Getting the user ID in log messages...

Levine, Daniel J. Daniel.Levine at jhuapl.edu
Thu Jun 10 14:50:36 UTC 2004 

I'm curious why the ypcat cron with a make reload would present its own
issues.  I guess it must be a security context issue since I'm new to it.

Is there a better alternative to visiting each machine manually and adding
the line to /etc/selinux/users (assuming that's where it is on my Fedora
Core 2 machine)?  I see there's something about local policy changes being
placed in /etc/security/selinux/src/policy/domains/misc/.   Can I also put a
users in there (or somewhere else).  If so, I suppose I could have a central
NFS auto-mounted location for my local users file.  So at boot time, I have
a nice sane policy (your default which maps all users to user user_u.  But
when everything is finished booting I have some additional information for
my users wherever you tell me to add it.  I guess my rc.local would then
need to perform a make reload to incorporate this additional information.
Would this be an easy and sustainable way to achieve what I want?

Do you have any better ideas?  I can't be the only person who wants to do
this, can I?  I feel like what I'm asking is not unreasonable.  Is SELinux
intended for single machines working in insecure environments?

Daniel J. Levine
Section Supervisor
Johns Hopkins University
Applied Physics Laboratory
443-778-3952 240-228-3952

-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: Thursday, June 10, 2004 9:46 AM
To: fedora-selinux-list at redhat.com
Cc: Levine, Daniel J.; Stephen Smalley
Subject: Re: Getting the user ID in log messages...

On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." <Daniel.Levine at jhuapl.edu>
wrote:
> Thanks, I managed to figure that out from the "Getting Started with
SELinux
> HOWTO" from the adding a user section.  For a standalone system, I can see
> how this is no big deal.  Every time I add a user, I add the user to the
> /etc/selinux/users file.  But suppose I have 100 machines, I would need to
> add it to 100 systems.  This is why I use NIS to manage my password and
> shadow files.  I suppose one homegrown solution would be to put
> /etc/selinux/users into an NIS map (users.byname) and periodically (every
> half-hour perhaps) have a cron job perform a ypcat users.byname >
> /etc/selinux/users.  Is there a standard map one could use or a PAM module
> that's aware of such needs.

There is no standard way of doing this.  Maybe you will set the standard if
you do it first!  ;)

Having a cron job automatically generate and load a SE Linux policy has it's
own issues as well.

> Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a
> standard mechanism for putting this information into its databases?  And
if
> not, should there be one?

Probably there should.  But we'll need to get an OID assigned for this.

> Perhaps my problem is simpler to solve than this.  All I really need is
the
> user ID of the person who logged in to the system.  This identifies whose
> account was used to perpetrate the illegal access.  Could the user ID
> number and user name be added to the log messages when violations occur?

At the moment no.  Maybe this is something for the audit facility rather
than
SE Linux kernel code.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list