Description of problem:
In RHEL 5.1, I have created a module for SELinux so that users can only see their own homes and cannot list the contents of the /home directory. Additionally they are restricted to run only a small set of commands. It is based on the current guest module. I am using targeted policy and have it enabled and set to enforcing in the configuration file, but it does not work: the policy module simply does not seem to work. Additionally, I have tried with Multi Category Security and Multi Level Security to do the same thing, but still to no avail... it does not work, users are able to access the whole system without restrictions.

I have used the exact same module on Fedora Core 8 and it works; however, on FC8 SELinux is version 2.6.x while in RHEL 5.1 SELinux is version 2.4.x. The module compiles and gets loaded on both platforms, but once applied, restrictions only work on FC8.

Is there any problem in RHEL with that module or am I doing anything wrong? Is there an easier way to restrict users so that they cannot enter nor see the homes of other users, nor list /home?

Version-Release number of selected component (if applicable):
SELinux 2.4.x

How reproducible:
Always

Steps to Reproduce:
1. Create a policy module
2. Compile the module
3. Load the module
4. Create a user and apply the policy module to the user

Actual results:
The policy seems to have no effect at all.

Expected results:
The policy should be working and users should not be able to list /home, nor see the homes of other users.
Created attachment 304386 [details] Policy module
How do you have semanage configured? You need to add a syncguest user account and then map a Login user to the syncguest account. You also need to create a /etc/selinux/targeted/contexts/users/synguest_u file.
I did as explained in the manuals. As I have said before, the same configuration works on FC8 (that implies that I followed the same steps on both systems).

    # semanage user -a -R syncguest_r -P user -L s0 -r s0-s0 syncguest_u
    # semanage login -a -s syncguest_u syncguest

Are you sure that /etc/selinux/targeted/contexts/users/synguest_u is really needed when creating a module? It does not exist on FC8 and it still works...
Well Fedora 8 is perhaps a little more friendly to this policy... When you login as synguest what does id -Z show?
You got a point there, I do not understand why it is not assigned correctly:

    [setest@sync01 ~]$ id -Z
    user_u:system_r:unconfined_t:s0

Got any clues?

    # semanage login -l

    Login Name           SELinux User         MLS/MCS Range

    __default__          user_u               s0
    root                 root                 s0-s0:c0.c1023
    setest               syncguest_u          s0
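The mismatch shown above (the login is mapped to syncguest_u, yet id -Z reports user_u) is the kind of thing worth checking mechanically. The following shell script is an added example, not code from this bug report or from the semanage tool: it parses a constructed sample of "semanage login -l" output, resolves the SELinux user a login maps to (falling back to __default__ and ignoring %group mappings), and compares it with the user field of an id -Z context.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output, mirroring the thread's listing.
SEMANAGE_LOGIN_SAMPLE='Login Name           SELinux User         MLS/MCS Range
__default__          user_u               s0
root                 root                 s0-s0:c0.c1023
setest               syncguest_u          s0'

# Print the SELinux user a Linux login maps to; if the login has no explicit
# entry, fall back to __default__ (group mappings are ignored in this example).
selinux_user_for_login() {
    login="$1"
    found=$(printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk -v l="$login" '$1 == l { print $2 }')
    if [ -z "$found" ]; then
        found=$(printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk '$1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$found"
}

# Extract the SELinux user field (first colon-separated field) from an `id -Z` context.
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Compare the mapped SELinux user with the one in the actual login context.
# Returns 0 on a match, 1 on a mismatch such as the one reported in this bug.
check_login_context() {
    expected=$(selinux_user_for_login "$1")
    actual=$(context_user "$2")
    if [ "$expected" = "$actual" ]; then
        echo "ok: $1 runs as $actual"
        return 0
    fi
    echo "mismatch: $1 is mapped to $expected but runs as $actual"
    return 1
}
```

On a live system the sample would be replaced by the real output of "semanage login -l" and the context by "id -Z" run as the user in question.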
semanage user -l
There it goes:

    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

    root            user       s0         s0-s0:c0.c1023   system_r sysadm_r user_r
    syncguest_u     user       s0         s0               syncguest_r
    system_u        user       s0         s0-s0:c0.c1023   system_r
    user_u          user       s0         s0-s0:c0.c1023   system_r sysadm_r user_r