[DSE-User] mapping of linux users to selinux users fails on login
Philip Tricca
phil at noggle.biz
Mon Nov 5 17:22:26 UTC 2007
All,
I'm setting up a new lenny system with enforcing policy and my mapping
of Linux users to SELinux users is failing on user login. There's
excellent documentation from Gentoo on using semanage to map logins
appropriately and I'm following this from here:
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4
For policy development I want a regular user (call him bob) that's in
the staff_r and sysadm_r roles so that I can be in an unprivileged role
when modifying policy files and in the sysadm_r role when I need to load
policy / relabel files. I've set this up previously on Fedora and
Debian systems by using semanage like so:
semanage login -a -s staff_u bob
restorecon /home/bob
Currently this appears to update the selinux data store correctly
(semanage login -l output looks right) and bob's homedir is relabeled
correctly (staff_u:object_r:staff_home_dir_t) however when bob logs in
he is still in the default user_u:user_r:user_t domain and not in the
expected staff_u:staff_r:staff_t domain.
I have set up the /etc/pam.d/login file as per the selinux wiki and
receive no avc messages beyond the expected denials from having a shell
starting in user_t attempting to access files from a homedir labeled
staff_t.
I'm at a bit of a loss as to where to start looking for the problem as
everything seems to work correctly up to the transition done by login
(but that's just me guessing based on my observations noted above). I
had done exactly this on a lenny system (strict) not too long ago.
Either I've forgotten a necessary step or something has broken (I'm hoping
it's not the latter).
Any suggestions would be much appreciated.
- Philip
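A small diagnostic, added here as an example and not part of the original post, that walks the chain the post describes: the login mapping in the SELinux store (`semanage login -l`), the pam_selinux session lines in /etc/pam.d/login, and the context the user's shell actually ends up in (`id -Z`). All three inputs below are constructed samples that reproduce the symptom in the post (bob mapped to staff_u but running as user_u:user_r:user_t); on a live system you would feed it the real command outputs instead. The function names and the exact header layout of the semanage output are assumptions.

```python
"""Diagnose a Linux-user -> SELinux-user mapping that is not applied at login.

Added example (not code from the original mailing-list post). It parses the
text output of `semanage login -l`, the contents of /etc/pam.d/login and the
output of `id -Z`, and reports which link in the chain is missing. Every
sample string below is constructed for the example.
"""

# Constructed sample of `semanage login -l` output (reference-policy style).
SEMANAGE_LOGIN_L = """\
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
bob                       staff_u                   s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023
"""

# Constructed /etc/pam.d/login that lacks the pam_selinux session lines.
PAM_LOGIN_MISSING = """\
auth       requisite  pam_securetty.so
auth       include    common-auth
account    include    common-account
session    include    common-session
"""

# Same file with the pam_selinux lines that the login program needs in order
# to set the user's SELinux context for the shell it spawns.
PAM_LOGIN_OK = PAM_LOGIN_MISSING + """\
session    required   pam_selinux.so close
session    required   pam_selinux.so open
"""

# Constructed `id -Z` output for bob after login, wrong and right.
ID_Z_WRONG = "user_u:user_r:user_t"
ID_Z_OK = "staff_u:staff_r:staff_t"


def parse_login_map(text):
    """Return {login_name: selinux_user} from `semanage login -l` output."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Login":  # header or blank line
            continue
        mapping[parts[0]] = parts[1]
    return mapping


def pam_selinux_configured(pam_text):
    """True if pam_selinux.so is loaded as a session module for both close and open."""
    found = set()
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "session" and parts[2] == "pam_selinux.so":
            # A bare pam_selinux.so line (no argument) behaves as "open".
            found.add(parts[3] if len(parts) > 3 else "open")
    return {"close", "open"} <= found


def diagnose(user, semanage_out, pam_text, id_z_out):
    """Return a list of findings explaining why `user` is not in the mapped domain.

    An empty list means the mapping is applied and nothing else needs checking.
    """
    findings = []
    mapping = parse_login_map(semanage_out)
    seuser = mapping.get(user, mapping.get("__default__"))
    actual_seuser = id_z_out.split(":")[0]
    if user not in mapping:
        findings.append("no explicit login mapping for %s; falls back to __default__ (%s)"
                        % (user, seuser))
    if actual_seuser == seuser:
        return findings
    findings.append("%s is mapped to %s but the shell runs as %s" % (user, seuser, id_z_out))
    if not pam_selinux_configured(pam_text):
        findings.append("/etc/pam.d/login has no 'session ... pam_selinux.so close/open' "
                        "lines, so login never sets the user's context")
    else:
        findings.append("pam_selinux is configured; next look for AVC denials from the login "
                        "program when it sets the exec context, and confirm %s exists in "
                        "'semanage user -l'" % seuser)
    return findings


if __name__ == "__main__":
    for f in diagnose("bob", SEMANAGE_LOGIN_L, PAM_LOGIN_MISSING, ID_Z_WRONG):
        print("-", f)
```

On a real host the three inputs come from `semanage login -l`, `cat /etc/pam.d/login` and `id -Z` run as the affected user; the order of checks mirrors where the post's observations stop, since a correct mapping and a correctly relabeled home directory leave the login program's PAM stack as the first remaining place where the context assignment can silently not happen.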