This patch add seusers support to SELinux

This patch add seusers support to SELinux

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 332 bytes --]

The idea here is to break the seusers file up into lots of little 
seusers file that can be user specific, also adds the service field to 
be used by tools like pam_selinux to choose which is the correct context 
to log a user in as.

Patch was added to facilitate IPA handing out SELinux content for 
selection of roles at login.


[-- Attachment #2: libselinux_seusers.patch --]
[-- Type: text/plain, Size: 2444 bytes --]

--- nsalibselinux/include/selinux/selinux.h	2009-04-08 09:06:23.000000000 -0400
+++ libselinux-2.0.81/include/selinux/selinux.h	2009-05-18 14:04:07.000000000 -0400
@@ -544,6 +547,14 @@
    Caller must free the returned strings via free. */
 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
+/* Get the SELinux username and level to use for a given Linux username and service. 
+   These values may then be passed into the get_ordered_context_list*
+   and get_default_context* functions to obtain a context for the user.
+   Returns 0 on success or -1 otherwise.
+   Caller must free the returned strings via free. */
+extern int getseuser(const char *username, const char *service, 
+		     char **r_seuser, char **r_level);
+
 /* Compare two file contexts, return 0 if equivalent. */
 int selinux_file_context_cmp(const security_context_t a,
 			     const security_context_t b);
--- nsalibselinux/src/seusers.c	2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.81/src/seusers.c	2009-05-18 14:04:07.000000000 -0400
@@ -243,3 +243,67 @@
 	*r_level = NULL;
 	return 0;
 }
+
+int getseuser(const char *username, const char *service, 
+	      char **r_seuser, char **r_level) {
+	int ret = -1;
+	int len = 0;
+	char *seuser = NULL;
+	char *level = NULL;
+	char *buffer = NULL;
+	size_t size = 0;
+	size_t lineno = 0;
+	char *rec = NULL;
+	char *path=NULL;
+	if (asprintf(&path,"%s/logins/%s", selinux_policy_root(), username) <  0)
+		goto err;
+	FILE *fp = fopen(path, "r");
+	free(path);
+	if (fp == NULL) goto err;
+	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+	while (getline(&buffer, &size, fp) > 0) {
+		++lineno;
+
+		if (strncmp(buffer, "*:", 2) == 0) {
+			free(rec);
+			rec = strdup(buffer);
+			continue;
+		}
+		len = strlen(service);
+		if ((strncmp(buffer, service, len) == 0) &&
+		    (buffer[len] == ':')) {
+			free(rec);
+			rec = strdup(buffer);
+			break;
+		}
+	}
+
+	if (! rec)  goto err;
+	seuser = strchr(rec, ':');
+	if (! seuser) goto err;
+
+	seuser++;
+	level = strchr(seuser, ':');
+	*level = 0;
+	level++;
+	*r_seuser = strdup(seuser);
+	if (! *r_seuser) goto err;
+
+	len = strlen(level);
+	if (len && level[len-1] == '\n')
+		level[len-1] = 0;
+
+	*r_level = strdup(level);
+	if (! *r_level) {
+		free(*r_seuser);
+		goto err;
+	}
+	ret = 0;
+
+	err:
+	free(buffer);
+	if (fp) fclose(fp);
+	free(rec);
+
+	return (ret ? getseuserbyname(username, r_seuser, r_level) : ret);
+}

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> The idea here is to break the seusers file up into lots of little
> seusers file that can be user specific, also adds the service field to
> be used by tools like pam_selinux to choose which is the correct context
> to log a user in as.
>
> Patch was added to facilitate IPA handing out SELinux content for
> selection of roles at login.
>

This patch does not affect the behavior of getseuserbyname(), how is this 
expected to work with existing applications?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> The idea here is to break the seusers file up into lots of little
>> seusers file that can be user specific, also adds the service field to
>> be used by tools like pam_selinux to choose which is the correct context
>> to log a user in as.
>>
>> Patch was added to facilitate IPA handing out SELinux content for
>> selection of roles at login.
>>
>
> This patch does not affect the behavior of getseuserbyname(), how is
> this expected to work with existing applications?
>

Also, what is the format of this file? What should service be to test this on F11?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/18/2009 09:48 AM, Joshua Brindle wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> The idea here is to break the seusers file up into lots of little
>>> seusers file that can be user specific, also adds the service field to
>>> be used by tools like pam_selinux to choose which is the correct context
>>> to log a user in as.
>>>
>>> Patch was added to facilitate IPA handing out SELinux content for
>>> selection of roles at login.
>>>
>>
>> This patch does not affect the behavior of getseuserbyname(), how is
>> this expected to work with existing applications?
>>
>
> Also, what is the format of this file? What should service be to test
> this on F11?
>
pam service, I believe.

/etc/pam.d/sshd  - sshd
/etc/pam.d/login - login

> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/18/2009 09:48 AM, Joshua Brindle wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> The idea here is to break the seusers file up into lots of little
>>> seusers file that can be user specific, also adds the service field to
>>> be used by tools like pam_selinux to choose which is the correct context
>>> to log a user in as.
>>>
>>> Patch was added to facilitate IPA handing out SELinux content for
>>> selection of roles at login.
>>>
>>
>> This patch does not affect the behavior of getseuserbyname(), how is
>> this expected to work with existing applications?
>>
I think it only affects pam_selinux.
>
> Also, what is the format of this file? What should service be to test
> this on F11?
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> The idea here is to break the seusers file up into lots of little
>>>> seusers file that can be user specific, also adds the service field to
>>>> be used by tools like pam_selinux to choose which is the correct
>>>> context
>>>> to log a user in as.
>>>>
>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>> selection of roles at login.
>>>>
>>>
>>> This patch does not affect the behavior of getseuserbyname(), how is
>>> this expected to work with existing applications?
>>>
> I think it only affects pam_selinux.

The function name is very confusing if its only used for pam_selinux, I'd like 
it renamed but seeing that pam_selinux is already deployed with it I suppose 
that isn't an option.

Signed-off-by: Joshua Brindle <method@manicmethod.com>

>>
>> Also, what is the format of this file? What should service be to test
>> this on F11?
>>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/18/2009 04:14 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>> Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> The idea here is to break the seusers file up into lots of little
>>>>> seusers file that can be user specific, also adds the service field to
>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>> context
>>>>> to log a user in as.
>>>>>
>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>> selection of roles at login.
>>>>>
>>>>
>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>> this expected to work with existing applications?
>>>>
>> I think it only affects pam_selinux.
>
> The function name is very confusing if its only used for pam_selinux,
> I'd like it renamed but seeing that pam_selinux is already deployed with
> it I suppose that isn't an option.
>
> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>
>>>
>>> Also, what is the format of this file? What should service be to test
>>> this on F11?
>>>
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
It is not only for pam_selinux, but that is currently the only user.

Really all this function does is add a second variable when selecting a 
users default context. service is just a string that the caller can 
specify.  It just allows you to change the default context you would get 
on entry to the system.  So I guess you could get use similar calls to 
get different context depending on whether or not you are on the 
console.  Imagine a dbus service which would run with one context if you 
we logged onto the console versus a different context if you were logged 
in via ssh.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>> Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>> seusers file that can be user specific, also adds the service
>>>>>> field to
>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>> context
>>>>>> to log a user in as.
>>>>>>
>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>> selection of roles at login.
>>>>>>
>>>>>
>>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>>> this expected to work with existing applications?
>>>>>
>>> I think it only affects pam_selinux.
>>
>> The function name is very confusing if its only used for pam_selinux,
>> I'd like it renamed but seeing that pam_selinux is already deployed with
>> it I suppose that isn't an option.
>>
>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>
>>>>
>>>> Also, what is the format of this file? What should service be to test
>>>> this on F11?
>>>>
> It is not only for pam_selinux, but that is currently the only user.
>
> Really all this function does is add a second variable when selecting a
> users default context. service is just a string that the caller can
> specify. It just allows you to change the default context you would get
> on entry to the system. So I guess you could get use similar calls to
> get different context depending on whether or not you are on the
> console. Imagine a dbus service which would run with one context if you
> we logged onto the console versus a different context if you were logged
> in via ssh.
>

On looking at this further, I don't like the format of the file either, why did 
you choose to make it use colons and not tolerate spaces? First when I tried 
root: staff_u: s0 it logged me in as system_u and then when I tried 
root:staff_u:s0 I got logged in correctly. This is a little fragile to expect 
editing by users and getting unexpectedly logged in as system_u.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 11:08 AM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>> Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>> field to
>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>> context
>>>>>>> to log a user in as.
>>>>>>>
>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>> selection of roles at login.
>>>>>>>
>>>>>>
>>>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>>>> this expected to work with existing applications?
>>>>>>
>>>> I think it only affects pam_selinux.
>>>
>>> The function name is very confusing if its only used for pam_selinux,
>>> I'd like it renamed but seeing that pam_selinux is already deployed with
>>> it I suppose that isn't an option.
>>>
>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>
>>>>>
>>>>> Also, what is the format of this file? What should service be to test
>>>>> this on F11?
>>>>>
>> It is not only for pam_selinux, but that is currently the only user.
>>
>> Really all this function does is add a second variable when selecting a
>> users default context. service is just a string that the caller can
>> specify. It just allows you to change the default context you would get
>> on entry to the system. So I guess you could get use similar calls to
>> get different context depending on whether or not you are on the
>> console. Imagine a dbus service which would run with one context if you
>> we logged onto the console versus a different context if you were logged
>> in via ssh.
>>
>
> On looking at this further, I don't like the format of the file either,
> why did you choose to make it use colons and not tolerate spaces? First
> when I tried root: staff_u: s0 it logged me in as system_u and then when
> I tried root:staff_u:s0 I got logged in correctly. This is a little
> fragile to expect editing by users and getting unexpectedly logged in as
> system_u.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
The : separated list matches seusers and /etc/passwd so I think it makes 
sense.  THe file should require all three fields, that is a bug.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>> Joshua Brindle wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>> field to
>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>> context
>>>>>>>> to log a user in as.
>>>>>>>>
>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>> selection of roles at login.
>>>>>>>>
>>>>>>>
>>>>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>>>>> this expected to work with existing applications?
>>>>>>>
>>>>> I think it only affects pam_selinux.
>>>>
>>>> The function name is very confusing if its only used for pam_selinux,
>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>> with
>>>> it I suppose that isn't an option.
>>>>
>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>
>>>>>>
>>>>>> Also, what is the format of this file? What should service be to test
>>>>>> this on F11?
>>>>>>
>>> It is not only for pam_selinux, but that is currently the only user.
>>>
>>> Really all this function does is add a second variable when selecting a
>>> users default context. service is just a string that the caller can
>>> specify. It just allows you to change the default context you would get
>>> on entry to the system. So I guess you could get use similar calls to
>>> get different context depending on whether or not you are on the
>>> console. Imagine a dbus service which would run with one context if you
>>> we logged onto the console versus a different context if you were logged
>>> in via ssh.
>>>
>>
>> On looking at this further, I don't like the format of the file either,
>> why did you choose to make it use colons and not tolerate spaces? First
>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>> fragile to expect editing by users and getting unexpectedly logged in as
>> system_u.
>>
>> --
> The : separated list matches seusers and /etc/passwd so I think it makes
> sense. THe file should require all three fields, that is a bug.
>

Ok, This is also yet-another-way to map users in SELinux, and its different from 
everything else. We use contexts to map other services to users ala 
contexts/default_contexts and contexts/users/*. Why should this be any 
different? If there are multiple sshd's running, eg., on a high nic and low nic 
then they'd need to map contexts via context rather than "service" name.

I still haven't figured out what this is solving.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 02:13 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>> Joshua Brindle wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>> field to
>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>> context
>>>>>>>>> to log a user in as.
>>>>>>>>>
>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>> selection of roles at login.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>> how is
>>>>>>>> this expected to work with existing applications?
>>>>>>>>
>>>>>> I think it only affects pam_selinux.
>>>>>
>>>>> The function name is very confusing if its only used for pam_selinux,
>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>> with
>>>>> it I suppose that isn't an option.
>>>>>
>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>
>>>>>>>
>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>> test
>>>>>>> this on F11?
>>>>>>>
>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>
>>>> Really all this function does is add a second variable when selecting a
>>>> users default context. service is just a string that the caller can
>>>> specify. It just allows you to change the default context you would get
>>>> on entry to the system. So I guess you could get use similar calls to
>>>> get different context depending on whether or not you are on the
>>>> console. Imagine a dbus service which would run with one context if you
>>>> we logged onto the console versus a different context if you were
>>>> logged
>>>> in via ssh.
>>>>
>>>
>>> On looking at this further, I don't like the format of the file either,
>>> why did you choose to make it use colons and not tolerate spaces? First
>>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>> fragile to expect editing by users and getting unexpectedly logged in as
>>> system_u.
>>>
>>> --
>> The : separated list matches seusers and /etc/passwd so I think it makes
>> sense. THe file should require all three fields, that is a bug.
>>
>
> Ok, This is also yet-another-way to map users in SELinux, and its
> different from everything else. We use contexts to map other services to
> users ala contexts/default_contexts and contexts/users/*. Why should
> this be any different? If there are multiple sshd's running, eg., on a
> high nic and low nic then they'd need to map contexts via context rather
> than "service" name.
>
> I still haven't figured out what this is solving.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


I want to say that on these 50 machines dwalsh logs in via ssh as 
guest_t:SystemLow

If he logs in via the console he logs in as staff_t:SystemLow-SystemHigh

Now distribute this out to hundreds of thousands of machines.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/19/2009 02:13 PM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>> Joshua Brindle wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>>> field to
>>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>>> context
>>>>>>>>>> to log a user in as.
>>>>>>>>>>
>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>>> selection of roles at login.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>>> how is
>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>
>>>>>>> I think it only affects pam_selinux.
>>>>>>
>>>>>> The function name is very confusing if its only used for pam_selinux,
>>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>>> with
>>>>>> it I suppose that isn't an option.
>>>>>>
>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>
>>>>>>>>
>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>> test
>>>>>>>> this on F11?
>>>>>>>>
>>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>>
>>>>> Really all this function does is add a second variable when
>>>>> selecting a
>>>>> users default context. service is just a string that the caller can
>>>>> specify. It just allows you to change the default context you would
>>>>> get
>>>>> on entry to the system. So I guess you could get use similar calls to
>>>>> get different context depending on whether or not you are on the
>>>>> console. Imagine a dbus service which would run with one context if
>>>>> you
>>>>> we logged onto the console versus a different context if you were
>>>>> logged
>>>>> in via ssh.
>>>>>
>>>>
>>>> On looking at this further, I don't like the format of the file either,
>>>> why did you choose to make it use colons and not tolerate spaces? First
>>>> when I tried root: staff_u: s0 it logged me in as system_u and then
>>>> when
>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>> fragile to expect editing by users and getting unexpectedly logged
>>>> in as
>>>> system_u.
>>>>
>>>> --
>>> The : separated list matches seusers and /etc/passwd so I think it makes
>>> sense. THe file should require all three fields, that is a bug.
>>>
>>
>> Ok, This is also yet-another-way to map users in SELinux, and its
>> different from everything else. We use contexts to map other services to
>> users ala contexts/default_contexts and contexts/users/*. Why should
>> this be any different? If there are multiple sshd's running, eg., on a
>> high nic and low nic then they'd need to map contexts via context rather
>> than "service" name.
>>
>> I still haven't figured out what this is solving.
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> I want to say that on these 50 machines dwalsh logs in via ssh as
> guest_t:SystemLow
>
> If he logs in via the console he logs in as staff_t:SystemLow-SystemHigh
>
> Now distribute this out to hundreds of thousands of machines.
>

How is this different from distributing the contexts/users/dwalsh file?

[root@localhost contexts]# cat users/dwalsh
system_r:local_login_t:s0	staff_r:staff_t:s0
system_r:sshd_t:s0		guest_r:guest_t:s0



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 02:13 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>> Joshua Brindle wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>> field to
>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>> context
>>>>>>>>> to log a user in as.
>>>>>>>>>
>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>> selection of roles at login.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>> how is
>>>>>>>> this expected to work with existing applications?
>>>>>>>>
>>>>>> I think it only affects pam_selinux.
>>>>>
>>>>> The function name is very confusing if its only used for pam_selinux,
>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>> with
>>>>> it I suppose that isn't an option.
>>>>>
>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>
>>>>>>>
>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>> test
>>>>>>> this on F11?
>>>>>>>
>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>
>>>> Really all this function does is add a second variable when selecting a
>>>> users default context. service is just a string that the caller can
>>>> specify. It just allows you to change the default context you would get
>>>> on entry to the system. So I guess you could get use similar calls to
>>>> get different context depending on whether or not you are on the
>>>> console. Imagine a dbus service which would run with one context if you
>>>> we logged onto the console versus a different context if you were
>>>> logged
>>>> in via ssh.
>>>>
>>>
>>> On looking at this further, I don't like the format of the file either,
>>> why did you choose to make it use colons and not tolerate spaces? First
>>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>> fragile to expect editing by users and getting unexpectedly logged in as
>>> system_u.
>>>
>>> --
>> The : separated list matches seusers and /etc/passwd so I think it makes
>> sense. THe file should require all three fields, that is a bug.
>>
>
> Ok, This is also yet-another-way to map users in SELinux, and its
> different from everything else. We use contexts to map other services to
> users ala contexts/default_contexts and contexts/users/*. Why should
> this be any different? If there are multiple sshd's running, eg., on a
> high nic and low nic then they'd need to map contexts via context rather
> than "service" name.
>
> I still haven't figured out what this is solving.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


Basically this is the exact same file as the seusers file except it one 
per Linux User where is the seusers file is one record per Linux User.

If I have a distributed environment, I need to say stuff like

engineers logging into people.redhat.com get guest_t:s0
Admins logging in get unconfined_t:SystemLow-SystemHigh

In addition on some machines dwalsh is an admin and on others he is a 
peon.  So using IPA we generate a mapping from MACHINE to User

dwalsh on dwalsh_laptop gets unconfined_t
dwalsh on desktop gets user_t
dwalsh on people gets guest_t

There is a potential use for service but it will probably default to * 
for now.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 02:27 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 02:13 PM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>>> Joshua Brindle wrote:
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> The idea here is to break the seusers file up into lots of
>>>>>>>>>>> little
>>>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>>>> field to
>>>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>>>> context
>>>>>>>>>>> to log a user in as.
>>>>>>>>>>>
>>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content
>>>>>>>>>>> for
>>>>>>>>>>> selection of roles at login.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>>>> how is
>>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>>
>>>>>>>> I think it only affects pam_selinux.
>>>>>>>
>>>>>>> The function name is very confusing if its only used for
>>>>>>> pam_selinux,
>>>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>>>> with
>>>>>>> it I suppose that isn't an option.
>>>>>>>
>>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>>
>>>>>>>>>
>>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>>> test
>>>>>>>>> this on F11?
>>>>>>>>>
>>>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>>>
>>>>>> Really all this function does is add a second variable when
>>>>>> selecting a
>>>>>> users default context. service is just a string that the caller can
>>>>>> specify. It just allows you to change the default context you would
>>>>>> get
>>>>>> on entry to the system. So I guess you could get use similar calls to
>>>>>> get different context depending on whether or not you are on the
>>>>>> console. Imagine a dbus service which would run with one context if
>>>>>> you
>>>>>> we logged onto the console versus a different context if you were
>>>>>> logged
>>>>>> in via ssh.
>>>>>>
>>>>>
>>>>> On looking at this further, I don't like the format of the file
>>>>> either,
>>>>> why did you choose to make it use colons and not tolerate spaces?
>>>>> First
>>>>> when I tried root: staff_u: s0 it logged me in as system_u and then
>>>>> when
>>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>>> fragile to expect editing by users and getting unexpectedly logged
>>>>> in as
>>>>> system_u.
>>>>>
>>>>> --
>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>> makes
>>>> sense. THe file should require all three fields, that is a bug.
>>>>
>>>
>>> Ok, This is also yet-another-way to map users in SELinux, and its
>>> different from everything else. We use contexts to map other services to
>>> users ala contexts/default_contexts and contexts/users/*. Why should
>>> this be any different? If there are multiple sshd's running, eg., on a
>>> high nic and low nic then they'd need to map contexts via context rather
>>> than "service" name.
>>>
>>> I still haven't figured out what this is solving.
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> I want to say that on these 50 machines dwalsh logs in via ssh as
>> guest_t:SystemLow
>>
>> If he logs in via the console he logs in as staff_t:SystemLow-SystemHigh
>>
>> Now distribute this out to hundreds of thousands of machines.
>>
>
> How is this different from distributing the contexts/users/dwalsh file?
>
> [root@localhost contexts]# cat users/dwalsh
> system_r:local_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 guest_r:guest_t:s0
>
>
That is an SELinux users file not a UID users file

The dwalsh user does not exist.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/19/2009 02:27 PM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/19/2009 02:13 PM, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>>>> Joshua Brindle wrote:
>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>> The idea here is to break the seusers file up into lots of
>>>>>>>>>>>> little
>>>>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>>>>> field to
>>>>>>>>>>>> be used by tools like pam_selinux to choose which is the
>>>>>>>>>>>> correct
>>>>>>>>>>>> context
>>>>>>>>>>>> to log a user in as.
>>>>>>>>>>>>
>>>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content
>>>>>>>>>>>> for
>>>>>>>>>>>> selection of roles at login.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>>>>> how is
>>>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>>>
>>>>>>>>> I think it only affects pam_selinux.
>>>>>>>>
>>>>>>>> The function name is very confusing if its only used for
>>>>>>>> pam_selinux,
>>>>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>>>>> with
>>>>>>>> it I suppose that isn't an option.
>>>>>>>>
>>>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>>>> test
>>>>>>>>>> this on F11?
>>>>>>>>>>
>>>>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>>>>
>>>>>>> Really all this function does is add a second variable when
>>>>>>> selecting a
>>>>>>> users default context. service is just a string that the caller can
>>>>>>> specify. It just allows you to change the default context you would
>>>>>>> get
>>>>>>> on entry to the system. So I guess you could get use similar
>>>>>>> calls to
>>>>>>> get different context depending on whether or not you are on the
>>>>>>> console. Imagine a dbus service which would run with one context if
>>>>>>> you
>>>>>>> we logged onto the console versus a different context if you were
>>>>>>> logged
>>>>>>> in via ssh.
>>>>>>>
>>>>>>
>>>>>> On looking at this further, I don't like the format of the file
>>>>>> either,
>>>>>> why did you choose to make it use colons and not tolerate spaces?
>>>>>> First
>>>>>> when I tried root: staff_u: s0 it logged me in as system_u and then
>>>>>> when
>>>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>>>> fragile to expect editing by users and getting unexpectedly logged
>>>>>> in as
>>>>>> system_u.
>>>>>>
>>>>>> --
>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>> makes
>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>
>>>>
>>>> Ok, This is also yet-another-way to map users in SELinux, and its
>>>> different from everything else. We use contexts to map other
>>>> services to
>>>> users ala contexts/default_contexts and contexts/users/*. Why should
>>>> this be any different? If there are multiple sshd's running, eg., on a
>>>> high nic and low nic then they'd need to map contexts via context
>>>> rather
>>>> than "service" name.
>>>>
>>>> I still haven't figured out what this is solving.
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing
>>>> list.
>>>> If you no longer wish to subscribe, send mail to
>>>> majordomo@tycho.nsa.gov
>>>> with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>> I want to say that on these 50 machines dwalsh logs in via ssh as
>>> guest_t:SystemLow
>>>
>>> If he logs in via the console he logs in as staff_t:SystemLow-SystemHigh
>>>
>>> Now distribute this out to hundreds of thousands of machines.
>>>
>>
>> How is this different from distributing the contexts/users/dwalsh file?
>>
>> [root@localhost contexts]# cat users/dwalsh
>> system_r:local_login_t:s0 staff_r:staff_t:s0
>> system_r:sshd_t:s0 guest_r:guest_t:s0
>>
>>
> That is an SELinux users file not a UID users file
>
> The dwalsh user does not exist.
>

Oops, you are right.

Will this cause confusion if semanage login -l doesn't read this file and report 
its contents as well?

Are you sure we should be using the service name and not the context of the 
service, for the reason I pointed out above?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 02:31 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 02:27 PM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/19/2009 02:13 PM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>>>>> Joshua Brindle wrote:
>>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>>> The idea here is to break the seusers file up into lots of
>>>>>>>>>>>>> little
>>>>>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>>>>>> field to
>>>>>>>>>>>>> be used by tools like pam_selinux to choose which is the
>>>>>>>>>>>>> correct
>>>>>>>>>>>>> context
>>>>>>>>>>>>> to log a user in as.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content
>>>>>>>>>>>>> for
>>>>>>>>>>>>> selection of roles at login.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>>>>>> how is
>>>>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>>>>
>>>>>>>>>> I think it only affects pam_selinux.
>>>>>>>>>
>>>>>>>>> The function name is very confusing if its only used for
>>>>>>>>> pam_selinux,
>>>>>>>>> I'd like it renamed but seeing that pam_selinux is already
>>>>>>>>> deployed
>>>>>>>>> with
>>>>>>>>> it I suppose that isn't an option.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>>>>> test
>>>>>>>>>>> this on F11?
>>>>>>>>>>>
>>>>>>>> It is not only for pam_selinux, but that is currently the only
>>>>>>>> user.
>>>>>>>>
>>>>>>>> Really all this function does is add a second variable when
>>>>>>>> selecting a
>>>>>>>> users default context. service is just a string that the caller can
>>>>>>>> specify. It just allows you to change the default context you would
>>>>>>>> get
>>>>>>>> on entry to the system. So I guess you could get use similar
>>>>>>>> calls to
>>>>>>>> get different context depending on whether or not you are on the
>>>>>>>> console. Imagine a dbus service which would run with one context if
>>>>>>>> you
>>>>>>>> we logged onto the console versus a different context if you were
>>>>>>>> logged
>>>>>>>> in via ssh.
>>>>>>>>
>>>>>>>
>>>>>>> On looking at this further, I don't like the format of the file
>>>>>>> either,
>>>>>>> why did you choose to make it use colons and not tolerate spaces?
>>>>>>> First
>>>>>>> when I tried root: staff_u: s0 it logged me in as system_u and then
>>>>>>> when
>>>>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>>>>> fragile to expect editing by users and getting unexpectedly logged
>>>>>>> in as
>>>>>>> system_u.
>>>>>>>
>>>>>>> --
>>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>>> makes
>>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>>
>>>>>
>>>>> Ok, This is also yet-another-way to map users in SELinux, and its
>>>>> different from everything else. We use contexts to map other
>>>>> services to
>>>>> users ala contexts/default_contexts and contexts/users/*. Why should
>>>>> this be any different? If there are multiple sshd's running, eg., on a
>>>>> high nic and low nic then they'd need to map contexts via context
>>>>> rather
>>>>> than "service" name.
>>>>>
>>>>> I still haven't figured out what this is solving.
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing
>>>>> list.
>>>>> If you no longer wish to subscribe, send mail to
>>>>> majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>> I want to say that on these 50 machines dwalsh logs in via ssh as
>>>> guest_t:SystemLow
>>>>
>>>> If he logs in via the console he logs in as
>>>> staff_t:SystemLow-SystemHigh
>>>>
>>>> Now distribute this out to hundreds of thousands of machines.
>>>>
>>>
>>> How is this different from distributing the contexts/users/dwalsh file?
>>>
>>> [root@localhost contexts]# cat users/dwalsh
>>> system_r:local_login_t:s0 staff_r:staff_t:s0
>>> system_r:sshd_t:s0 guest_r:guest_t:s0
>>>
>>>
>> That is an SELinux users file not a UID users file
>>
>> The dwalsh user does not exist.
>>
>
> Oops, you are right.
>
> Will this cause confusion if semanage login -l doesn't read this file
> and report its contents as well?
>
> Are you sure we should be using the service name and not the context of
> the service, for the reason I pointed out above?
We user the SELINUXUser from the seusers file now and the level.

This is the same thing, except instead of creating a massive seusers 
file when the user loggs in, they are copying down a small file 
indicating what the user should do

pam_ipa sucks down the new dwalsh_seuser file
pam_selinux read dwalsh_seuser file and attempts to set the SELinux User 
and level

I login in.

>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Chris PeBenito]

On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
> Basically this is the exact same file as the seusers file except it one 
> per Linux User where is the seusers file is one record per Linux User.
> 
> If I have a distributed environment, I need to say stuff like
> 
> engineers logging into people.redhat.com get guest_t:s0
> Admins logging in get unconfined_t:SystemLow-SystemHigh
> 
> In addition on some machines dwalsh is an admin and on others he is a 
> peon.  So using IPA we generate a mapping from MACHINE to User
> 
> dwalsh on dwalsh_laptop gets unconfined_t
> dwalsh on desktop gets user_t
> dwalsh on people gets guest_t
> 
> There is a potential use for service but it will probably default to * 
> for now.

I don't have a problem with this idea, but I do have a problem with this
not replacing the current seuser behavior.  Having two ways to map linux
users to selinux users is an administration nightmare.  People will be
confused about which one to use and you'll need to know precedence.
What you describe above with the contents of each file just having a *
service would be the same as the current seuser behavior.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/19/2009 03:30 PM, Chris PeBenito wrote:
> On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
>> Basically this is the exact same file as the seusers file except it one
>> per Linux User where is the seusers file is one record per Linux User.
>>
>> If I have a distributed environment, I need to say stuff like
>>
>> engineers logging into people.redhat.com get guest_t:s0
>> Admins logging in get unconfined_t:SystemLow-SystemHigh
>>
>> In addition on some machines dwalsh is an admin and on others he is a
>> peon.  So using IPA we generate a mapping from MACHINE to User
>>
>> dwalsh on dwalsh_laptop gets unconfined_t
>> dwalsh on desktop gets user_t
>> dwalsh on people gets guest_t
>>
>> There is a potential use for service but it will probably default to *
>> for now.
>
> I don't have a problem with this idea, but I do have a problem with this
> not replacing the current seuser behavior.  Having two ways to map linux
> users to selinux users is an administration nightmare.  People will be
> confused about which one to use and you'll need to know precedence.
> What you describe above with the contents of each file just having a *
> service would be the same as the current seuser behavior.
>
Well I don't see administrators editing the new format, we have not even 
used it yet, since IPA has not shipped this functionality yet.

But there is precedence for this in the default_context versus the 
context/users files.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Chris PeBenito]

On Fri, 2009-06-19 at 15:51 -0400, Daniel J Walsh wrote:
> On 06/19/2009 03:30 PM, Chris PeBenito wrote:
> > On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
> >> Basically this is the exact same file as the seusers file except it one
> >> per Linux User where is the seusers file is one record per Linux User.
> >>
> >> If I have a distributed environment, I need to say stuff like
> >>
> >> engineers logging into people.redhat.com get guest_t:s0
> >> Admins logging in get unconfined_t:SystemLow-SystemHigh
> >>
> >> In addition on some machines dwalsh is an admin and on others he is a
> >> peon.  So using IPA we generate a mapping from MACHINE to User
> >>
> >> dwalsh on dwalsh_laptop gets unconfined_t
> >> dwalsh on desktop gets user_t
> >> dwalsh on people gets guest_t
> >>
> >> There is a potential use for service but it will probably default to *
> >> for now.
> >
> > I don't have a problem with this idea, but I do have a problem with this
> > not replacing the current seuser behavior.  Having two ways to map linux
> > users to selinux users is an administration nightmare.  People will be
> > confused about which one to use and you'll need to know precedence.
> > What you describe above with the contents of each file just having a *
> > service would be the same as the current seuser behavior.
> >
> Well I don't see administrators editing the new format, we have not even 
> used it yet, since IPA has not shipped this functionality yet.

I don't see how IPA's usage matters.  If we go this way, in the future
there will be two ways for the seusers mapping, which is confusing.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Chris PeBenito wrote:
> On Fri, 2009-06-19 at 15:51 -0400, Daniel J Walsh wrote:
>> On 06/19/2009 03:30 PM, Chris PeBenito wrote:
>>> On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
>>>> Basically this is the exact same file as the seusers file except it one
>>>> per Linux User where is the seusers file is one record per Linux User.
>>>>
>>>> If I have a distributed environment, I need to say stuff like
>>>>
>>>> engineers logging into people.redhat.com get guest_t:s0
>>>> Admins logging in get unconfined_t:SystemLow-SystemHigh
>>>>
>>>> In addition on some machines dwalsh is an admin and on others he is a
>>>> peon.  So using IPA we generate a mapping from MACHINE to User
>>>>
>>>> dwalsh on dwalsh_laptop gets unconfined_t
>>>> dwalsh on desktop gets user_t
>>>> dwalsh on people gets guest_t
>>>>
>>>> There is a potential use for service but it will probably default to *
>>>> for now.
>>> I don't have a problem with this idea, but I do have a problem with this
>>> not replacing the current seuser behavior.  Having two ways to map linux
>>> users to selinux users is an administration nightmare.  People will be
>>> confused about which one to use and you'll need to know precedence.
>>> What you describe above with the contents of each file just having a *
>>> service would be the same as the current seuser behavior.
>>>
>> Well I don't see administrators editing the new format, we have not even
>> used it yet, since IPA has not shipped this functionality yet.
>
> I don't see how IPA's usage matters.  If we go this way, in the future
> there will be two ways for the seusers mapping, which is confusing.
>

This is pretty accurate, chcat will all of a sudden stop working (not that I 
would mind if the user part of that tool died anyway), semanage will stop 
working and so on. There isn't even a mechanism to tell the user what is going 
on when something happens that they don't expect. This violates principle of 
least surprise.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Chris PeBenito wrote:
> On Fri, 2009-06-19 at 15:51 -0400, Daniel J Walsh wrote:
>> On 06/19/2009 03:30 PM, Chris PeBenito wrote:
>>> On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
>>>> Basically this is the exact same file as the seusers file except it one
>>>> per Linux User where is the seusers file is one record per Linux User.
>>>>
>>>> If I have a distributed environment, I need to say stuff like
>>>>
>>>> engineers logging into people.redhat.com get guest_t:s0
>>>> Admins logging in get unconfined_t:SystemLow-SystemHigh
>>>>
>>>> In addition on some machines dwalsh is an admin and on others he is a
>>>> peon.  So using IPA we generate a mapping from MACHINE to User
>>>>
>>>> dwalsh on dwalsh_laptop gets unconfined_t
>>>> dwalsh on desktop gets user_t
>>>> dwalsh on people gets guest_t
>>>>
>>>> There is a potential use for service but it will probably default to *
>>>> for now.
>>> I don't have a problem with this idea, but I do have a problem with this
>>> not replacing the current seuser behavior.  Having two ways to map linux
>>> users to selinux users is an administration nightmare.  People will be
>>> confused about which one to use and you'll need to know precedence.
>>> What you describe above with the contents of each file just having a *
>>> service would be the same as the current seuser behavior.
>>>
>> Well I don't see administrators editing the new format, we have not even
>> used it yet, since IPA has not shipped this functionality yet.
>
> I don't see how IPA's usage matters.  If we go this way, in the future
> there will be two ways for the seusers mapping, which is confusing.
>

Ping, does anyone else have an opinion on this using the context of the service 
rather than the pam name of the service? I still think the context is more 
appropriate.

Also, if we do this I think we should get rid of the old way of having seusers 
since it isn't clear where to do seuser updates anymore and it isn't even noted 
which of these take precedence.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Stephen Smalley]

On Wed, 2009-06-24 at 17:10 -0400, Joshua Brindle wrote:
> Chris PeBenito wrote:
> > On Fri, 2009-06-19 at 15:51 -0400, Daniel J Walsh wrote:
> >> On 06/19/2009 03:30 PM, Chris PeBenito wrote:
> >>> On Fri, 2009-06-19 at 14:29 -0400, Daniel J Walsh wrote:
> >>>> Basically this is the exact same file as the seusers file except it one
> >>>> per Linux User where is the seusers file is one record per Linux User.
> >>>>
> >>>> If I have a distributed environment, I need to say stuff like
> >>>>
> >>>> engineers logging into people.redhat.com get guest_t:s0
> >>>> Admins logging in get unconfined_t:SystemLow-SystemHigh
> >>>>
> >>>> In addition on some machines dwalsh is an admin and on others he is a
> >>>> peon.  So using IPA we generate a mapping from MACHINE to User
> >>>>
> >>>> dwalsh on dwalsh_laptop gets unconfined_t
> >>>> dwalsh on desktop gets user_t
> >>>> dwalsh on people gets guest_t
> >>>>
> >>>> There is a potential use for service but it will probably default to *
> >>>> for now.
> >>> I don't have a problem with this idea, but I do have a problem with this
> >>> not replacing the current seuser behavior.  Having two ways to map linux
> >>> users to selinux users is an administration nightmare.  People will be
> >>> confused about which one to use and you'll need to know precedence.
> >>> What you describe above with the contents of each file just having a *
> >>> service would be the same as the current seuser behavior.
> >>>
> >> Well I don't see administrators editing the new format, we have not even
> >> used it yet, since IPA has not shipped this functionality yet.
> >
> > I don't see how IPA's usage matters.  If we go this way, in the future
> > there will be two ways for the seusers mapping, which is confusing.
> >
> 
> Ping, does anyone else have an opinion on this using the context of the service 
> rather than the pam name of the service? I still think the context is more 
> appropriate.

Pros of using pam service name:
- Familiar to regular Linux admins (which we expect to configure
seusers, not just policy admins, right?),
- Can distinguish cases where multiple services run in the same context,
even unconfined services.

Pros of using the server daemon context (ala default_contexts):
- Consistent with default_contexts,
- Can distinguish cases where the same service runs in multiple
contexts.

But default_contexts has been a source of significant confusion and
misconfiguration.

> Also, if we do this I think we should get rid of the old way of having seusers 
> since it isn't clear where to do seuser updates anymore and it isn't even noted 
> which of these take precedence.

Not sure what you mean by "get rid of".  You want getseuserbyname() to
also search the new files and use them if present, using "*" as the
service name?  IOW, directly pull the getseuserbyname() logic into
getseuser() and turn getseuserbyname() into a simple wrapper for
getseuser()?  And then do something on the semanage side for these new
files?

Are we sure that this new functionality is ever actually going to get
used?  Is it really too late to just drop this interface and remove the
call from pam_selinux upstream (only gets built if it detects the
interface in the libselinux against which it is built already).

What we need to do is to overhaul the way the entire user context
computation happens, not just add new ways to further confuse matters.
The full generality of get_ordered_context_list is in retrospect
overkill and prone to misconfiguration.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>> Joshua Brindle wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>> field to
>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>> context
>>>>>>>> to log a user in as.
>>>>>>>>
>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>> selection of roles at login.
>>>>>>>>
>>>>>>>
>>>>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>>>>> this expected to work with existing applications?
>>>>>>>
>>>>> I think it only affects pam_selinux.
>>>>
>>>> The function name is very confusing if its only used for pam_selinux,
>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>> with
>>>> it I suppose that isn't an option.
>>>>
>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>
>>>>>>
>>>>>> Also, what is the format of this file? What should service be to test
>>>>>> this on F11?
>>>>>>
>>> It is not only for pam_selinux, but that is currently the only user.
>>>
>>> Really all this function does is add a second variable when selecting a
>>> users default context. service is just a string that the caller can
>>> specify. It just allows you to change the default context you would get
>>> on entry to the system. So I guess you could get use similar calls to
>>> get different context depending on whether or not you are on the
>>> console. Imagine a dbus service which would run with one context if you
>>> we logged onto the console versus a different context if you were logged
>>> in via ssh.
>>>
>>
>> On looking at this further, I don't like the format of the file either,
>> why did you choose to make it use colons and not tolerate spaces? First
>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>> fragile to expect editing by users and getting unexpectedly logged in as
>> system_u.
>>
> The : separated list matches seusers and /etc/passwd so I think it makes
> sense. THe file should require all three fields, that is a bug.
>

Are you going to resubmit this patch with the bug fixed?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 06/30/2009 11:18 AM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>> Joshua Brindle wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>> field to
>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>> context
>>>>>>>>> to log a user in as.
>>>>>>>>>
>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>> selection of roles at login.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>> how is
>>>>>>>> this expected to work with existing applications?
>>>>>>>>
>>>>>> I think it only affects pam_selinux.
>>>>>
>>>>> The function name is very confusing if its only used for pam_selinux,
>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>> with
>>>>> it I suppose that isn't an option.
>>>>>
>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>
>>>>>>>
>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>> test
>>>>>>> this on F11?
>>>>>>>
>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>
>>>> Really all this function does is add a second variable when selecting a
>>>> users default context. service is just a string that the caller can
>>>> specify. It just allows you to change the default context you would get
>>>> on entry to the system. So I guess you could get use similar calls to
>>>> get different context depending on whether or not you are on the
>>>> console. Imagine a dbus service which would run with one context if you
>>>> we logged onto the console versus a different context if you were
>>>> logged
>>>> in via ssh.
>>>>
>>>
>>> On looking at this further, I don't like the format of the file either,
>>> why did you choose to make it use colons and not tolerate spaces? First
>>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>> fragile to expect editing by users and getting unexpectedly logged in as
>>> system_u.
I am not sure what is going on here, since it should never match on root 
:  or root:

This should be falling through to the default user of the 
/etc/selinux/targeted/seusers file.  Since you did not specify a valid 
"service" name.

The interface is looking for something that looks like:

*:staff_u:s0
or
sshd:guest_u:s0
login:staff_u:so-s0:c0-c1023
xdm:user_u:so

I don not currently intend this to be edited by a human, the goal was to 
allow tools like IPA or other scripting tools to populate these files. 
The library should return the content as it does, but libselinux or 
pam_selinux should deny login if the machine is in enforcing mode.  The 
fact that it is giving you a bogus login is a bug in current SELinux.
>>>
>> The : separated list matches seusers and /etc/passwd so I think it makes
>> sense. THe file should require all three fields, that is a bug.
>>
>
> Are you going to resubmit this patch with the bug fixed?
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 06/30/2009 11:18 AM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>> Joshua Brindle wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>>> seusers file that can be user specific, also adds the service
>>>>>>>>>> field to
>>>>>>>>>> be used by tools like pam_selinux to choose which is the correct
>>>>>>>>>> context
>>>>>>>>>> to log a user in as.
>>>>>>>>>>
>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>>> selection of roles at login.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This patch does not affect the behavior of getseuserbyname(),
>>>>>>>>> how is
>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>
>>>>>>> I think it only affects pam_selinux.
>>>>>>
>>>>>> The function name is very confusing if its only used for pam_selinux,
>>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>>> with
>>>>>> it I suppose that isn't an option.
>>>>>>
>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>
>>>>>>>>
>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>> test
>>>>>>>> this on F11?
>>>>>>>>
>>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>>
>>>>> Really all this function does is add a second variable when
>>>>> selecting a
>>>>> users default context. service is just a string that the caller can
>>>>> specify. It just allows you to change the default context you would
>>>>> get
>>>>> on entry to the system. So I guess you could get use similar calls to
>>>>> get different context depending on whether or not you are on the
>>>>> console. Imagine a dbus service which would run with one context if
>>>>> you
>>>>> we logged onto the console versus a different context if you were
>>>>> logged
>>>>> in via ssh.
>>>>>
>>>>
>>>> On looking at this further, I don't like the format of the file either,
>>>> why did you choose to make it use colons and not tolerate spaces? First
>>>> when I tried root: staff_u: s0 it logged me in as system_u and then
>>>> when
>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>> fragile to expect editing by users and getting unexpectedly logged
>>>> in as
>>>> system_u.
> I am not sure what is going on here, since it should never match on root
> : or root:
>
> This should be falling through to the default user of the
> /etc/selinux/targeted/seusers file. Since you did not specify a valid
> "service" name.
>
> The interface is looking for something that looks like:
>
> *:staff_u:s0
> or
> sshd:guest_u:s0
> login:staff_u:so-s0:c0-c1023
> xdm:user_u:so
>
> I don not currently intend this to be edited by a human, the goal was to
> allow tools like IPA or other scripting tools to populate these files.
> The library should return the content as it does, but libselinux or
> pam_selinux should deny login if the machine is in enforcing mode. The
> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>
>>> The : separated list matches seusers and /etc/passwd so I think it makes
>>> sense. THe file should require all three fields, that is a bug.
>>>
>>

Patch merged in libselinux 2.0.84.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> The interface is looking for something that looks like:
>>
>> *:staff_u:s0
>> or
>> sshd:guest_u:s0
>> login:staff_u:so-s0:c0-c1023
>> xdm:user_u:so
>>
>> I don not currently intend this to be edited by a human, the goal was to
>> allow tools like IPA or other scripting tools to populate these files.
>> The library should return the content as it does, but libselinux or
>> pam_selinux should deny login if the machine is in enforcing mode. The
>> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>>
>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>> makes
>>>> sense. THe file should require all three fields, that is a bug.
>>>>
>>>
>
> Patch merged in libselinux 2.0.84.
>

Even though I merged this I'm a little concerned about how fragile it is. For 
example, I added:

sshd:staff_u:SystemLow

to /etc/selinux/targeted/logins/root

and when I rebooted and logged in I was unconfined_u. The problem was that 
mcstrans hadn't been started. The fact that I can essentially get unconfined 
access by bringing mcstrans down somehow is _very_ concerning. Granted this only 
happens if you are using translated levels but I think that will be very common 
in practice (so that the IPA infrastructure doesn't need to know the label 
encodings of every system).

This is badness waiting to happen :\

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 07/07/2009 12:05 PM, Joshua Brindle wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> The interface is looking for something that looks like:
>>>
>>> *:staff_u:s0
>>> or
>>> sshd:guest_u:s0
>>> login:staff_u:so-s0:c0-c1023
>>> xdm:user_u:so
>>>
>>> I don not currently intend this to be edited by a human, the goal was to
>>> allow tools like IPA or other scripting tools to populate these files.
>>> The library should return the content as it does, but libselinux or
>>> pam_selinux should deny login if the machine is in enforcing mode. The
>>> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>>>
>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>> makes
>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>
>>>>
>>
>> Patch merged in libselinux 2.0.84.
>>
>
> Even though I merged this I'm a little concerned about how fragile it
> is. For example, I added:
>
> sshd:staff_u:SystemLow
>
> to /etc/selinux/targeted/logins/root
>
> and when I rebooted and logged in I was unconfined_u. The problem was
> that mcstrans hadn't been started. The fact that I can essentially get
> unconfined access by bringing mcstrans down somehow is _very_
> concerning. Granted this only happens if you are using translated levels
> but I think that will be very common in practice (so that the IPA
> infrastructure doesn't need to know the label encodings of every system).
>
> This is badness waiting to happen :\
But the bug here is returning an invalid context.  We should return an 
error and not let you login.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 07/07/2009 12:05 PM, Joshua Brindle wrote:
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> The interface is looking for something that looks like:
>>>>
>>>> *:staff_u:s0
>>>> or
>>>> sshd:guest_u:s0
>>>> login:staff_u:so-s0:c0-c1023
>>>> xdm:user_u:so
>>>>
>>>> I don not currently intend this to be edited by a human, the goal
>>>> was to
>>>> allow tools like IPA or other scripting tools to populate these files.
>>>> The library should return the content as it does, but libselinux or
>>>> pam_selinux should deny login if the machine is in enforcing mode. The
>>>> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>>>>
>>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>>> makes
>>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>>
>>>>>
>>>
>>> Patch merged in libselinux 2.0.84.
>>>
>>
>> Even though I merged this I'm a little concerned about how fragile it
>> is. For example, I added:
>>
>> sshd:staff_u:SystemLow
>>
>> to /etc/selinux/targeted/logins/root
>>
>> and when I rebooted and logged in I was unconfined_u. The problem was
>> that mcstrans hadn't been started. The fact that I can essentially get
>> unconfined access by bringing mcstrans down somehow is _very_
>> concerning. Granted this only happens if you are using translated levels
>> but I think that will be very common in practice (so that the IPA
>> infrastructure doesn't need to know the label encodings of every system).
>>
>> This is badness waiting to happen :\
> But the bug here is returning an invalid context. We should return an
> error and not let you login.

Are you going to do this or do you need me to?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Daniel J Walsh]

On 07/07/2009 01:16 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 07/07/2009 12:05 PM, Joshua Brindle wrote:
>>> Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> The interface is looking for something that looks like:
>>>>>
>>>>> *:staff_u:s0
>>>>> or
>>>>> sshd:guest_u:s0
>>>>> login:staff_u:so-s0:c0-c1023
>>>>> xdm:user_u:so
>>>>>
>>>>> I don not currently intend this to be edited by a human, the goal
>>>>> was to
>>>>> allow tools like IPA or other scripting tools to populate these files.
>>>>> The library should return the content as it does, but libselinux or
>>>>> pam_selinux should deny login if the machine is in enforcing mode. The
>>>>> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>>>>>
>>>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>>>> makes
>>>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>>>
>>>>>>
>>>>
>>>> Patch merged in libselinux 2.0.84.
>>>>
>>>
>>> Even though I merged this I'm a little concerned about how fragile it
>>> is. For example, I added:
>>>
>>> sshd:staff_u:SystemLow
>>>
>>> to /etc/selinux/targeted/logins/root
>>>
>>> and when I rebooted and logged in I was unconfined_u. The problem was
>>> that mcstrans hadn't been started. The fact that I can essentially get
>>> unconfined access by bringing mcstrans down somehow is _very_
>>> concerning. Granted this only happens if you are using translated levels
>>> but I think that will be very common in practice (so that the IPA
>>> infrastructure doesn't need to know the label encodings of every
>>> system).
>>>
>>> This is badness waiting to happen :\
>> But the bug here is returning an invalid context. We should return an
>> error and not let you login.
>
> Are you going to do this or do you need me to?
If you set the flag

REQUIRESEUSERS=1

in /etc/selinux/config.  Does it reject the login?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: This patch add seusers support to SELinux

[Joshua Brindle]

Daniel J Walsh wrote:
> On 07/07/2009 01:16 PM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 07/07/2009 12:05 PM, Joshua Brindle wrote:
>>>> Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> The interface is looking for something that looks like:
>>>>>>
>>>>>> *:staff_u:s0
>>>>>> or
>>>>>> sshd:guest_u:s0
>>>>>> login:staff_u:so-s0:c0-c1023
>>>>>> xdm:user_u:so
>>>>>>
>>>>>> I don not currently intend this to be edited by a human, the goal
>>>>>> was to
>>>>>> allow tools like IPA or other scripting tools to populate these
>>>>>> files.
>>>>>> The library should return the content as it does, but libselinux or
>>>>>> pam_selinux should deny login if the machine is in enforcing mode.
>>>>>> The
>>>>>> fact that it is giving you a bogus login is a bug in current SELinux.
>>>>>>>>>
>>>>>>>> The : separated list matches seusers and /etc/passwd so I think it
>>>>>>>> makes
>>>>>>>> sense. THe file should require all three fields, that is a bug.
>>>>>>>>
>>>>>>>
>>>>>
>>>>> Patch merged in libselinux 2.0.84.
>>>>>
>>>>
>>>> Even though I merged this I'm a little concerned about how fragile it
>>>> is. For example, I added:
>>>>
>>>> sshd:staff_u:SystemLow
>>>>
>>>> to /etc/selinux/targeted/logins/root
>>>>
>>>> and when I rebooted and logged in I was unconfined_u. The problem was
>>>> that mcstrans hadn't been started. The fact that I can essentially get
>>>> unconfined access by bringing mcstrans down somehow is _very_
>>>> concerning. Granted this only happens if you are using translated
>>>> levels
>>>> but I think that will be very common in practice (so that the IPA
>>>> infrastructure doesn't need to know the label encodings of every
>>>> system).
>>>>
>>>> This is badness waiting to happen :\
>>> But the bug here is returning an invalid context. We should return an
>>> error and not let you login.
>>
>> Are you going to do this or do you need me to?
> If you set the flag
>
> REQUIRESEUSERS=1
>
> in /etc/selinux/config. Does it reject the login?
>

No, log in works fine, with the incorrect context.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.