[DSE-Dev] SELinux and Linux user mapping

Stefan Schulze Frielinghaus stefan at seekline.net
Thu Feb 7 17:26:25 UTC 2008


On Wed, 2008-02-06 at 12:51 +0100, Václav Ovsík wrote:
> Hi,
> 
> On Tue, Feb 05, 2008 at 02:47:40PM -0500, Christopher J. PeBenito wrote:
> > On Tue, 2008-02-05 at 20:05 +0100, Stefan Schulze Frielinghaus wrote:
> > > Since my last upgrade to refpolicy-20071214 whenever I try to login with
> > > my username I'm in the default role (user).
> > > 
> > > $ semanage login -l
> > > [...]
> > > stefan	staff_u
> > > 
> > > But:
> > > 
> > > $ id
> > > uid=1000(stefan) gid=1000(stefan) groups=1000(stefan)
> > > context=user_u:user_r:user_t
> > > 
> > > I tried to login locally and remote via ssh. No AVCs are generated or
> > > whatever. Did I miss something? That's really strange. Did something
> > > change in the past?
> > > 
> > > Also other users are always logged in as user_u and not e.g. staff_u
> > > (enforcing or permissive mode does not change anything).
> > > I'm using Debian (testing).
> > 
> > I believe debian is using the openssh that has a broken configure script
> > (4.7) which improperly detects getseuserbyname() (it doesn't do -lselinux
> > on the compile test thus it always fails).  Debian might possibly be
> > using an old pam patch that doesn't use getseuserbyname().  But these
> > behavior changes wouldn't be tied to a policy change, unless you
> > previously had selinux users which corresponded to your linux user and
> > they were removed with the new policy.
> 
> Yes, that is right. I'm experimenting with Debian stable. Openssh in
> stable 4.3p2 is ok, 4.7 from unstable fails. With pam 0.99.9 mapping
> works through local login and ssh ok. I have a repository with some
> SELinux stuff available already, but I must write some instructions about
> it (probably some page on wiki.debian.org?). There are packages taken
> from Sid, sometimes updated with newer versions (the SELinux stuff is taken
> from upstream subversion). Some packages are simply backports from Sid.
> 
> If you want, you can try:
> 
> deb http://linux.i.cz/debian selinux-etch main
> 
> Everything is highly experimental :).
> There is no refpolicy deb. The refpolicy needs changes, so I simply
> take refpolicy from subversion:
> 
> http://oss.tresys.com/repos/refpolicy/trunk

Yeah, the problem seems to be with pam and openssh. At the weekend I will
try another debian-stable machine including your repository.

Thanks for the clarification!

-Stefan
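The thread turns on how a Linux login is mapped to an SELinux user: getseuserbyname() consults the policy's seusers file (an exact login entry first, then a %group entry, then __default__), and when the PAM or sshd build silently skips that lookup every login lands on the __default__ entry, which in refpolicy is user_u. The script below is an added illustration, not code from the thread or from libselinux, pam or openssh; it resolves the mapping from a constructed seusers sample in that precedence order and checks the result against a login context of the form `id -Z` prints, so a mismatch like the one reported above (staff_u mapped, user_u observed) is flagged.

```shell
#!/bin/sh
# Constructed sample in the /etc/selinux/<policy>/seusers format
# (login:seuser:range). Assumed values, not taken from any real system.
SEUSERS_SAMPLE='__default__:user_u:s0
stefan:staff_u:s0
%wheel:sysadm_u:s0'

# lookup KEY -> prints the SELinux user for an exact first-field match, if any.
lookup_seuser() {
    printf '%s\n' "$SEUSERS_SAMPLE" |
        awk -F: -v k="$1" '$1 == k { print $2; exit }'
}

# resolve_seuser LOGIN "GROUP1 GROUP2 ..." -> prints the SELinux user the
# mapping selects, in the order getseuserbyname() applies:
#   1. an entry for the login name itself
#   2. a %group entry for one of the user's groups
#   3. the __default__ entry
resolve_seuser() {
    _login=$1
    _groups=$2
    _hit=$(lookup_seuser "$_login")
    if [ -n "$_hit" ]; then printf '%s\n' "$_hit"; return 0; fi
    for _g in $_groups; do
        _hit=$(lookup_seuser "%$_g")
        if [ -n "$_hit" ]; then printf '%s\n' "$_hit"; return 0; fi
    done
    lookup_seuser __default__
}

# check_login LOGIN "GROUPS" CONTEXT -> exit 0 when the SELinux user in the
# running context (user:role:type[:range]) matches the mapping, 1 otherwise.
# A user_u result for a login mapped elsewhere means the lookup was skipped
# and the session fell through to __default__.
check_login() {
    _expected=$(resolve_seuser "$1" "$2")
    _actual=${3%%:*}
    [ "$_expected" = "$_actual" ]
}

# Stand-alone use: compare the current login against the sample mapping.
if [ -n "$1" ]; then
    check_login "$1" "$(id -Gn "$1" 2>/dev/null)" "$(id -Z 2>/dev/null)" \
        && echo "mapping honoured" || echo "fell back to __default__"
fi
```

Point SEUSERS_SAMPLE at the real seusers contents of the installed policy to turn this into a live check on a host.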
