Red Hat Bugzilla – Bug 444974
SELinux policy module does not have effect
Last modified: 2010-11-29 13:19:26 EST
Description of problem:
In RHEL 5.1, I have created a module for SELinux so that users can only see
their own homes and cannot list the contents of the /home directory.
Additionally they are restricted to run only a small set of commands. It is
based on the current guest module. I am using the targeted policy and have it
enabled and set to enforcing in the configuration file, but it does not work:
the policy module simply does not seem to have any effect.
Additionally, I have tried with Multi Category Security and Multi Level Security
to do the same thing, but still to no avail... it does not work, users are able
to access the whole system without restrictions.
I have used the exact same module on Fedora Core 8 and it works; however, on FC8
SELinux is version 2.6.x while in RHEL 5.1 SELinux is version 2.4.x.
The module compiles and gets loaded on both platforms, but once applied,
restrictions only work on fc8.
Is there any problem in RHEL with that module or am I doing anything wrong?
Is there an easier way to restrict users so that they can neither enter nor see
the homes of other users, nor list /home?
Version-Release number of selected component (if applicable): SELinux 2.4.x
How reproducible: Always
Steps to Reproduce:
1. Create a policy module
2. Compile the module
3. Load the module
4. Create a user and apply the policy module to the user
Actual results: The policy seems to have no effect at all.
Expected results: The policy should be working and users should not be able to
list /home, nor see the homes of other users.
Created attachment 304386
How do you have semanage configured?
You need to add a syncguest user account and then map a login user to the
syncguest account. You also need to create a
I did as explained in the manuals. As I have said before, the same configuration
works on fc8 (that implies that I followed the same steps on both systems).
# semanage user -a -R syncguest_r -P user -L s0 -r s0-s0 syncguest_u
# semanage login -a -s syncguest_u syncguest
Are you sure that /etc/selinux/targeted/contexts/users/synguest_u is really
needed when creating a module? It does not exist on fc8 and it still works...
Well Fedora 8 is perhaps a little more friendly to this policy...
When you login as synguest what does id -Z show?
You got a point there, I do not understand why it is not assigned correctly:
[setest@sync01 ~]$ id -Z
Got any clues?
# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
setest                    syncguest_u               s0
semanage user -l
There it goes:
semanage user -l
                Labeling   MLS/        MLS/
SELinux User    Prefix     MCS Level   MCS Range        SELinux Roles
root            user       s0          s0-s0:c0.c1023   system_r
syncguest_u     user       s0          s0               syncguest_r
system_u        user       s0          s0-s0:c0.c1023   system_r
user_u          user       s0          s0-s0:c0.c1023   system_r
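Cross-checking the two listings above, as an added example that is not part of this bug thread: a small Python script that parses `semanage login -l` and `semanage user -l` output and reports why a given login would not end up in the expected role (no login mapping, undefined SELinux user, or a user whose roles do not include it). The sample output is constructed from the values quoted in the thread; the function names are assumptions.

```python
# Added example (not from the bug thread): sample output constructed from the values quoted above.
SEMANAGE_LOGIN_L = """\
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
setest                    syncguest_u               s0
"""
SEMANAGE_USER_L = """\
                Labeling   MLS/        MLS/
SELinux User    Prefix     MCS Level   MCS Range        SELinux Roles
root            user       s0          s0-s0:c0.c1023   system_r
syncguest_u     user       s0          s0               syncguest_r
system_u        user       s0          s0-s0:c0.c1023   system_r
user_u          user       s0          s0-s0:c0.c1023   system_r
"""

def parse_logins(text):
    # Linux login -> (SELinux user, MLS/MCS range); the first line is the header
    logins = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            logins[parts[0]] = (parts[1], parts[2])
    return logins

def parse_users(text):
    # SELinux user -> set of allowed roles; skips the two-line header
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] not in ("Labeling", "SELinux"):
            users[parts[0]] = set(parts[4:])
    return users

def diagnose(login, expected_role, login_out=SEMANAGE_LOGIN_L, user_out=SEMANAGE_USER_L):
    # Reasons why `login` would not land in `expected_role` (empty list = mapping is consistent)
    logins, users = parse_logins(login_out), parse_users(user_out)
    problems = []
    if login not in logins:
        problems.append(f"{login} has no login mapping; it falls back to __default__")
    seuser, _ = logins.get(login, logins["__default__"])
    roles = users.get(seuser)
    if roles is None:
        problems.append(f"SELinux user {seuser} is not defined in the policy")
    elif expected_role not in roles:
        problems.append(f"{seuser} only allows roles {sorted(roles)}, not {expected_role}")
    return problems

if __name__ == "__main__":
    print(diagnose("setest", "syncguest_r") or "mapping for setest looks consistent")
```

For the listings in this thread the setest mapping itself checks out, so the empty `id -Z` output is not explained by the mapping tables alone.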