Bug 444974 - SELinux policy module does not have effect
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware: All Linux
Priority: low
Severity: high
Assigned To: Miroslav Grepl
Reported: 2008-05-02 10:35 EDT by Ioannis Aslanidis
Modified: 2010-11-29 13:19 EST
Doc Type: Bug Fix
Last Closed: 2010-11-29 13:19:26 EST
Attachments:
Policy module (4.48 KB, application/octet-stream), 2008-05-02 10:35 EDT, Ioannis Aslanidis

Description Ioannis Aslanidis 2008-05-02 10:35:04 EDT
Description of problem:

In RHEL 5.1, I have created a module for SELinux so that users can only see
their own homes and cannot list the contents of the /home directory.
Additionally they are restricted to run only a small set of commands. It is
based on the current guest module. I am using targeted policy and have it
enabled and set to enforcing on the configuration file, but it does not work:
the policy module simply does not seem to work.

Additionally, I have tried with Multi Category Security and Multi Level Security
to do the same thing, but still to no avail... it does not work, users are able
to access the whole system without restrictions.

I have used the exact same module on Fedora Core 8 and it works; however, on fc8
SELinux is version 2.6.x while in RHEL 5.1 SELinux is version 2.4.x.

The module compiles and gets loaded on both platforms, but once applied,
restrictions only work on fc8.

Is there any problem in RHEL with that module or am I doing anything wrong?

Is there an easier way to restrict users so that they cannot enter nor see
the homes of other users, nor list /home?


Version-Release number of selected component (if applicable): SELinux 2.4.x


How reproducible: Always


Steps to Reproduce:
1. Create a policy module
2. Compile the module
3. Load the module
4. Create a user and apply the policy module to the user
  
Actual results: The policy seems to have no effect at all.


Expected results: The policy should be working and users should not be able to
list /home, nor see the homes of other users.

Comment 1 Ioannis Aslanidis 2008-05-02 10:35:04 EDT
Created attachment 304386
Policy module

Comment 2 Daniel Walsh 2008-05-05 14:21:38 EDT
How do you have semanage configured?

You need to add a syncguest user account and then map a Login user to the
syncguest account.  You also need to create a
/etc/selinux/targeted/contexts/users/synguest_u file.

Comment 3 Ioannis Aslanidis 2008-05-06 04:57:13 EDT
I did as explained in the manuals. As I have said before, the same configuration
works on fc8 (that implies that I followed the same steps on both systems).

# semanage user -a -R syncguest_r -P user -L s0 -r s0-s0 syncguest_u
# semanage login -a -s syncguest_u syncguest

Are you sure that /etc/selinux/targeted/contexts/users/synguest_u is really
needed when creating a module? It does not exist on fc8 and it still works...

Comment 4 Daniel Walsh 2008-05-06 17:19:10 EDT
Well, Fedora 8 is perhaps a little more friendly to this policy...

When you log in as synguest what does id -Z show?

Comment 5 Ioannis Aslanidis 2008-05-07 11:34:04 EDT
You got a point there, I do not understand why it is not assigned correctly:

[setest@sync01 ~]$ id -Z
user_u:system_r:unconfined_t:s0


Got any clues?

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      root                      s0-s0:c0.c1023           
setest                    syncguest_u               s0

Comment 6 Daniel Walsh 2008-05-22 14:44:05 EDT
semanage user -l

Comment 7 Ioannis Aslanidis 2008-05-27 13:52:51 EDT
There it goes:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 system_r sysadm_r user_r
syncguest_u     user       s0         s0                             syncguest_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0-s0:c0.c1023                 system_r sysadm_r user_r
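
The cross-check that comments 4 and 5 carry out by hand, written as a script. This is an added example, not part of the original bug report or of the selinux-policy project: it compares the SELinux user that the semanage login map assigns to a login with the user field of that login's id -Z context. The function names are hypothetical, and the sample data is built from the output quoted in comment 5.

```shell
#!/bin/sh
# Constructed sample input: the `semanage login -l` rows and the `id -Z`
# value quoted in this report. On a live host, capture both commands instead.
LOGIN_MAP='__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
setest                    syncguest_u               s0'
SESSION_CONTEXT='user_u:system_r:unconfined_t:s0'

# mapped_seuser LOGIN: SELinux user the login map assigns to LOGIN; a login
# without its own row gets the __default__ row.
mapped_seuser() {
    printf '%s\n' "$LOGIN_MAP" | awk -v login="$1" '
        $1 == login         { own = $2 }
        $1 == "__default__" { def = $2 }
        END { print (own != "" ? own : def) }'
}

# context_field CONTEXT N: field N of user:role:type:level (1 = user).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_login LOGIN CONTEXT: print a verdict and return non-zero unless the
# session's SELinux user is the one mapped to LOGIN.
check_login() {
    want=$(mapped_seuser "$1")
    got=$(context_field "$2" 1)
    dflt=$(mapped_seuser __default__)
    if [ "$got" = "$want" ]; then
        echo "ok: $1 runs as $got"
    elif [ "$got" = "$dflt" ]; then
        echo "default-used: $1 is mapped to $want but runs as $got (the __default__ user)"
        return 1
    else
        echo "mismatch: $1 is mapped to $want but runs as $got"
        return 1
    fi
}

check_login setest "$SESSION_CONTEXT" || true
```

On the data in this report the verdict is default-used: the session carries the SELinux user of the __default__ row rather than the one in the setest row.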
