Gentoo Archives: gentoo-hardened

From: julien.thomas@×××××××××××××.fr
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] semanage - ldap problem ?
Date: Tue, 31 Jul 2007 09:45:41
Message-Id: 20070731114348.ping2qxdcsss8kwk@webmail.enst-bretagne.fr
Hi.

On a test implementation of SELinux, I've tried to create a special
account, admin, which should have rights over the different servers of
our tests.

After the classical configuration, I've tested the SELinux part and I
have a problem with the semanage tool, or at least with the Linux user
mapping for this account, which is managed by pam-ldap:

I want to give this account a sysadmin role, so a mapping to sysadm_u
with

    semanage login -a -s sysadm_u admin

which results in the following in the messages file:

    Jul 31 11:09:53 mv4 python: Successful: modify selinux user mapping
    name=admin
    sename=sysadm_u old_sename=sysadm_u

    mv4 ~ # semanage login -l

    Login Name          SELinux User

    __default__         user_u
    admin               sysadm_u
    root                root
    system_u            system_u

    mv4 ~ # semanage user -l
    SELinux User        SELinux Roles

    root                sysadm_r staff_r
    staff_u             sysadm_r staff_r
    sysadm_u            sysadm_r
    system_u            system_r
    user_u              user_r

However, when I open an ssh connection to the server with this admin
account, I still have a user_u:: context and, quite obviously, a
newrole -r sysadm_r is refused.

    admin@mv1 ~ $ secon
    user: user_u
    role: user_r
    type: user_t
    sensitivity:
    clearance:
    mls-range:

However, with a direct login on the server, I do not have any problem.

Maybe the problem is similar to the fact that upon connecting to the
server directly with the root account, I have a context confirmation
to perform, while with an ssh connection the context is set to staff_r?

I also have to point out that the SELinux context (sestatus -v) matches
the default context, as checked in the section "Trouble Logging in
remotely".

Thanks for your help

Julien Thomas

--
gentoo-hardened@g.o mailing list
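A small diagnostic, added here as an example and not part of the thread or of the semanage tool, that cross-checks the two listings quoted in the mail against the context a session actually gets from secon; the sample text below is a constructed copy of the mail's output, and the lookup rule (login's own entry, else __default__) is the one the listing itself shows.

```python
# Constructed copies of the listings quoted in the mail, not live output.
SEMANAGE_LOGIN_L = """Login Name SELinux User
__default__ user_u
admin sysadm_u
root root
system_u system_u
"""
SEMANAGE_USER_L = """SELinux User SELinux Roles
root sysadm_r staff_r
staff_u sysadm_r staff_r
sysadm_u sysadm_r
system_u system_r
user_u user_r
"""
SECON_OUTPUT = """user: user_u
role: user_r
type: user_t
sensitivity:
"""

def parse_table(text):
    """`semanage ... -l` listing: first column -> remaining columns (header skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = parts[1:]
    return table

def parse_secon(text):
    """`secon` output: field -> value (empty string when the field is blank)."""
    return {k.strip(): v.strip() for k, _, v in
            (line.partition(":") for line in text.splitlines() if line)}

def expected_seuser(login, login_map):
    """SELinux user the login map assigns: the login's own entry, else __default__."""
    entry = login_map.get(login) or login_map.get("__default__")
    return entry[0] if entry else None

def diagnose(login, wanted_role, login_l, user_l, secon):
    """Compare the configured mapping with the context actually observed at login."""
    login_map, user_roles = parse_table(login_l), parse_table(user_l)
    expected = expected_seuser(login, login_map)
    actual = parse_secon(secon).get("user")
    return {
        "expected_seuser": expected,
        "actual_seuser": actual,
        "mapping_applied": expected == actual,
        "role_reachable": wanted_role in user_roles.get(actual, []),
    }
```

For the admin session in the mail this reports the configured user (sysadm_u) and the observed one (user_u) side by side, which separates "the mapping was never applied to this session" from "the mapping was applied but the SELinux user lacks the role".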

Replies

Subject Author
Re: [gentoo-hardened] semanage - ldap problem ? Chris PeBenito <pebenito@g.o>