to be reevaluated for refpolicy inclusion.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150