pam_mkhomedir
by Vadym Chepkov
I started to work on a test case for selinux/winbind and found another unrelated issue with pam_mkhomedir. SELinux doesn't allow a winbind user to create a home directory for himself and copy files from /etc/skel; I had to add the following rules to the local policy:
allow sshd_t user_home_dir_t:file { write create setattr };
unprivuser_home_filetrans_home_dir(sshd_t)
unprivuser_create_home_dir(sshd_t)
I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution, like has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks.
Sincerely yours,
Vadym Chepkov
14 years, 10 months
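The three rules above are the kind of output audit2allow produces, and on their own they are not loadable: the raw `allow` line needs a `require` block for the types and class it names, and the two `unprivuser_*` calls are reference-policy interface macros that only expand when the module is built with the policy devel Makefile (plain checkmodule does not know them). The script below, added here as an example and not code from the post, turns such a rule list into a `.te` file and builds and loads it only when that toolchain is present. The module name `local_mkhomedir` and the `build_and_load` helper are my assumptions. Note that these rules widen `sshd_t` to write into every user home directory, which is why the reply in this thread prefers pam_oddjob_mkhomedir, where the home directory is created by oddjobd in its own domain instead.

```python
"""Generate and (optionally) build a local SELinux policy module.

Added example for the pam_mkhomedir thread; not the poster's own script.
Module name and helper names are assumptions.
"""
import re
import shutil
import subprocess
from pathlib import Path

MODULE = "local_mkhomedir"   # assumed module name

# The rules from the post: one raw access vector and two interface calls.
RULES = [
    "allow sshd_t user_home_dir_t:file { write create setattr };",
    "unprivuser_home_filetrans_home_dir(sshd_t)",
    "unprivuser_create_home_dir(sshd_t)",
]

# allow <src> <tgt>:<class> { perms } ;   or   allow <src> <tgt>:<class> perm ;
AV_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")
IFACE_RE = re.compile(r"^\w+\(\w+(?:\s*,\s*\w+)*\)$")


def gen_te(rules, module=MODULE, version="1.0"):
    """Return reference-policy .te source for the given rules.

    Raw allow rules reference types and classes defined elsewhere, so they
    are collected into a require{} block; interface calls need nothing
    beyond the policy_module() header, which pulls the interfaces in.
    """
    types, classes, body = set(), {}, []
    for rule in rules:
        rule = rule.strip()
        m = AV_RE.match(rule)
        if m:
            src, tgt, cls, perm_set, perm_one = m.groups()
            types.update((src, tgt))
            perms = (perm_set or perm_one).split()
            classes.setdefault(cls, set()).update(perms)
            body.append(rule)
        elif IFACE_RE.match(rule):
            body.append(rule)          # interface macro call, expanded by m4
        else:
            raise ValueError(f"unrecognised rule: {rule}")

    lines = [f"policy_module({module}, {version})", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + body + [""]
    return "\n".join(lines)


def build_and_load(te_source, workdir, module=MODULE):
    """Compile with the devel Makefile and install the .pp with semodule.

    Returns the .pp path, or None when the toolchain is absent (so the
    generator can still be exercised on a machine without SELinux).
    """
    makefile = Path("/usr/share/selinux/devel/Makefile")
    if not makefile.exists() or not shutil.which("semodule"):
        return None
    workdir = Path(workdir)
    (workdir / f"{module}.te").write_text(te_source)
    subprocess.run(["make", "-f", str(makefile), f"{module}.pp"],
                   cwd=workdir, check=True)
    subprocess.run(["semodule", "-i", f"{module}.pp"], cwd=workdir, check=True)
    return workdir / f"{module}.pp"


if __name__ == "__main__":
    te = gen_te(RULES)
    print(te)
    print("built:", build_and_load(te, "."))
```

Run it with no arguments to see the generated `.te`; on a box with selinux-policy-devel installed it also builds and loads the module, after which `semodule -l` should list `local_mkhomedir`.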
Re: pam_mkhomedir
by Vadym Chepkov
--- On Sat, 6/6/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> We would prefer you to use pam_oddjob_mkhomedir.
That's not something I selected; a system tool did it on my behalf:
authconfig
--enablemkhomedir create home directories for users on their first login
This adds pam_mkhomedir to /etc/pam.d/system-auth.
> I do not think there is a way to get the bugzilla to move
> forward, without manual intervention.
And I would like to intervene, but as I said, I can't edit these fields in the bug, they are not available for editing.
Vadym
14 years, 10 months
Re: semodule
by Vadym Chepkov
--- On Fri, 6/5/09, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
> You should have gotten some pam_selinux log messages in
> /var/log/secure
> if you added the debug option and logged into the system
> again.
>
You should be able to see debug option I added in the sshd file I sent you.
No debug entries in /var/log/secure. Could it be that the session call never gets out of pam_winbind, which is called in system-auth?
Vadym
14 years, 10 months
Re: semodule
by Vadym Chepkov
--- On Thu, 6/4/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> No idea how winbind would change this.
>
But it does. Shall I submit a bugzilla ticket about it?
Vadym
14 years, 10 months
Re: semodule
by Vadym Chepkov
--- On Fri, 6/5/09, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
> Can you append "debug" to the arguments to the latter
> instance of
> pam_selinux.so, e.g.:
> session required
> pam_selinux.so open env_params debug
>
> And then login again via ssh and look in /var/log/secure?
>
No changes at all, same error about ssh_selinux_setup_pty.
To answer your other post, I compared pam.d/sshd with freshly installed F10, they are identical. I am attaching both files in question.
Thank you for your help.
Sincerely yours,
Vadym Chepkov
14 years, 10 months
SELinux permissive domains in non-Fedora tree
by Ted Rule
I was much cheered last year to see Dan's permissive domains feature
make it into the Fedora Policy, as per his livejournal article:
http://danwalsh.livejournal.com/24537.html
I had rather rashly hoped that this would make it into the main RedHat
tree quite quickly as it seems so very useful for testing new applications.
Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
running these versions - at least "semanage --help" suggests that it's
not there, and I'm assuming
that CentOS5.3 is near enough in policy version to RHEL5 to show that
RHEL5 lacks the feature:
$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-1.33.12-14.2.el5
selinux-policy-targeted-2.4.6-203.el5
kernel-2.6.18-92.el5
kernel-2.6.18-128.1.10.el5
but of course it does exist in my F10 instance running these:
$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-2.0.57-14.fc10.i386
selinux-policy-targeted-3.5.13-38.fc10.noarch
kernel-2.6.27.9-159.fc10.i686
Is there a timescale for adding this feature to RHEL5, or will it have
to wait until RHEL6? Is there some sort of workaround to run the F10 policy
on a CentOS5 box to get the feature, or does that simply involve so many
version changes to umpteen other packages as to be a fruitless exercise?
--
Ted Rule
Director, Layer3 Systems Ltd
http://www.layer3.co.uk/
14 years, 11 months
SELinux questions NewSElinux user, New role, new domain
by Mohamed Aburowais
Hello,
I'm actually new to SELinux; I've done all the tutorials in the Fedora 10 SELinux guide and also have an old book about SELinux which doesn't work well with the one in Fedora 10.
I need help creating a new policy and hope SELinux experts can help me get going with SELinux. My current problems are:
1- I've created a new SELinux user, example_u, using the command: semanage user -a -P user -R "user_r staff_r" example_u. It has been created, but when I mapped my user to it, and then logged in from the current user to the example user and used the command id -Z, it shows the example user as having the unconfined_u SELinux user; this is not the case when logging in from a remote ssh connection. The other concern is that in /etc/selinux/targeted/context/users the new SELinux user example_u does not appear alongside the other users with a file about it, but it does appear when using semanage user -l.
2- I also need to create a totally new role, empty, and then give this role many domains to enter: a main one for the user, and ones for the files.
3- Then I need to create a new domain. I know how to make the .fc and .te files (not fully about .te), and I know a bit about the .if, but can I get more information about making these and then deploying them?
Thank you very much.
14 years, 11 months
Re: semodule
by Vadym Chepkov
> also check /etc/pam.d/system-auth
Unexpected, but yes, you were right: when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as the first and last session rule should be sufficient. What's wrong with my config then?
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
$ cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_winbind.so
auth required pam_deny.so
account sufficient pam_unix.so
account required pam_winbind.so
password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_unix.so
session required pam_winbind.so
Sincerely yours,
Vadym Chepkov
14 years, 11 months
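The two comments in that sshd file state the ordering rules pam_selinux depends on, but they only hold for the effective stack after `include` has been expanded, and an `include`d file is substituted in place: a `sufficient` rule that succeeds inside it ends the whole session stack, so every line after the include in sshd (here pam_loginuid and `pam_selinux.so open`) would be skipped. The script below, added here as an example and not code from the thread, flattens a service file following `include`, then checks the two comments plus that early-exit condition. Both PAM files are the ones posted above, embedded inline so it runs offline; the set of modules allowed to run after `open` (`ALLOWED_AFTER_OPEN`) and the function names are my assumptions.

```python
"""Flatten a PAM service stack and check pam_selinux ordering.

Added example for the semodule/winbind thread; not the poster's own code.
The two configs are copied from the post; ALLOWED_AFTER_OPEN is an assumption.
"""
import re

SSHD = """\
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
"""

SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_winbind.so
auth required pam_deny.so
account sufficient pam_unix.so
account required pam_winbind.so
password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_unix.so
session required pam_winbind.so
"""

FILES = {"sshd": SSHD, "system-auth": SYSTEM_AUTH}   # stands in for /etc/pam.d
ALLOWED_AFTER_OPEN = {"pam_keyinit.so"}               # assumption: user-context modules

# type  control-or-[bracketed control]  module  [args...]
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse(text):
    """Yield (type, control, module, args) for every rule line, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {raw!r}")
        typ, ctl, mod, args = m.groups()
        yield typ, ctl, mod, (args or "").split()


def effective_stack(service, files, typ, depth=0):
    """Return [(control, module, args)] for one type, with `include` lines
    replaced in place by the included file's lines (libpam's behaviour)."""
    if depth > 8:
        raise RecursionError("include loop in PAM config")
    out = []
    for t, ctl, mod, args in parse(files[service]):
        if t != typ:
            continue
        if ctl == "include":
            out.extend(effective_stack(mod, files, typ, depth + 1))
        else:
            out.append((ctl, mod, args))
    return out


def check_selinux_order(stack):
    """Return a list of findings for a flattened session stack (empty = OK)."""
    findings = []
    if not stack or stack[0][1] != "pam_selinux.so" or "close" not in stack[0][2]:
        findings.append("pam_selinux.so close is not the first session rule")
    opens = [i for i, (_, m, a) in enumerate(stack) if m == "pam_selinux.so" and "open" in a]
    if not opens:
        findings.append("no 'pam_selinux.so open' in the session stack")
        return findings
    last_open = opens[-1]
    # A sufficient success (or success=done) before `open` returns to the
    # application immediately, so `open` never runs for that login.
    for ctl, mod, _ in stack[:last_open]:
        if ctl == "sufficient" or "success=done" in ctl:
            findings.append(f"'{ctl} {mod}' before pam_selinux.so open: a success "
                            "there ends the whole stack, so open may never run")
    for _, mod, _ in stack[last_open + 1:]:
        if mod not in ALLOWED_AFTER_OPEN:
            findings.append(f"{mod} runs after pam_selinux.so open, i.e. in the user's context")
    return findings


if __name__ == "__main__":
    for ctl, mod, args in effective_stack("sshd", FILES, "session"):
        print(f"{ctl:28} {mod:18} {' '.join(args)}")
    print("\n".join(check_selinux_order(effective_stack("sshd", FILES, "session"))) or "OK")
```

To check a live system, replace the `FILES` dict with a loop that reads `/etc/pam.d/<service>` on demand; the parser and checks are unchanged. Changing `session sufficient pam_unix.so` in the posted system-auth to `required` makes the checker report nothing, which is the comparison the test exercises.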
Usage of /usr/share/selinux/packages
by KaiGai Kohei
In the latest selinux-policy package, I could find an empty directory
at /usr/share/selinux/packages .
What is the purpose? Is it intended to store policy packages installed
by other RPMs (such as mod_selinux)?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
14 years, 11 months