Hi.

In a test implementation of SELinux, I've tried to create a special
account, admin, which should have rights over the different servers
of our tests.

After the classical configuration, I've tested the SELinux part and I
have a problem with the semanage tool, or at least with the Linux user
mapping for this account, managed by pam-ldap:

I want to give this account a sysadmin role, so a mapping to sysadm_u with

semanage login -a -s sysadm_u admin

which results in the following in the messages file:

Jul 31 11:09:53 mv4 python: Successful: modify selinux user mapping name=admin sename=sysadm_u old_sename=sysadm_u

mv4 ~ # semanage login -l

Login Name                SELinux User

__default__               user_u
admin                     sysadm_u
root                      root
system_u                  system_u

mv4 ~ # semanage user -l
SELinux User              SELinux Roles

root                      sysadm_r staff_r
staff_u                   sysadm_r staff_r
sysadm_u                  sysadm_r
system_u                  system_r
user_u                    user_r

However, when I open an ssh connection to the server with this admin
account, I still have a user_u:: context and, quite obviously,
newrole -r sysadm_r is refused.

admin@mv1 ~ $ secon
user: user_u
role: user_r
type: user_t
sensitivity:
clearance:
mls-range:

However, when logging in directly on the server, I do not have any problem.

Maybe the problem is similar to the fact that upon connecting to the
server directly with the root account, I have a context confirmation
to perform, while with an ssh connection the context is set to staff_r?

I should also specify that the SELinux context (sestatus -v) matches
the default context, as checked in the section "Trouble Logging in
remotely".

Thanks for your help

Julien Thomas

-- 
gentoo-hardened@g.o mailing list
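The mapping the post is debugging is a three-step chain: the login name is looked up in the `semanage login -l` table (falling back to `__default__`), the resulting SELinux user is restricted to the roles listed in `semanage user -l`, and the session context is then chosen from `contexts/users/<seuser>` or `contexts/default_contexts`, on the line whose first field matches the context of the process doing the login (sshd_t for ssh, local_login_t for the console). The script below is an added example, not code from the original post or from Gentoo, that walks that chain over constructed copies of the tables above and a hypothetical `default_contexts` fragment (no MLS levels, matching the empty fields in the `secon` output). It is a simplified model of libselinux's ordered-context lookup: the real `pam_selinux` also honours `contexts/users/<seuser>`, and in refpolicy-based policies the `ssh_sysadm_login` boolean governs whether sshd may hand out sysadm_r at all. Its practical use is as a reference value: if the chain resolves `admin` to `sysadm_u:sysadm_r:sysadm_t` on paper but `id -Z` in the ssh session still shows `user_u`, the mapping is simply not being applied to that session (typically the `pam_selinux.so open`/`close` session lines are missing from the PAM stack sshd uses, or the login lookup never sees the LDAP account name); if instead the chain yields nothing for a `system_r:sshd_t` caller, the problem is on the `default_contexts`/boolean side.

```shell
#!/bin/sh
# Resolve login -> SELinux user -> session context the way pam_selinux does,
# using constructed sample tables (not copied from a live system).

# Shape of `semanage login -l` (login name -> SELinux user):
LOGIN_TABLE='__default__ user_u
admin sysadm_u
root root
system_u system_u'

# Shape of `semanage user -l` (SELinux user -> allowed roles):
USER_TABLE='root sysadm_r staff_r
staff_u sysadm_r staff_r
sysadm_u sysadm_r
system_u system_r
user_u user_r'

# Hypothetical contexts/default_contexts fragment. Each line: the caller's
# role:type, then the candidate session contexts in order of preference.
DEFAULT_CONTEXTS='system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t'

# login_to_seuser LOGIN: exact login match wins, otherwise __default__ applies
# (which is exactly the user_u result the post reports for the ssh session).
login_to_seuser() {
    printf '%s\n' "$LOGIN_TABLE" | awk -v login="$1" '
        $1 == login       { print $2; found = 1; exit }
        $1 == "__default__" { def = $2 }
        END               { if (!found) print def }'
}

# seuser_roles SEUSER: space-separated roles the SELinux user may hold.
seuser_roles() {
    printf '%s\n' "$USER_TABLE" | awk -v u="$1" '
        $1 == u { $1 = ""; sub(/^ /, ""); print; exit }'
}

# default_context SEUSER CALLER: first candidate on the caller's line whose
# role the SELinux user is allowed to take; empty output if none qualifies.
default_context() {
    roles=$(seuser_roles "$1")
    printf '%s\n' "$DEFAULT_CONTEXTS" | awk -v caller="$2" -v roles="$roles" '
        $1 == caller {
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")
                if (index(" " roles " ", " " f[1] " ") > 0) { print $i; exit }
            }
        }'
}

# expected_ssh_context LOGIN: user:role:type an ssh session should receive,
# assuming sshd runs as system_r:sshd_t. Fails when no role is permitted.
expected_ssh_context() {
    seuser=$(login_to_seuser "$1")
    ctx=$(default_context "$seuser" "system_r:sshd_t")
    if [ -z "$ctx" ]; then
        echo "no permitted context for $seuser via sshd_t" >&2
        return 1
    fi
    printf '%s:%s\n' "$seuser" "$ctx"
}

# Usage: compare the computed value with `id -Z` inside the real session.
expected_ssh_context admin
expected_ssh_context someone_else
```

On a live host the values to compare are `semanage login -l`, `semanage user -l`, `/etc/selinux/<policy>/contexts/default_contexts` (and any `contexts/users/<seuser>` file, which is consulted first), and `id -Z` from the ssh session; a mismatch between the computed context and the observed one localises the fault to the PAM stack rather than to the mapping tables.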