From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Thu, 13 Aug 2009 07:41:06 +0000
Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210
In-Reply-To: <1250081706.27712.46.camel@gorn>
References: <1250081706.27712.46.camel@gorn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris,

I've made a mistake: the staff_u user "harry"'s home directory has indeed been labeled as "staff_u" after genhomedircon and restorecon, and newly created files or directories are labeled as "staff_u" too:

harry at d610-2:~$ ls -Z /home | grep harry
drwx------  harry harry staff_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
harry at d610-2:~$ ls -Z
-rw-r--r--  harry harry system_u:object_r:user_home_t:s0 3
harry at d610-2:~$ touch 1
harry at d610-2:~$ mkdir 2
harry at d610-2:~$ ls -Z
-rw-r--r--  harry harry staff_u:object_r:user_home_t:s0 1
drwxr-xr-x  harry harry staff_u:object_r:user_home_t:s0 2
harry at d610-2:~$

I think the security contexts for /home/harry/* are correct. However, the problem persists that logging harry in locally at the login prompt fails with the default role of staff_r.
The fact that assuming roles other than staff_r logs in successfully makes me wonder whether staff_t lacks some necessary permission during login; then I found the AVC denied messages below in the audit log:

[root/auditadm_r/s15:c0.c255 at d610-2 ~]# ausearch -su staff_u:staff_r:staff_t:s0-s15:c0.c255 -c bash -f /dev/console
----
time->Thu Aug 13 17:42:25 2009
type=SYSCALL msg=audit(1250185345.048:1115): arch=40000003 syscall=11 success=yes exit=0 a0=8056528 a1=bfffd4d8 a2=8057fc0 a3=bfffd4ff items=0 ppid=3755 pid=3762 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=156 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" name="console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
[root/auditadm_r/s15:c0.c255 at d610-2 ~]#

The above messages seem to prove my guess that staff_t simply does not have enough permissions on the system console, and after I modified staff.te to add a call to the term_use_console() interface for staff_t, the staff user "harry" could finally log in locally with the default staff_r role.
What are your comments on this? Thanks!

Best regards,
Harry

> Subject: Re: [refpolicy] Questions about the staff_u user in refpolicy-20081210
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss.tresys.com
> Date: Wed, 12 Aug 2009 08:55:04 -0400
>
> On Wed, 2009-08-12 at 09:26 +0000, TaurusHarry wrote:
> > I've got some more questions about refpolicy-20081210 with MLS enabled;
> > the machine is i686 32-bit and I am logging in through a serial console
> > which in turn is mapped to the system console.
> >
> > I have created a staff_u user named "harry" and set up his home directory
> > properly; why is the /home/harry/ directory labeled as "user_u" rather than
> > "staff_u"?
>
> What do you mean by "set up his home directory"? How is the directory
> labeled after a restorecon?
>
> > The more interesting thing is, I could log harry in by ssh either from
> > localhost or from another remote machine; harry could log in with
> > the "staff_u:staff_r:staff_t" context properly. However, I am unable to
> > log in with harry locally at the login prompt with the default staff_r role;
> > the mingetty program seems to have exited abnormally, but the screen
> > flashed too quickly to catch any error messages.
>
> Are you still using packages you compiled yourself? Does your
> pam-selinux use getseuserbyname?
>
> > BTW, an unprivileged user mapped to user_u could log in with the default user_u
> > at the login prompt.
>
> That sounds correct to me; mapping a linux user to user_u means they
> should log in as user_u.
>
> > Moreover, if harry picks a role other than staff_r, say sysadm_r, then
> > it can log in locally at the login prompt, and sysadm_r would fail to
> > newrole to staff_r although newrole seems to have exited uneventfully.
>
> Not clear why this is happening; the policy certainly allows this.
>
> [...]
>
> > 1, why is /home/harry labeled as "user_u" rather than "staff_u"?
> > [root/sysadm_r/s0 at d610-2 ~]# tty
> > /dev/console
> > [root/sysadm_r/s0 at d610-2 ~]# ls -Z `tty`
> > crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
> > [root/sysadm_r/s0 at d610-2 ~]# semanage login -l
> >
> > Login Name                SELinux User              MLS/MCS Range
> >
> > __default__               user_u                    s0
> > harry                     staff_u                   s0-s15:c0.c255
> > root                      root                      s0-s15:c0.c255
> > system_u                  system_u                  s0-s15:c0.c255
> > [root/sysadm_r/s0 at d610-2 ~]# ssh harry at localhost
> > Password:
> > Last login: Wed Aug 12 20:23:00 2009 from localhost
> >
> > harry at d610-2:~$ id -Z
> > staff_u:staff_r:staff_t:s0-s15:c0.c255
> > harry at d610-2:~$ ls -Z /home | grep harry
> > drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
> > harry at d610-2:~$
> >
> > 2, why can't the staff user log in locally with the default staff_r?
> > d610-2 login: harry
> > Password:
> > Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255
> >
> > Would you like to enter a different role or level? [n] y
> > role: [staff_r] sysadm_r
> > level: [s0-s15:c0.c255]
> > Last login: Wed Aug 12 23:54:24 on console
> >
> > harry at d610-2:~$ id -Z
> > staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> > harry at d610-2:~$ newrole -r staff_r
> > Password:                 # newrole didn't fail, but
> > harry at d610-2:~$ id -Z    # role remained as sysadm_r
> > staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
> > harry at d610-2:~$ newrole -r secadm_r
> > Password:
> > harry at d610-2:~$ id -Z
> > staff_u:secadm_r:secadm_t:s0-s15:c0.c255
> > harry at d610-2:~$
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
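An added example, not part of Harry's mail or of refpolicy, that parses ausearch output of the form quoted above, collapses the repeated AVC records of one audit event into a single denial, and renders the raw allow rule the denial implies (what audit2allow would print); in refpolicy the idiomatic fix is the interface call Harry made, term_use_console(), rather than a raw rule in staff.te. The audit text is constructed from the records quoted in the mail.

```python
import re

# Constructed sample in the format of the ausearch output quoted in the thread:
# one SYSCALL record plus several AVC records sharing audit serial 1115.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1250185345.048:1115): arch=40000003 syscall=11 success=yes exit=0 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" path="/dev/console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } for pid=3762 comm="bash" name="console" dev=sda1 ino=8356 scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
"""

# Matches the fields of a kernel AVC record as printed by ausearch/auditd.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (third colon-separated part) of a security context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield one dict per AVC record found in audit/ausearch output; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = tuple(sorted(rec["perms"].split()))
            yield rec

def summarize(text):
    """Collapse AVC records into unique (source type, target type, class, perms) keys with a count each."""
    summary = {}
    for rec in parse_avc(text):
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"], rec["perms"])
        summary[key] = summary.get(key, 0) + 1
    return summary

def allow_rule(key):
    """Render a summary key as the raw policy rule that would satisfy the denial."""
    stype, ttype, tclass, perms = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).items():
        print("%dx %s" % (n, allow_rule(key)))
```

The printed rule is the minimal access; checking which refpolicy interface already grants it (here term_use_console()) keeps staff.te consistent with the rest of the policy.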