From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 12 Aug 2009 08:55:04 -0400
Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210
In-Reply-To:
References:
Message-ID: <1250081706.27712.46.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-08-12 at 09:26 +0000, TaurusHarry wrote:
> I've got some more questions about refpolicy-20081210 with MLS enabled.
> The machine is i686 32-bit and I am logging in through a serial console
> which in turn is mapped to the system console.
>
> I have created a staff_u user named "harry" and set up his home directory
> properly. Why is the /home/harry/ directory labeled as "user_u" rather than
> "staff_u"?

What do you mean by "set up his home directory"?  How is the directory
labeled after a restorecon?

> The more interesting thing is, I could log harry in by ssh either from
> localhost or from another remote machine; harry could log in with
> the "staff_u:staff_r:staff_t" context properly.  However, I am unable to
> log in as harry locally at the login prompt with the default staff_r role.
> The mingetty program seems to have exited abnormally, but the screen
> flashed too quickly to catch any error messages.

Are you still using packages you compiled yourself?  Does your
pam-selinux use getseuserbyname?

> BTW, an unprivileged user mapped to user_u could log in with the default
> user_u at the login prompt.

That sounds correct to me; mapping a linux user to user_u means they
should log in as user_u.

> Moreover, if harry picks a role other than staff_r, say sysadm_r, then
> he can log in locally at the login prompt, and sysadm_r would fail to
> newrole to staff_r although newrole seems to have exited uneventfully.

Not clear why this is happening; the policy certainly allows this.

[...]

> 1, why is /home/harry labeled as "user_u" rather than "staff_u"?
> [root/sysadm_r/s0@d610-2 ~]# tty
> /dev/console
> [root/sysadm_r/s0@d610-2 ~]# ls -Z `tty`
> crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
> [root/sysadm_r/s0@d610-2 ~]# semanage login -l
>
> Login Name    SELinux User    MLS/MCS Range
>
> __default__   user_u          s0
> harry         staff_u         s0-s15:c0.c255
> root          root            s0-s15:c0.c255
> system_u      system_u        s0-s15:c0.c255
> [root/sysadm_r/s0@d610-2 ~]# ssh harry@localhost
> Password:
> Last login: Wed Aug 12 20:23:00 2009 from localhost
>
> harry@d610-2:~$ id -Z
> staff_u:staff_r:staff_t:s0-s15:c0.c255
> harry@d610-2:~$ ls -Z /home | grep harry
> drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
> harry@d610-2:~$
>
> 2, why can't the staff user log in locally with the default staff_r?
> d610-2 login: harry
> Password:
> Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255
>
> Would you like to enter a different role or level? [n] y
> role: [staff_r] sysadm_r
> level: [s0-s15:c0.c255]
> Last login: Wed Aug 12 23:54:24 on console
>
> harry@d610-2:~$ id -Z
> staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> harry@d610-2:~$ newrole -r staff_r
> Password:                                    # newrole didn't fail, but
> harry@d610-2:~$ id -Z                        # role remained as sysadm_r
> staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> harry@d610-2:~$ newrole -r secadm_r
> Password:
> harry@d610-2:~$ id -Z
> staff_u:secadm_r:secadm_t:s0-s15:c0.c255
> harry@d610-2:~$

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
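An added check for the first question (example script, not part of this thread or of refpolicy): it compares the SELinux user that `semanage login -l` maps a login to against the SELinux user field in that login's home directory label, so a stale label like the user_u one on /home/harry above shows up as a mismatch. The two samples are constructed here to mirror the output quoted above; on a live system they would be replaced by the real command output, and a reported mismatch is what the restorecon Chris asks about would be expected to clear once the login mapping is in place.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (not captured from a live system).
SEMANAGE_LOGIN_SAMPLE='Login Name SELinux User MLS/MCS Range
__default__ user_u s0
harry staff_u s0-s15:c0.c255
root root s0-s15:c0.c255
system_u system_u s0-s15:c0.c255'

# Constructed sample of `ls -Z /home` output in the same field layout as above:
# mode owner group context name. "alice" is a hypothetical login with a correct label.
LS_Z_HOME_SAMPLE='drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
drwxr-xr-x alice alice user_u:object_r:user_home_dir_t:s0 alice'

# seuser_for_login LOGIN: print the SELinux user mapped to LOGIN,
# falling back to the __default__ mapping when LOGIN has no explicit entry.
seuser_for_login() {
    _hit=$(printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk -v l="$1" '$1 == l { print $2 }')
    if [ -z "$_hit" ]; then
        _hit=$(printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk '$1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$_hit"
}

# home_seuser LOGIN: print the SELinux user (first field of the context)
# on the /home entry whose name is LOGIN; empty if there is no such directory.
home_seuser() {
    printf '%s\n' "$LS_Z_HOME_SAMPLE" | awk -v l="$1" '$NF == l { split($4, c, ":"); print c[1] }'
}

# check_home_label LOGIN: print "ok" when the home directory label carries the
# mapped SELinux user, otherwise "mismatch expected=<mapped> actual=<labelled>".
check_home_label() {
    _want=$(seuser_for_login "$1")
    _have=$(home_seuser "$1")
    if [ "$_want" = "$_have" ]; then
        printf 'ok\n'
    else
        printf 'mismatch expected=%s actual=%s\n' "$_want" "$_have"
    fi
}

# Walk every directory in the sample and report each login's status.
for _login in $(printf '%s\n' "$LS_Z_HOME_SAMPLE" | awk '{ print $NF }'); do
    printf '%s: %s\n' "$_login" "$(check_home_label "$_login")"
done
```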