vnd n00b
Joined: 28 Jan 2011 Posts: 19
Posted: Thu Mar 21, 2013 5:18 pm Post subject: SELinux default user context |
Hi everyone,
I have a little problem with my SELinux setup; more precisely, it's about setting the right default context for a system user. The story is short: I tried to set up the SELinux strict policy, but because of a lack of knowledge and time to write my own policies I decided to switch to the targeted one. I changed the policy type in the /etc/selinux/config file and tried to relabel the entire filesystem using rlpkg. When I rebooted the system, during login I noticed the message:
Code:
Would you like to enter security context? [N]
Using the default option I ended up with the default context system_u:system_r:local_login_t and was unable to merge anything or change the role to sysadm_r. Next I tried to re-emerge all of the packages including: sys-libs/pam, sys-auth/pambase, sys-apps/checkpolicy, sys-apps/policycoreutils, sec-policy/selinux-base-policy and more... I also tried to clear the security context of all files and relabel the filesystem once again, with no effect. The only difference was that I was able to log in with context system_r:system_r:kernel_t, which gave me nothing. As I remember, when I completed my previous setup of an SELinux targeted system the root account had the context unconfined_u:unconfined_r:unconfined_t, and that is what I want to achieve. My /etc/pam.d/system-login is:
Code:
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so onerr=succeed
password include system-auth
session optional pam_loginuid.so
session required pam_selinux.so close
session required pam_env.so
session optional pam_lastlog.so
session required pam_selinux.so multiple open
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so

In make.conf there is also an entry: POLICY_TYPES="targeted". The profile I use is hardened/linux/amd64/no-multilib/selinux. The system is no more than two days old, so a lot of things are set to default. Any help would be highly appreciated.
vnd n00b
Joined: 28 Jan 2011 Posts: 19
Posted: Thu Mar 21, 2013 5:41 pm Post subject: |
Ok... the solution was easy, but maybe it will be useful for someone else: the targeted policy requires the sec-policy/selinux-unconfined module to work properly. Strange, it hasn't been added as a dependency to sec-policy/selinux-base-policy when switching to targeted mode.
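Added example, not part of the original posts: a shell check for the condition this thread ended on, a targeted policy type with no unconfined module in the loaded module list. The function names and the sample config and module lists in `demo` are constructed for illustration; it assumes the module list is saved `semodule -l` output.

```shell
#!/bin/sh
# Added example. Paths and module-list text in demo() are constructed samples.

# Print the SELINUXTYPE value from a file in /etc/selinux/config format.
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Read `semodule -l` output on stdin; succeed if a module named "unconfined"
# is listed (older semodule prints "name version", newer prints only the name).
has_unconfined() {
    awk '$1 == "unconfined" { found = 1 } END { exit !found }'
}

# check_login_policy CONFIG_FILE MODULE_LIST_FILE
# Returns 1 only for the case in this thread: targeted policy, no unconfined module.
check_login_policy() {
    ptype=$(policy_type "$1")
    if [ "$ptype" != "targeted" ]; then
        echo "SELINUXTYPE=$ptype: check applies to targeted only"
        return 0
    fi
    if has_unconfined < "$2"; then
        echo "targeted: unconfined module loaded"
        return 0
    fi
    echo "targeted: unconfined module missing, install sec-policy/selinux-unconfined"
    return 1
}

# Constructed sample input so the script runs offline. On a live system:
#   semodule -l > mods.txt && check_login_policy /etc/selinux/config mods.txt
demo() {
    d=$(mktemp -d)
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'application\t1.2.0\nauthlogin\t2.4.2\nlocallogin\t1.11.0\n' > "$d/broken"
    printf 'application\t1.2.0\nunconfined\t3.5.0\n' > "$d/fixed"
    check_login_policy "$d/config" "$d/broken" || echo "-> exit status 1"
    check_login_policy "$d/config" "$d/fixed"
    rm -rf "$d"
}
demo
```

After installing the module, `id -Z` in a fresh login session shows which context the login actually received.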