SELinux: creating a per-user confined domain


by Roberto Sassu-2

Hello all

I'm new to SELinux. I'm trying to create per-user domains in a system running
Fedora 11 with the targeted policy enabled. The reason for that is that I need
to create transitions to different domains when users start the same
application.
I followed these steps:
- wrote my custom policy module (posted as attachment) in order to create new
roles user1_r, user2_r with the default domains user1_t and user2_t;
- added to the system new SELinux users user1_u and user2_u;
- added to the system the new Linux users user1 and user2;
- associated user1 with user1_u and user2 with user2_u;
- labeled home directories respectively with types user1_home_t and
user2_home_t;
- created the two files user1_u and user2_u in
/etc/selinux/targeted/contexts/users;

Then I tried to connect locally to the ssh server from root to user1, but
it rejected the connection with these log messages (but no AVC warnings):

Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port 53163 ssh2
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation failed
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get valid context for user1
Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session(): Authentication failure
Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

When I put the system in permissive mode, the connection was successful, but the
security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
Any suggestions? Thanks in advance.



policy_module(usermod,1.0.0)


userdom_base_user_template(user1)
userdom_base_user_template(user2)


access_to_home(user1)
access_to_home(user2)


## <summary></summary>

interface(`access_to_home',`
        require {
                type home_root_t;
                type local_login_t, fs_t, proc_t, sshd_t;
        }

        type $1_home_t;

        type_transition $1_t $1_home_t:{file dir} $1_home_t;

        allow local_login_t $1_home_t:dir search;
        allow $1_t $1_home_t:dir { write search read create open getattr add_name };
        allow $1_t $1_home_t:file { read write create open getattr append };
        allow $1_t home_root_t:dir { search read open getattr };
        allow $1_home_t fs_t:filesystem associate;
        allow $1_t proc_t:file { read open };
        allow sshd_t $1_home_t:dir search;
')


/home/user1(/.*)? gen_context(user1_u:object_r:user1_home_t,s0)
/home/user2(/.*)? gen_context(user2_u:object_r:user2_home_t,s0)


                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user1_u         user1      s0         s0                             user1_r
user2_u         user2      s0         s0                             user2_r
user4           user       s0         s0                             user_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r


Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023          
root                      unconfined_u              s0-s0:c0.c1023          
system_u                  system_u                  s0-s0:c0.c1023          
test1                     user_u                    s0                      
user1                     user1_u                   s0                      
user2                     user2_u                   s0                      
user4                     user_u                    s0                      

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: SELinux: creating a per-user confined domain

by Dominick Grift

On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:

> Hello all
>
> i'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that i need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - written my custom policy module(posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then i tried to connect in local to the ssh server from root to the user1 but
> it rejected the connection with this log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> If putting the system in permissive mode the connection was successful but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
>

> policy_module(usermod,1.0.0)
>
>
> userdom_base_user_template(user1)
> userdom_base_user_template(user2)
>
>
> access_to_home(user1)
> access_to_home(user2)
>

> ## <summary></summary>
>
> interface(`access_to_home',`
> require {
> type home_root_t;
> type local_login_t, fs_t, proc_t, sshd_t;
> }
>
> type $1_home_t;
>
> type_transition $1_t $1_home_t:{file dir} $1_home_t;
>
> allow local_login_t $1_home_t:dir search;
> allow $1_t $1_home_t:dir { write search read create open getattr add_name };
> allow $1_t $1_home_t:file { read write create open getattr append };
> allow $1_t home_root_t:dir { search read open getattr };
> allow $1_home_t fs_t:filesystem associate;
> allow $1_t proc_t:file { read open };
> allow sshd_t $1_home_t:dir search;
> ')
>

> /home/user1(/.*)? gen_context(user1_u:object_r:user1_home_t,s0)
> /home/user2(/.*)? gen_context(user2_u:object_r:user2_home_t,s0)

>
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
> user1_u         user1      s0         s0                             user1_r
> user2_u         user2      s0         s0                             user2_r
> user4           user       s0         s0                             user_r
> user_u          user       s0         s0-s0:c0.c1023                 user_r
> xguest_u        user       s0         s0                             xguest_r

>
> Login Name                SELinux User              MLS/MCS Range            
>
> __default__               unconfined_u              s0-s0:c0.c1023          
> root                      unconfined_u              s0-s0:c0.c1023          
> system_u                  system_u                  s0-s0:c0.c1023          
> test1                     user_u                    s0                      
> user1                     user1_u                   s0                      
> user2                     user2_u                   s0                      
> user4                     user_u                    s0                      

My first thought is that there may be errors in the /etc/selinux/targeted/contexts/users/user{1_u,2_u} files.
My second thought is that it may have to do with your exotic home dir solution. I would not do that because it may require lots of policy and the results may not be so beneficial.


Re: SELinux: creating a per-user confined domain

by Dominick Grift

On Tue, Sep 15, 2009 at 03:57:45PM +0200, Roberto Sassu wrote:

> Hello all
>
> i'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that i need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - written my custom policy module(posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then i tried to connect in local to the ssh server from root to the user1 but
> it rejected the connection with this log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> If putting the system in permissive mode the connection was successful but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
>

> policy_module(usermod,1.0.0)
>
>
> userdom_base_user_template(user1)
> userdom_base_user_template(user2)
>
>
> access_to_home(user1)
> access_to_home(user2)
>

> ## <summary></summary>
>
> interface(`access_to_home',`
> require {
> type home_root_t;
> type local_login_t, fs_t, proc_t, sshd_t;
> }
>
> type $1_home_t;
>
> type_transition $1_t $1_home_t:{file dir} $1_home_t;
>
> allow local_login_t $1_home_t:dir search;
> allow $1_t $1_home_t:dir { write search read create open getattr add_name };
> allow $1_t $1_home_t:file { read write create open getattr append };
> allow $1_t home_root_t:dir { search read open getattr };
> allow $1_home_t fs_t:filesystem associate;
> allow $1_t proc_t:file { read open };
> allow sshd_t $1_home_t:dir search;
> ')
>

> /home/user1(/.*)? gen_context(user1_u:object_r:user1_home_t,s0)
> /home/user2(/.*)? gen_context(user2_u:object_r:user2_home_t,s0)

>
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
> user1_u         user1      s0         s0                             user1_r
> user2_u         user2      s0         s0                             user2_r
> user4           user       s0         s0                             user_r
> user_u          user       s0         s0-s0:c0.c1023                 user_r
> xguest_u        user       s0         s0                             xguest_r

>
> Login Name                SELinux User              MLS/MCS Range            
>
> __default__               unconfined_u              s0-s0:c0.c1023          
> root                      unconfined_u              s0-s0:c0.c1023          
> system_u                  system_u                  s0-s0:c0.c1023          
> test1                     user_u                    s0                      
> user1                     user1_u                   s0                      
> user2                     user2_u                   s0                      
> user4                     user_u                    s0                      

Oh, and the userdom template you are using does not have all the permissions for a login user, I believe.
I would just base it on the current user_u policy, so probably: userdom_unpriv_user_template()

Also, if you do not see AVC denials, try: semodule -DB / -B to show/hide silenced denials
Also keep an eye on messages for DBUS denials.


Re: SELinux: creating a per-user confined domain

by Daniel J Walsh

On 09/15/2009 09:57 AM, Roberto Sassu wrote:

> Hello all
>
> i'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that i need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - written my custom policy module(posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then i tried to connect in local to the ssh server from root to the user1 but
> it rejected the connection with this log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> If putting the system in permissive mode the connection was successful but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
>

You probably need to create /etc/selinux/targeted/context/user1 and user2

Base these off of xguest

I am not crazy about having home content variable between users, I think this is a waste of time.  Others disagree.

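
Both replies above point at the per-user default-contexts files, such as /etc/selinux/targeted/contexts/users/user1_u, as a possible cause of "Unable to get valid context for user1". The following lint for such a file is an added example, not code from the thread or from any SELinux package: the sample file contents are constructed, and the check relies on the reference-policy naming convention (roles end in _r, types in _t). A clean result does not show that the loaded policy permits the transition into user1_t.

```sh
#!/bin/sh
# Added example: lint a per-SELinux-user default-contexts file.
# Line format: <login role:type[:range]>  <candidate role:type[:range]> ...

# check_user_contexts FILE ROLE LOGIN_TYPE   (FILE may be "-" for stdin)
# Prints one finding per line; exit status is 0 only when nothing was found.
check_user_contexts() {
    awk -v role="$2" -v login="$3" '
        # A partial context is role:type, optionally followed by an MLS range.
        function partial(ctx,   n, f) {
            n = split(ctx, f, ":")
            return (n >= 2 && f[1] ~ /_r$/ && f[2] ~ /_t$/)
        }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            if (NF < 2) { print "line " NR ": no candidate context after " $1; bad = 1; next }
            for (i = 1; i <= NF; i++)
                if (!partial($i)) { print "line " NR ": malformed context " $i; bad = 1 }
            split($1, from, ":")
            if (from[2] != login) next
            seen = 1                                 # entry for the login program exists
            for (i = 2; i <= NF; i++) {
                split($i, to, ":")
                if (to[1] == role) ok = 1
                else { print "line " NR ": candidate role " to[1] " is not " role; bad = 1 }
            }
        }
        END {
            if (!seen) { print "no entry for login domain " login; bad = 1 }
            else if (!ok) { print "entry for " login " offers no " role " context"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: one entry per login program, all leading to user1_r:user1_t.
sample_good() {
    cat <<'EOF'
# constructed sample for user1_u
system_r:local_login_t:s0   user1_r:user1_t:s0
system_r:remote_login_t:s0  user1_r:user1_t:s0
system_r:sshd_t:s0          user1_r:user1_t:s0
system_r:crond_t:s0         user1_r:user1_t:s0
user1_r:user1_t:s0          user1_r:user1_t:s0
EOF
}

# Constructed sample: no sshd_t entry, and a full context where a partial one belongs.
sample_bad() {
    cat <<'EOF'
# constructed sample with two mistakes
system_r:local_login_t:s0   user1_r:user1_t:s0
system_r:crond_t:s0         user1_u:user1_r:user1_t:s0
EOF
}

for s in sample_good sample_bad; do
    if $s | check_user_contexts - user1_r sshd_t; then
        echo "$s: ok for sshd_t -> user1_r"
    else
        echo "$s: findings listed above"
    fi
done
```

The role argument should be one the SELinux user is authorized for; in the user listing earlier in the thread, user1_u has only user1_r.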

Re: SELinux: creating a per-user confined domain

by Roberto Sassu

Thanks all for replies.
I have modified the policy by using the template userdom_unpriv_user_template() and everything is ok.
Talking about different labels for each home directory, I'm not sure, but if all user domains have access to the default type user_home_dir_t,
access control on files under /home will be based on the DAC mechanism.
My effort is focused on trying to evaluate whether it is possible with SELinux to protect files using as criteria for the access decision the combination user identity-application identity.
For example, I want to protect the user's private key, allowing access only to the program "ssh" run by the user "user1".
In my policy I created the domain "user1_t", which is set by the login program when "user1" logs in to the system. Then I called the interface ssh_basic_client_template(user1, user1_t, user1_r), which creates the derived domain user1_ssh_t at the time user1 executes the "ssh" command. The file $home/.ssh/id_rsa could be labeled with a unique label, and a specific rule can be added to allow only the user1_ssh_t domain to read the key.
Denying users the ability to set security contexts, does this policy create a separation between the ssh application and the others run by the same user?







On Tue, Sep 15, 2009 at 5:40 PM, Daniel J Walsh <dwalsh@...> wrote:
On 09/15/2009 09:57 AM, Roberto Sassu wrote:
> Hello all
>
> i'm new to SELinux. I'm trying to create per-user domains in a system running
> Fedora 11 with the targeted policy enabled. The reason for that is that i need
> to create transitions to different domains when users start the same
> application.
> I followed these steps:
> - written my custom policy module(posted as attachment) in order to create new
> roles user1_r, user2_r with the default domains user1_t and user2_t;
> - added to the system new selinux users user1_u and user2_u;
> - added to the system the new linux users user1 and user2;
> - associated user1 with user1_u and user2 with user2_u;
> - labeled home directories respectively with types user1_home_t and
> user2_home_t
> - created the two files user1_u and user2_u in
> /etc/selinux/targeted/contexts/users;
>
> Then i tried to connect in local to the ssh server from root to the user1 but
> it rejected the connection with this log messages (but no AVC warnings):
>
> Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1 port
> 53163 ssh2
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): conversation
> failed
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No response to
> query: Would you like to enter a security context? [N]
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to get
> valid context for user1
> Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session opened
> for user user1 by (uid=0)
> Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> Authentication failure
> Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> If putting the system in permissive mode the connection was successful but the
> security context after login was: system_u:system_r:unconfined_t:s0-s0:c0.c1023
> Any suggestions? Thanks in advance.
>
>

Re: SELinux: creating a per-user confined domain

by Dominick Grift

On Tue, Sep 15, 2009 at 08:30:43PM +0200, Roberto Sassu wrote:

> Thanks all for replies.
> I have modified the policy by using the template
> userdom_unpriv_user_template() and everything is ok.
> Talking about different labels for each home directory i'm not sure but if
> all users domains have access to the default type user_home_dir_t
> access control on files under /home will be based on DAC mechanism.
> My effort is focused on trying to evaluate if it is possible with SELinux to
> protect files using as criteria for access decision the combination user
> identity-application-identity.
> For example i want to protect the user's private key allowing the access
> only to the program "ssh" ran by the user "user1".
> In my policy i created the domain "user1_t" which is set by the login
> program when "user1" logs in the system. Then i called the interface
> ssh_basic_client_template(user1, user1_t, user1_r) which creates the derived
> domain user1_ssh_t at the time user1 executes the "ssh" command. The file
> $home/.ssh/id_rsa could be labeled with a unique label and a specific rule
> can be added to allow only the user1_ssh_t domain to read the key.
> Denying to users the ability to set security contexts, does this policy
> create a separation between the ssh application and the others ran by the
> same user?

Well, the UBAC model/concept keeps SELinux users' processes/objects separated, but it is not implemented in Fedora.
You could however implement similar functionality by using a per-role template, but existing domains would have to be modified.

What a per-role template does is create types derived from the user domain prefix, so $1_ssh_t, $1_ssh_home_t, and then lets you define rules like: allow $1_ssh_t $1_ssh_home_t:file read

>
>
>
>
>
>
>
> On Tue, Sep 15, 2009 at 5:40 PM, Daniel J Walsh <dwalsh@...> wrote:
>
> > On 09/15/2009 09:57 AM, Roberto Sassu wrote:
> > > Hello all
> > >
> > > i'm new to SELinux. I'm trying to create per-user domains in a system
> > running
> > > Fedora 11 with the targeted policy enabled. The reason for that is that i
> > need
> > > to create transitions to different domains when users start the same
> > > application.
> > > I followed these steps:
> > > - written my custom policy module(posted as attachment) in order to
> > create new
> > > roles user1_r, user2_r with the default domains user1_t and user2_t;
> > > - added to the system new selinux users user1_u and user2_u;
> > > - added to the system the new linux users user1 and user2;
> > > - associated user1 with user1_u and user2 with user2_u;
> > > - labeled home directories respectively with types user1_home_t and
> > > user2_home_t
> > > - created the two files user1_u and user2_u in
> > > /etc/selinux/targeted/contexts/users;
> > >
> > > Then i tried to connect in local to the ssh server from root to the user1
> > but
> > > it rejected the connection with this log messages (but no AVC warnings):
> > >
> > > Sep 15 15:39:19 seclab05 sshd[5014]: Accepted password for user1 from ::1
> > port
> > > 53163 ssh2
> > > Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session):
> > conversation
> > > failed
> > > Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): No
> > response to
> > > query: Would you like to enter a security context? [N]
> > > Sep 15 15:39:19 seclab05 sshd[5014]: pam_selinux(sshd:session): Unable to
> > get
> > > valid context for user1
> > > Sep 15 15:39:19 seclab05 sshd[5014]: pam_unix(sshd:session): session
> > opened
> > > for user user1 by (uid=0)
> > > Sep 15 15:39:19 seclab05 sshd[5014]: error: PAM: pam_open_session():
> > > Authentication failure
> > > Sep 15 15:39:19 seclab05 sshd[5014]: error: ssh_selinux_setup_pty:
> > > security_compute_relabel: Invalid argument
> > >
> > > If putting the system in permissive mode the connection was successful
> > but the
> > > security context after login was:
> > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > Any suggestions? Thanks in advance.
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> >
> > You probably need to create /etc/selinux/targeted/context/user1 and user2
> >
> > Base these off of xguest
> >
> > I am not crazy about having home content variable between users, I think
> > this is a waste of time.  Others disagree.
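
The separation discussed in the last two messages (only user1_ssh_t reading the key type) holds only if no other rule, including one written against attributes, grants the same read. The sketch below lists every type that a set of rules lets read a given type, expanding attributes. It is an added example, not code from the thread or from Fedora's policy: the rule text and the attribute names demo_userdomain and demo_home_content are constructed, and macros and the `~` and `*` set operators are not handled.

```sh
#!/bin/sh
# Added example: who gets file:read on a type, from raw allow/typeattribute lines.

# readers_of TYPE   (policy statements on stdin; prints reader types, sorted)
readers_of() {
    awk -v target="$1" '
        # Consume one name or one "{ a b }" set at token p into out; return its size.
        function take(out,   n) {
            n = 0
            if (tok[p] == "{") {
                for (p++; p <= nt && tok[p] != "}"; p++) out[++n] = tok[p]
                p++
            } else out[++n] = tok[p++]
            return n
        }
        function has(set, n, want,   i) {
            for (i = 1; i <= n; i++) if (set[i] == want) return 1
            return 0
        }
        { gsub(/[{}:;,]/, " & ") }                   # make punctuation its own token
        $1 == "typeattribute" {                      # typeattribute TYPE ATTR[, ATTR];
            for (i = 3; i <= NF; i++)
                if ($i != "," && $i != ";") member[$i, $2] = 1
            next
        }
        $1 == "allow" { rule[++nrules] = $0 }
        END {
            for (r = 1; r <= nrules; r++) {
                split("", src); split("", tgt); split("", cls); split("", perm)
                nt = split(rule[r], tok, " "); p = 2
                ns = take(src); ng = take(tgt); p++  # p++ skips the ":" token
                nc = take(cls); np = take(perm)
                if (!has(cls, nc, "file") || !has(perm, np, "read")) continue
                hit = 0
                for (i = 1; i <= ng; i++)
                    if (tgt[i] == target || ((tgt[i], target) in member)) hit = 1
                if (!hit) continue
                for (i = 1; i <= ns; i++) {
                    isattr = 0                       # an attribute source stands for its members
                    for (k in member) {
                        split(k, mk, SUBSEP)
                        if (mk[1] == src[i]) { reader[mk[2]] = 1; isattr = 1 }
                    }
                    if (!isattr) reader[src[i]] = 1
                }
            }
            for (t in reader) print t
        }' | sort
}

# Constructed rules: only the derived ssh domain may read the key type.
sample_tight() {
    cat <<'EOF'
allow user1_ssh_t user1_ssh_home_t:file { read getattr open };
allow user1_t user1_ssh_home_t:file getattr;
allow user1_t user1_home_t:file { read write create open getattr append };
EOF
}

# Same rules plus a constructed attribute-wide grant that undoes the separation.
sample_leaky() {
    sample_tight
    cat <<'EOF'
typeattribute user1_t demo_userdomain;
typeattribute user2_t demo_userdomain;
typeattribute user1_ssh_home_t demo_home_content;
allow demo_userdomain demo_home_content:file { read open };
EOF
}

printf 'tight: %s\n' "$(sample_tight | readers_of user1_ssh_home_t | tr '\n' ' ')"
printf 'leaky: %s\n' "$(sample_leaky | readers_of user1_ssh_home_t | tr '\n' ' ')"
```

On a real system the same question is answered against the loaded policy rather than source text.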