Previous Entry Share Next Entry
Using RBAC In FC5/MLS Policy
Setting up an RBAC account in MLS is a multi step process.

By default all accounts on a MLS machine except for the root account, use the user_u SELinux user. The root account uses the root user. If you want to take advantage of the RBAC controls you need to do the following steps. For this example I will establish user dwalsh and allow him to be in the staff role and the auditor role.

First you want to setup a login account

# useradd dwalsh
# passwd dwalsh

MLS policy does not come with an SELinux audit user so we need to create one.

# semanage user -a -R staff_r -R auditadm_r -P staff audit_u

This command will create a new "SELinux" user named audit_u. This SELinux user has two roles staff_r and audit_r. I also setup the default user prefix to be staff. The default user prefix is used to label the users homedirs.

Now we want to setup a mapping between the Linux user "dwalsh" and the SELinux user "audit_u".

# semanage login -a -s audit -r SystemLow-SystemHigh dwalsh

Note, I have also setup the default range for dwalsh to be from SystemLow to SystemHigh. Since
audit runs as SystemHigh, I need to have this range.

Finally I need to relabel my homedir since I have changed the default prefix from user to staff.

# restorecon -R -v ~dwalsh

I should now be able to login to my account.

login: dwalsh
Password: xxxxxxx

> id -Z

> su

# newrole -r sysadm_r
Authenticating dwalsh.
audit:sysadm_r:sysadm_t:SystemLow-SystemHigh is not a valid context

# newrole -r auditadm_r -l SystemHigh
Authenticating dwalsh.

# id -Z

# /sbin/auditctl -l
LIST_RULES: entry,always syscall=setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
LIST_RULES: entry,always syscall=mknod
LIST_RULES: entry,always syscall=mount
LIST_RULES: entry,always syscall=settimeofday,adjtimex
LIST_RULES: exit,always watch=/var/log/audit (0xe) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/etc/auditd.conf (0x10) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/etc/audit.rules (0x10) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/usr/sbin/stunnel (0x11) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/var/spool/at (0xd) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown

  • 1

Thanks for your lecture

Thank you very much.
I appreciate your lecture on RBAC.
I could't add staff_r user,although I've read
man semanage.
I've been edditing seusers file manually, every time
I needed.

I will try on my FC5 server (strict) tonight.

Shintaro Fujiwara (JP)

How to do this without semanage?

I'm not 100% sure how semanage 'works', but it doesn't work with refpolicy. I'd like to create a new user on the system that has her own role and file permissions (e.g. a role that dominates user_r, that can write files with its own context which no-one else has access to). Baby steps, though...I've created the new user (let's call it reid_u) and role (reid_r), and new types (reid_t, reid_home_t). I'd now like the regular linux user 'reid' to be able to login and give him the default context of reid_u:reid_r:reid_t.

It sounds like an easy job to use semenage, but what does this actually do to policy.conf? I've looked in /etc/selinux/refpolicy/users/local.users and /etc/selinux/refpolicy/config/local.users (looks like the latter is what's actually used by the Makefile, which is a bit confusing :)) and added lines authorizing my linux user reid for the reid_r role, but when I log in and choose a context reid_r:reid_t I'm told that this context is invalid...any idears? Yes, I have a line in my .te (which is getting compiled into policy.conf) saying 'role reid_r types reid_t'. Seems like 1) my linux user reid is maybe not getting assigned selinux user reid_u, or 2) reid_u is still not being allowed to assume the role reid_r. Wild guesses, I'm not sure where things are supposed to be defined though, if not local.users ...

Any advice is mucho appreciated.

Re: How to do this without semanage?

semanage didn't work for me even with targeted policy man, so don't feel bad. On a FC5 test install (default everything & up to date) my root user can't execute semanage. avc deny looks something like this:

avc: denied { use } for pid=2015 comm="semanage" name="tty1" dev=tmpfs ino=1020 scontext=root:system_r:semanage_t:s0-s0:c0-c.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0-c255 tclass=fd

id -Z while root shows:

ls -Z `which semanage` shows:

The target context containing local_login_t seems a bit strange to me ... your guess is as good (in this case probably better) than mine.

Re: How to do this without semanage?

Looks like the latest (as of my last post) update to selinux-policy-targeted (2.2.42) was my problem. Rolling back to the rpm shipped with FC5 (from the CDs) was a quick fix, and it even looks like a new targeted policy (2.2.43) is out and has a fix as well. That was pretty fast.


Re: How to do this without semanage?

Not so much a comment as an addendum. I was trying to figure out how to set up role dominance and it took me a while. Smalley's paper says the syntax is:

dominance { top_role next_role bottom_role }

It looks like the expected syntax for the compiler in FC5 is really:

dominance { role top_r {role next_r ... {role bottom_r } } ... }

There seem to be notes, at least in the refpolicy modules, that role dominance is broken. That doesn't appear to be the case (at least not that I can tell yet, still having problems setting up default context for new selinux users).

Would a HOWTO on creating a new linux user with his/her own selinux user map, unique role placed in the dominance heirarchy, unique default context that can do normal system operations (e.g. read/execute normally 'unconfined' programs keeping the user's default context, but allowing those programs to read and execute other normal system'y things), and unique file context and lack of type transition/allow rules to that filetype that prevents access from the normal system types be a useful tutorial for anyone else but me?

Re: How to do this without semanage?

Just back from Vacation.

Please ask these questions in the SELinux mailing list

You are much more likely to get the answers there. user management or roles does not come into play in targeted policy yet. It is much more useful in Strict and MLS policy. I have not played with role dominance, but others on that list have and would be more likely to be able to answer your questions.

soft for windows,games,software,news

Linux software,news mobile ,games


Hello Linux software,news driver ,games httpspdimon. Info Bye AM Anonymous said. . . Hi Linux software,news mobile ,games httpitaliagame.

Live life to the fullest

[b]Everyone wants to better themselves, whether its improving their
health or elevating their attractiveness to others. Most will
never make any real attempt at changing themselves for the
better.. and thats a very unfortunate fact!

Now you can be one of those that takes the small steps towards
increasing their vitality, energy and confidence.

Visit our new Health Products Supersite and chose one or more
products thats right for YOU. Because only you know what you want
to improve with yourself :)

Boost your strength, energy and vitality, and increase your
positive outlook 10-fold with one or more of our proven and
effective products.

Don't wait any longer to make your life better!

[url=]Click here to visit our New Supersite-Price discount specials now
in effect![/url] [/b]

Glucophage online, adderall


Marsians ready to atack! nobody help us


Helpful links - pharmacy


New explanation of the new pharmacy


New pharmacy and replicas watches


Again pharma links


Some links for you - test


Some links for you - testing


french swingers incest xxx free free movies films


Free xxx proposal movie.
Free xxx pussy movie.
Free xxx quicktime movie.
Free xxx quicktime movies.
Free xxx rated adult movie.
Free xxx rated movie.
Free xxx rated porn movie.
Free xxx rated sex movie.
Free xxx real player movie.
Free xxx sample porn movie.
Free xxx secretary movie.
Free xxx sex movie.
Free xxx sex movie clip.
Free xxx sex movie trailer.
Free xxx short movie.
Free xxx squirt movie.
Free xxx stocking movie.
Free xxx stripper movie.
Free xxx teacher movie.
Free xxx teen movie archive.
Free xxx teen movie clip.
Free xxx teen movie gallery.
Free xxx teen porn movie.
Free xxx tit fuck movie.
Free xxx tit movie.
Free xxx toons movie.
Free xxx vintage movie.
Free xxx voyeur movie.
Free xxx web movie.
Free xxx wife movie.
Free xxx-rated movie trailers.
Free young teen xxx movie.
Free young xxx movie.
Jerk off movie for free xxx.
Jesse jane xxx movie free clip.
Karas xxx movie free sample.
Lesbian free teen movie xxx.
Lesbian free xxx movie gallery.
Manga xxx free movie.
Movie adult xxx free online.
Movie free xxx private.
Movie xxx free free.
Muscle man xxx free sample movie.
Muscle men free xxx movies.
No credit card free xxx porn movies.
Older women free xxx movie.
Paris hilton xxx free movie.
Play xxx movie free.
Plumper xxx movies free.
Porn free xxx pic movie.
Porn hard core free xxx movie.
Porn xxx free movie and picture.
Porn xxx movie long free.
Search xxx porn movie free.
View free xxx movie.
Watch free xxx movies on internet tv.
Watch xxx movie free.
Web site of free xxx movie.
Xxx adult movie free sample.
Xxx adult movie pic free.
Xxx babe movie free.
Xxx big boob free movie.
Xxx couple movie free.
Xxx free bisexual movie.
Xxx free brutal movie.
Xxx free movie clips.
Xxx free pregnant movie.
Xxx hard core free movie.
Xxx hot sex free movie.
Xxx lesbian porn movie for free.
Xxx movie free latinas.
Xxx movie samples free.
Xxx movie thumbnail porn free.
Xxx on line free movie.
Xxx plumper free movie.
Xxx porn movie free xxx.
Xxx rated free movie download.
Xxx rated movie with free trailer.
Xxx sex adult free movie.
Xxx sex free cartoon movie.
Xxx sex free pic movie.
Xxx sex movie and video for free.
Xxx sex movie download free.
Xxx teen movie sex free.
Xxx toon movie free.

  • 1

Log in

No account? Create an account