Gentoo Archives: gentoo-security

From: fisch <fisch@××××××××××××.de>
To: Chris PeBenito <pebenito@g.o>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] SELinux and user-crontab
Date: Thu, 15 Jan 2004 11:30:16
Message-Id: 1074165933.21936.13.camel@pau
In Reply to: Re: [gentoo-security] SELinux and user-crontab by Chris PeBenito
On Wed, 2004-01-14 at 20:19, Chris PeBenito wrote:
> On Wed, 2004-01-14 at 06:54, fisch wrote:
> > and added the user bob to the staff role, to allow login via ssh
> > user bob roles { staff_r }; -> in /etc/security/selinux/src/policy/users
> > ok, that works.
>
> Normal users should be user_r. If they're going to be able to use
> sysadm_r, they should be staff_r instead of user_r.
>
> > I have two problems:
> > a) after reboot, user bob can't login via ssh until I do a "rlpkg
> > openssh"
>
> There's two things that need to happen for sshd to work right. The
> binary has to be labeled correctly, which should have been taken care of
> by rlpkg.

ok - that's done

> Then either you have it automatically start up at boot, or
> manually start it using run_init. If sshd isn't in the right context,
> then people will not be able to log in.

I start ssh at boot (rc-update add sshd default) - is that the problem?

> > b) user bob can't create a crontab for themself
> > what do I have to do?
>
> Not sure about this one. I can reproduce this, so I'll investigate
> further.

my /usr/bin/crontab:
-rwsr-x--- root cron system_u:object_r:crontab_exec_t crontab

my user bob:
uid=1001(bob) gid=408(cms) groups=408(cms),100(users) context=bob:user_r:user_t

my /etc/security/selinux/src/policy/users:
user system_u roles system_r;
user user_u roles user_r;
user root roles { staff_r sysadm_r portage_r };
user bob roles { user_r };

is there a cron-role which I can add to user bob?

bye
fisch

--
fisch <fisch@××××××××××××.de>

--
gentoo-security@g.o mailing list

