Gentoo Archives: gentoo-security

From: fisch <fisch@××××××××××××.de>
To: Chris PeBenito <pebenito@g.o>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] SELinux and user-crontab
Date: Thu, 15 Jan 2004 11:30:16
Message-Id: 1074165933.21936.13.camel@pau
In Reply to: Re: [gentoo-security] SELinux and user-crontab by Chris PeBenito
On Wed, 2004-01-14 at 20:19, Chris PeBenito wrote:
> On Wed, 2004-01-14 at 06:54, fisch wrote:
> > and added the user bob to the staff role, to allow login via ssh
> > user bob roles { staff_r }; -> in /etc/security/selinux/src/policy/users
> > ok, that works.
>
> Normal users should be user_r. If they're going to be able to use
> sysadm_r, they should be staff_r instead of user_r.
>
> > I have two problems:
> > a) after reboot, user bob can't login via ssh until I do a "rlpkg
> > openssh"
>
> There's two things that need to happen for sshd to work right. The
> binary has to be labeled correctly, which should have been taken care of
> by rlpkg.

ok - that's done

> Then either you have it automatically start up at boot, or
> manually start it using run_init. If sshd isn't in the right context,
> then people will not be able to log in.

I start ssh at boot (rc-update add sshd default) - is that the problem?

> > b) user bob can't create a crontab for themself
> > what do I have to do?
>
> Not sure about this one. I can reproduce this, so I'll investigate
> further.

my /usr/bin/crontab:
-rwsr-x--- root cron system_u:object_r:crontab_exec_t crontab

my user bob:
uid=1001(bob) gid=408(cms) groups=408(cms),100(users)
context=bob:user_r:user_t

my /etc/security/selinux/src/policy/users:
user system_u roles system_r;
user user_u roles user_r;
user root roles { staff_r sysadm_r portage_r };
user bob roles { user_r };

is there a cron-role which I can add to user bob?

bye
fisch

--
fisch <fisch@××××××××××××.de>


--
gentoo-security@g.o mailing list
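
Added example, not part of the original message or of Gentoo's SELinux tooling: a small Python check that parses `user ... roles ...;` statements in the format of the users file quoted above and applies the role guidance from the quoted reply (sysadm_r goes with staff_r, normal users get user_r). The function names and the sample users alice and carol are constructed for illustration.

```python
import re

# Matches both statement forms seen in the users file quoted in the message:
#   user bob roles { user_r };        user system_u roles system_r;
USER_STMT = re.compile(
    r"^\s*user\s+(\S+)\s+roles\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)

def parse_users(text):
    """Return {selinux_user: set_of_roles}; '#' comments are ignored."""
    text = re.sub(r"#.*", "", text)
    users = {}
    for name, braced, single in USER_STMT.findall(text):
        users.setdefault(name, set()).update((braced or single).split())
    return users

def check_roles(users):
    """Flag role sets that contradict the guidance in the quoted reply."""
    findings = []
    for name, roles in sorted(users.items()):
        if "sysadm_r" in roles and "user_r" in roles:
            findings.append((name, "user_r combined with sysadm_r"))
        elif "sysadm_r" in roles and "staff_r" not in roles:
            findings.append((name, "sysadm_r without staff_r"))
        elif "staff_r" in roles and "sysadm_r" not in roles:
            findings.append((name, "staff_r but no sysadm_r; user_r is enough"))
    return findings

# The first four statements are copied from the message; alice and carol
# are constructed entries that break the guidance.
SAMPLE = """\
user system_u roles system_r;
user user_u roles user_r;
user root roles { staff_r sysadm_r portage_r };
user bob roles { user_r };
user alice roles { user_r sysadm_r };   # constructed
user carol roles { staff_r };           # constructed
"""

if __name__ == "__main__":
    for user, problem in check_roles(parse_users(SAMPLE)):
        print(f"{user}: {problem}")
```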

Replies

Subject Author
Re: [gentoo-security] SELinux and user-crontab Chris PeBenito <pebenito@g.o>