Gentoo Forums
SELinux default user context
vnd
n00b

Joined: 28 Jan 2011
Posts: 13

Posted: Thu Mar 21, 2013 5:18 pm    Post subject: SELinux default user context

Hi everyone,

I have a little problem with my SELinux setup; more precisely, it's about setting the right default context for a system user. The story is short: I tried to set up the SELinux strict policy, but because of a lack of knowledge and time to write my own policies, I decided to switch to the targeted one. I changed the policy type in the /etc/selinux/config file and tried to relabel the entire filesystem using rlpkg. When I rebooted the system, I noticed this message while logging in:
Code:
Would you like to enter security context? [N]

Using the default option, I ended up with the default context system_u:system_r:local_login_t and was unable to merge anything or change the role to sysadm_r. Next I tried to reemerge all of the packages, including sys-libs/pam, sys-auth/pambase, sys-apps/checkpolicy, sys-apps/policycoreutils, sec-policy/selinux-base-policy and more... I also tried to clear the security context of all files and relabel the filesystem once again, with no effect. The only difference was that I was able to log in with the context system_r:system_r:kernel_t, which gave me nothing. As I remember, when I completed my previous setup of an SELinux targeted system, the root account had the context unconfined_u:unconfined_r:unconfined_t, and that is what I want to achieve. My /etc/pam.d/system-login is:
Code:
auth      required   pam_tally2.so onerr=succeed
auth      required   pam_shells.so
auth      required   pam_nologin.so
auth      include      system-auth

account      required   pam_access.so
account      required   pam_nologin.so
account      include      system-auth
account      required   pam_tally2.so onerr=succeed

password   include      system-auth

session      optional   pam_loginuid.so
session      required   pam_selinux.so close
session      required   pam_env.so
session      optional   pam_lastlog.so
session      required   pam_selinux.so multiple open
session      optional   pam_motd.so motd=/etc/motd
session      optional   pam_mail.so


In make.conf there is also an entry: POLICY_TYPES="targeted". The profile I use is hardened/linux/amd64/no-multilib/selinux. The system is no more than two days old, so a lot of things are set to default. Any help would be highly appreciated.
vnd
n00b

Joined: 28 Jan 2011
Posts: 13

Posted: Thu Mar 21, 2013 5:41 pm

OK... the solution was easy, but maybe it will be useful for someone else: the targeted policy requires the sec-policy/selinux-unconfined module to work properly. Strange, it hasn't been added as a dependency to sec-policy/selinux-base-policy when switching to targeted mode.
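
A check for the condition described in the post above, as an added example that is not part of the thread. It assumes the module installed by sec-policy/selinux-unconfined shows up in `semodule -l` output under the name `unconfined`; the sample files and version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Flags one condition: SELINUXTYPE=targeted
# in the SELinux config while no "unconfined" policy module is loaded.
#   $1  copy of /etc/selinux/config
#   $2  saved output of `semodule -l` (module name is the first field)
# Return: 0 nothing to flag, 1 targeted without unconfined, 2 SELINUXTYPE missing
check_unconfined() {
    cfg=$1
    mods=$2
    # Take the last uncommented SELINUXTYPE= assignment, dropping trailing comments.
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$ptype" ]; then
        echo "SELINUXTYPE not set in $cfg" >&2
        return 2
    fi
    if [ "$ptype" != "targeted" ]; then
        echo "policy type is $ptype; this check only applies to targeted"
        return 0
    fi
    # Exact match on the first field, so a longer module name does not count.
    if awk '$1 == "unconfined" { found = 1 } END { exit !found }' "$mods"; then
        echo "targeted policy, unconfined module loaded"
        return 0
    fi
    echo "targeted policy, unconfined module missing (sec-policy/selinux-unconfined)"
    return 1
}

# Constructed sample input (not taken from the poster's system).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$demo_dir/config"
printf 'application\t2.20120725\nauthlogin\t2.20120725\n' > "$demo_dir/modules.before"
printf 'application\t2.20120725\nunconfined\t2.20120725\n' > "$demo_dir/modules.after"

check_unconfined "$demo_dir/config" "$demo_dir/modules.before" || echo "-> status $?"
check_unconfined "$demo_dir/config" "$demo_dir/modules.after"  || echo "-> status $?"
```

On a live system, pass /etc/selinux/config and a file holding the output of `semodule -l`.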