RE: New user
- From: "Karl MacMillan" <kmacmillan tresys com>
- To: "'Fedora SELinux support list for users & developers.'" <fedora-selinux-list redhat com>, <t pitt eris qinetiq com>
- Cc:
- Subject: RE: New user
- Date: Mon, 24 May 2004 17:33:24 -0400
> -----Original Message-----
> From: fedora-selinux-list-bounces redhat com [mailto:fedora-selinux-list-bounces redhat com] On Behalf Of Bob Gustafson
> Sent: Monday, May 24, 2004 2:33 PM
> To: t pitt eris qinetiq com; Fedora SELinux support list for users &
> developers.
> Subject: Re: New user
>
> Some added information
>
> [root hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
> -rw-r--r--+ root root
> system_u:object_r:policy_src_t
> /etc/security/selinux/src/policy/policy.conf
>
> [root hoho2 user1]# cat /proc/version
> Linux version 2.6.6-1.377smp (bhcompile tweety build redhat com) (gcc
> version 3.3.3 20040412 (Red Hat
> Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
>
> [root hoho2 user1]# which seuser
> /usr/bin/seuser
>
> [root hoho2 user1]# ls -lZ /usr/bin/seuser
> -rwxr-xr-x+ root root
> system_u:object_r:bin_t
> /usr/bin/seuser
> [root hoho2 user1]#
>
This is part of the problem - seuser runs in its own domain so the binary
needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
quite broken on FC2. You can fix it by:

1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
   /etc/security/selinux/src/policy/domains/program/seuser.te.
2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
   changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".
3) remake and reload the policy.
4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf

This should make seuser behave properly. I'm not certain what is going on
with the outdated fc file - we currently generate that file in our
distribution of setools, but had accidentally included an outdated
version with the source. Probably someone just copied that old file
(understandably). Hopefully we can get some of these fixes pushed out as an
update - is the appropriate process to enter a bugzilla case with a patch?
Karl
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
> ------- previously sent a minute or so ago --
>
> You are further along ..
>
> I get
>
> [root hoho2 user1]# date
> Mon May 24 13:16:52 CDT 2004
> [root hoho2 user1]# seuser show users
> Could not open policy.conf file
> [root hoho2 user1]#
>
> I have FC2 installed clean with all updates (incl development) to this
> moment (except for ppp - which is having a problem independent of
> selinux).
>
> Booting with kernel boot parameters 'selinux=1 enforcing=0' (not enforce=0..)
> The boot was done just after a run of '/sbin/fixfiles relabel' at init
> level 1.
>
> BobG
>
>
> On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
> >Hi there,
> > I hope you can help. I've just installed 'Fedora Core2', with Selinux
> >enabled.
> >Using 'seuser' I created a new 'defined' selinux user, with user_r role
> >only. I also created the user's /home/* directory under the same process.
> >I'm using the 'gnome' window manager interface.
> >Now when I try to log on with this new user, I get all sorts of errors to
> >do with the user's environment, eventually allowing me a blank interface,
> >with 'right-click' functionality only.
> >Any ideas?
> >Tony.
> >
> >----------------------------------------------------------------------
> >A D Pitt Ph:+44(0)1684 895757
> >Rm B006 Woodward Building Fax:+44(0)1684 896660
> >QinetiQ email:t pitt eris qinetiq com
> >Malvern Technology Centre,
> >St Andrews Road
> >Malvern
> >Worcs.
> >WR14 3PS
> >
> >URL:http://www.qinetiq.com/home_enterprise_security.html
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list redhat com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
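A check to run after step 4 of the fix in the message above, as an added example that is not part of the original thread or of setools: it parses `ls -lZ` output and reports any audited file whose SELinux type differs from the expected one. The function names, the `EXPECTED` list format and the field-layout assumption are hypothetical; the sample input is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check SELinux file types in `ls -lZ` output.

# Expected type taken from the message: the seuser binary must be seuser_exec_t.
EXPECTED='/usr/bin/seuser seuser_exec_t'

# Constructed sample: the `ls -lZ` output quoted in the thread, one entry per line.
SAMPLE='-rw-r--r--+ root root system_u:object_r:policy_src_t /etc/security/selinux/src/policy/policy.conf
-rwxr-xr-x+ root root system_u:object_r:bin_t /usr/bin/seuser'

# Print the type field of a context (user:role:type or user:role:type:level).
context_type() {
    _rest=${1#*:}        # strip "user:"
    _rest=${_rest#*:}    # strip "role:"
    printf '%s\n' "${_rest%%:*}"
}

# Read `ls -lZ` lines on stdin and print "path type" for each entry.
# Assumption: the context is the first a:b:c field starting with a letter and
# the path is the last field (paths containing spaces are not handled).
parse_lsz() {
    set -f                                   # no globbing while splitting fields
    while read -r _line; do
        _ctx='' _path=''
        for _f in $_line; do
            case $_f in
                [A-Za-z_]*:*:*) if [ -z "$_ctx" ]; then _ctx=$_f; fi ;;
            esac
            _path=$_f
        done
        if [ -n "$_ctx" ]; then printf '%s %s\n' "$_path" "$(context_type "$_ctx")"; fi
    done
    set +f
}

# audit_labels EXPECTED < ls-output: print one MISMATCH line per wrongly typed
# path listed in EXPECTED ("path type" per line); return 1 if any, else 0.
audit_labels() {
    _found=$(parse_lsz)
    _report=$(printf '%s\n' "$1" | while read -r _want_path _want_type; do
        printf '%s\n' "$_found" | while read -r _p _t; do
            if [ "$_p" = "$_want_path" ] && [ "$_t" != "$_want_type" ]; then
                printf 'MISMATCH %s: have %s, want %s\n' "$_p" "$_t" "$_want_type"
            fi
        done
    done)
    if [ -n "$_report" ]; then printf '%s\n' "$_report"; return 1; fi
    return 0
}
```

On a live system, pipe real output into it, for example `ls -lZ /usr/bin/seuser | audit_labels "$EXPECTED"`; paths that are not listed in `EXPECTED` are ignored.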