[DSE-Dev] SELinux and Linux user mapping

Václav Ovsík vaclav.ovsik at i.cz
Wed Feb 6 11:51:02 UTC 2008


Hi,

On Tue, Feb 05, 2008 at 02:47:40PM -0500, Christopher J. PeBenito wrote:
> On Tue, 2008-02-05 at 20:05 +0100, Stefan Schulze Frielinghaus wrote:
> > Since my last upgrade to refpolicy-20071214 whenever I try to login with
> > my username I'm in the default role (user).
> > 
> > $ semanage login -l
> > [...]
> > stefan	staff_u
> > 
> > But:
> > 
> > $ id
> > uid=1000(stefan) gid=1000(stefan) groups=1000(stefan)
> > context=user_u:user_r:user_t
> > 
> > I tried to login locally and remote via ssh. No AVCs are generated or
> > whatever. Did I miss something? That's really strange. Did something
> > change in the past?
> > 
> > Also other users are always logged in as user_u and not e.g. staff_u
> > (enforcing or permissive mode does not change anything).
> > I'm using Debian (testing).
> 
> I believe Debian is using the openssh that has a broken configure script
> (4.7) which improperly detects getseuserbyname() (it doesn't do -lselinux
> on the compile test thus it always fails).  Debian might possibly be
> using an old pam patch that doesn't use getseuserbyname().  But these
> behavior changes wouldn't be tied to a policy change, unless you
> previously had selinux users which corresponded to your linux user and
> they were removed with the new policy.

Yes, that is right. I'm experimenting with Debian stable. Openssh in
stable 4.3p2 is ok, 4.7 from unstable fails. With pam 0.99.9 mapping
works through local login and ssh ok. I have a repository with some
SELinux stuff available already, but must write some instructions about
it (probably some page on wiki.debian.org?). There are packages taken
from Sid, sometimes updated with newer versions (SELinux stuff is taken
from upstream subversion). Some packages are simply backports from Sid.

If you want, you can try:

deb http://linux.i.cz/debian selinux-etch main

Everything is highly experimental :).
There is no refpolicy deb. The refpolicy needs changes, so I simply
take refpolicy from subversion:

http://oss.tresys.com/repos/refpolicy/trunk

Cheers
-- 
Zito
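
The symptom discussed in this thread (a login mapped to staff_u whose session still runs as user_u) can be checked mechanically. The script below is an added example, not part of the original message or of any project mentioned in it. The function names are hypothetical, the sample mapping table is constructed in the shape quoted above, and %group entries are not evaluated.

```shell
#!/bin/sh
# Compare the SELinux user a login mapping promises with the SELinux
# user of the context the session actually received.

# expected_seuser LOGIN   (reads `semanage login -l` text on stdin)
# Prints the mapped SELinux user, falling back to the __default__ entry.
expected_seuser() {
    awk -v login="$1" '
        NF < 2 || $1 == "Login" { next }      # skip blank and header lines
        $1 == login             { exact = $2 }
        $1 == "__default__"     { dflt = $2 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1       # no usable entry at all
        }'
}

# context_seuser CONTEXT: first field of user:role:type[:range]
context_seuser() {
    printf '%s\n' "${1%%:*}"
}

# check_mapping LOGIN CONTEXT   (mapping table on stdin)
# Returns 0 when they agree, 1 on mismatch, 2 when no mapping was found.
check_mapping() {
    want=$(expected_seuser "$1") || { echo "no mapping for $1"; return 2; }
    got=$(context_seuser "$2")
    if [ "$want" = "$got" ]; then
        echo "OK: $1 -> $got"
    else
        echo "MISMATCH: $1 is mapped to $want but the session runs as $got"
        return 1
    fi
}

# Constructed sample table; the __default__ and root rows are assumptions.
SAMPLE_MAP='Login Name  SELinux User

__default__ user_u
root        root
stefan      staff_u'

# Live use, run inside the session under test (semanage needs root):
#   semanage login -l | check_mapping "$(id -un)" "$(id -Z)"
```

A mismatch reported from an ssh session but not from a local login points at the ssh daemon build rather than at the policy or the mapping table.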


