Gentoo Archives: gentoo-hardened

From: Panard <panard@×××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] selinux 2006.1: semanage login has no effect
Date: Sun, 03 Dec 2006 10:21:24
Message-Id: 200612031119.16878.panard@inzenet.org
Hello,

I followed the selinux 2006.1 upgrade guide.

I would like to change my user 'panard' to staff_u.
So I used the command
semanage login -a -s staff_u panard

and tried to log in.
But my user is still in the user_u context:
panard@aragorn ~ $ id
uid=1000(panard) gid=100(users) groupes=10(wheel),16(cron),35(games),81(apache),100(users),441(scanner) context=user_u:user_r:user_t

Any ideas to fix my problem?

I've upgraded with gcc-4.1.1 and glibc-2.5 (without hardened as it doesn't work)

Some output:
aragorn ~ # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        strict

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               root:object_r:staff_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

aragorn ~ # semanage user -l
SELinux User    SELinux Roles

root            sysadm_r staff_r
staff_u         sysadm_r staff_r
sysadm_u        sysadm_r
system_u        system_r
user_u          user_r
aragorn ~ # semanage login -l

Login Name      SELinux User

__default__     user_u
panard          staff_u
root            root


Thanks,

Panard
--
HomePage: http://dev.inzenet.org/~panard/
Yzis : http://www.yzis.org
Qomics : http://dev.inzenet.org/~panard/qomics
Smileys : http://smileys.inzenet.org
--
gentoo-hardened@g.o mailing list

Replies

Subject Author
Re: [gentoo-hardened] selinux 2006.1: semanage login has no effect Chris PeBenito <pebenito@g.o>