Re: New user - Not yet

[Richard Hally <rhally mindspring com>]

Bob Gustafson wrote:

> I think I followed your instructions, but got the same result as before.
> Maybe you can see where I went wrong.
>
> This is my 'audit tape'
>
> [root hoho2 init.d]# cd /etc/security/selinux/src/policy
> [root hoho2 policy]# ls -l | grep drw
> drwx------  2 root root    4096 May 22 23:49 appconfig
> drwx------  4 root root    4096 May 22 23:49 domains
> drwxr-xr-x  4 root root    4096 May 22 23:50 file_contexts
> drwx------  2 root root    4096 May 22 23:49 flask
> drwx------  3 root root    4096 May 22 23:49 macros
> drwxr-xr-x  2 root root    4096 May 22 23:49 tmp
> drwx------  2 root root    4096 May 22 23:49 types
>
> [root hoho2 policy]# cd domains/program
> [root hoho2 program]# ls -l
> total 1460
> ,,,
> -rw-------  1 root root   349 May 11 10:03 screensaver.te
> -rw-------  1 root root   357 May 11 10:03 screen.te
> -rw-------  1 root root  3645 May 11 10:03 sendmail.te
> -rw-------  1 root root  2093 May 11 10:03 setfiles.te
> -rw-------  1 root root  1630 May 11 10:03 slapd.te
> ...
>
> Not here - as expected.
>
> [root hoho2 program]#
>
> [root hoho2 program]# ls -l unused
> total 76
> -rw-------  1 root root 13362 May 11 10:03 dpkg.te
> -rw-------  1 root root  1621 May 11 10:03 gatekeeper.te
> -rw-------  1 root root  7550 May 11 10:03 qmail.te
> -rw-------  1 root root  5283 May 11 10:03 seuser.te
> -rw-------  1 root root  1825 May 11 10:03 tinydns.te
> -rw-------  1 root root  1184 May 11 10:03 uml_net.te
> -rw-------  1 root root  2021 May 11 10:03 xprint.te
>
> Step 1 - mv
>
> [root hoho2 program]# mv unused/seuser.te .
> [root hoho2 program]#
>
> [root hoho2 program]# ls -l se*
> -rw-------  1 root root 3645 May 11 10:03 sendmail.te
> -rw-------  1 root root 2093 May 11 10:03 setfiles.te
> -rw-------  1 root root 5283 May 11 10:03 seuser.te
>
> Now it is there
>
> [root hoho2 program]#
>
>
> [root hoho2 program]# cd ..
> [root hoho2 domains]# cd ..
> [root hoho2 policy]# cd file_contexts
> [root hoho2 file_contexts]# ls
> file_contexts  misc  program  types.fc
>
> [root hoho2 file_contexts]# cd programs
> bash: cd: programs: No such file or directory
>
> [root hoho2 file_contexts]# cd program
> [root hoho2 program]# pwd
> /etc/security/selinux/src/policy/file_contexts/program
>
> [root hoho2 program]# vim seuser.fc
>
> Step 2 - edit
>
> [root hoho2 program]# cat seuser.fc
> # seuser
> /usr/bin/seuser system_u:object_r:seuser_exec_t
> /usr/share/setools/seuser.conf system_u:object_r:seuser_conf_t
>
> [root hoho2 program]# cd /usr/share/setools
> [root hoho2 setools]# ls -l seuser*
> -rw-r--r--  1 root root 1808 Apr 19 19:50 seuser.conf
> -rw-r--r--  1 root root 8980 Apr 19 19:50 seuser_help.txt
> [root hoho2 setools]#
>
> Step 3 - remake and reload
>
> [root hoho2 program]# cd /etc/security/selinux/src/policy
>
> [root hoho2 policy]# make 2>&1 | tee make.out
> ...
> ...
>  > policy.conf.tmp
> mv policy.conf.tmp policy.conf
> mkdir -p /etc/security/selinux
> /usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  5 users, 7 roles, 1252 types, 1 bools
> security:  30 classes, 305363 rules
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 17) to
> /etc/security/selinux/policy.17
> Building file_contexts ...
> install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts
>
>
> [root hoho2 policy]# make reload 2>&1 | tee reload.out
> /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
> touch tmp/load
> [root hoho2 policy]#
>
> [root hoho2 setools]# cd /etc/security/selinux
> [root hoho2 selinux]# ls -l
> total 29196
> -rw-r--r--  1 root root   87206 May 24 20:12 file_contexts
> -rw-r--r--  1 root root   88310 May 11 10:03 file_contexts.rpmnew
> -rw-r--r--  1 root root 7383775 May 20 21:37 policy.15.rpmsave
> -rw-r--r--  1 root root 7385512 May 20 21:37 policy.16.rpmsave
> -rw-r--r--  1 root root 7434273 May 24 20:12 policy.17
> -rw-r--r--  1 root root 7409751 May 11 10:03 policy.17.rpmnew
> drwx------  3 root root    4096 May 11 10:03 src
> [root hoho2 selinux]#
>
> policy.17 seems to have changed as expected
>
> Setp 4 - run restorecon
>
> [root hoho2 policy]# /sbin/restorecon -v /usr/bin/seuser
> /sbin/restorecon set context /usr/bin/seuser->system_u:object_r:seuser_exec_t
>
> [root hoho2 policy]# /sbin/restorecon -v /usr/share/setools/seuser.conf
> /sbin/restorecon set context
> /usr/share/setools/seuser.conf->system_u:object_r:seuser_conf_t
> [root hoho2 policy]#
>
> Step 5 - test
>
> [root hoho2 policy]# which seuser
> /usr/bin/seuser
>
> [root hoho2 policy]# date
> Mon May 24 20:26:29 CDT 2004
>
> [root hoho2 policy]# seuser show users
> Could not open policy.conf file
> [root hoho2 policy]# seuser show
> Could not open policy.conf file
>
> Step 6 - extra information ?
>
> [root hoho2 policy]#
> [root hoho2 policy]# ls -l /usr/bin/seuser
> -rwxr-xr-x  1 root root 106960 Apr 19 19:50 /usr/bin/seuser
> [root hoho2 policy]#
>
>
> On Mon, 24 May 2004 17:33:24 -0400, Kerl MacMillan wrote:
>
> > > -----Original Message-----
> > > From: fedora-selinux-list-bounces redhat com [mailto:fedora-selinux-list-
> > > bounces redhat com] On Behalf Of Bob Gustafson
> > > Sent: Monday, May 24, 2004 2:33 PM
> > > To: t pitt eris qinetiq com; Fedora SELinux support list for users &
> > > developers.
> > > Subject: Re: New user
> > >
> > > Some added information
> > >
> > >  [root hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
> > > -rw-r--r--+ root     root
> > >  system_u:object_r:policy_src_t
> > > /etc/security/selinux/src/policy/policy.conf
> > >
> > >  [root hoho2 user1]# cat /proc/version
> > >  Linux version 2.6.6-1.377smp (bhcompile tweety build redhat com) (gcc
> > > version 3.3.3 20040412 (Red Hat
> > >  Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
> > >
> > >  [root hoho2 user1]# which seuser
> > >  /usr/bin/seuser
> > >
> > >  [root hoho2 user1]# ls -lZ /usr/bin/seuser -rwxr-xr-x+ root     root
> > > system_u:object_r:bin_t
> > >  /usr/bin/seuser
> > >  [root hoho2 user1]#
> >
> > This is part of the problem - seuser runs in its own domain so the binary
> > needs to be labeled seuser_exec_t. Unfortunately it looks like seuser is
> > quite broken on FC2. You can fix it by:
> >
> > 1) mv /etc/security/selinux/src/policy/domains/program/unused/seuser.te to
> > etc/security/selinux/src/policy/domains/program/seuser.te.
> >
> > 2) edit /etc/security/selinux/src/policy/file_contexts/programs/seuser.fc
> > changing "/usr/apol/seuser.conf" to "/usr/share/setools/seuser.conf".
> >
> > 3) remake and reload the policy.
> >
> > 4) run restorecon on /usr/bin/seuser and /usr/share/setools/seuser.conf
> >
> > This should make seuser behave properly. I'm not certain what is going on
> > with the outdated fc file - we currently generate that file in our
> > distribution of setools, but had been accidentally included an outdated
> > version with the source. Probably someone just copied that old file
> > (understandably). Hopefully we can get some of these fixes pushed out as an
> > update - is the appropriate process to enter a bugzilla case with a patch?
> >
> > Karl
> >
> > Karl MacMillan
> > Tresys Technology
> > http://www.tresys.com
> > (410)290-1411 ext 134
> >
> >
> > > ------- previously sent a minute or so ago --
> > >
> > > You are further along ..
> > >
> > > I get
> > >
> > >  [root hoho2 user1]# date
> > >  Mon May 24 13:16:52 CDT 2004
> > >  [root hoho2 user1]# seuser show users
> > >  Could not open policy.conf file
> > >  [root hoho2 user1]#
> > >
> > > I have FC2 installed clean with all updates (incl development) to this
> > > moment (except for ppp - which is having a problem independent of
> > > selinux).
> > >
> > > Booting with kernel boot parame 'selinux=1 enforcing=0' (not enforce=0..)
> > > The boot was done just after a run of '/sbin/fixfiles relabel' at init
> > > level 1.
> > >
> > > BobG
> > >
> > >
> > > On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
> > >
> > > > Hi there,
> > > > 	I hope you can help. I've just installed 'Fedora COre2', with
> > >
> > > Selinux
> > >
> > > > enabled.
> > > > Using 'seuser' I created a new 'defined' selinux user, with user_r role
> > > > only. I also created the users /home/* directory under the same process.
> > > > I'm using the 'gnome' window manager interface.
> > > > Now when I try to log on with this new user, I get all sorts of errors to
> > > > do with the users environment, eventually allowing me a blank interface,
> > > > with 'right-click' functionality only.
> > > > Any ideas?
> > > > Tony.
> > > >
> > > > ----------------------------------------------------------------------
> > > > A D Pitt                            Ph:+44(0)1684 895757
> > > > Rm B006 Woodward Building           Fax:+44(0)1684 896660
> > > > QinetiQ
> >
> > email:t pitt eris qinetiq com
> >
> > > > Malvern Technology Centre,
> > > > St Andrews Road
> > > > Malvern
> > > > Worcs.
> > > > WR14 3PS
> > > >
> > > > URL:http://www.qinetiq.com/home_enterprise_security.html
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list redhat com
> > > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list redhat com
> > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list redhat com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
I found one more step to be done. You need to edit 
/usr/share/setools/seuser.conf and change the line for policy.conf to
/etc/security/selinux/src/policy/policy.conf

i.e adding the /policy/ after src
HTH
Richard Hally