I have a hardened selinux pic system using nss_ldap and pam_krb5 for user registration. If I login using a user that is not in the passwd file (thus in ldap/kerberos) I can not use the newrole command. If I add the following rules, it does work:

#newrole / nss ldap
allow newrole_t home_root_t:dir search;
allow newrole_t nscd_var_run_t:dir search;
allow newrole_t user_home_dir_t:dir search;
allow system_chkpwd_t nscd_var_run_t:dir search;
allow system_chkpwd_t staff_devpts_t:chr_file { read write };

If I run ssh I get: You don't exist, go away! I have to add the following rules:

#ssh / nss ldap
allow staff_ssh_t ldap_port_t:tcp_socket name_connect;
allow user_ssh_t ldap_port_t:tcp_socket name_connect;

Also passwd needs the following rules to be able to update kerberos passwords.

#passwd
can_network_server(passwd_t)
can_kerberos(passwd_t)
allow passwd_t self:netlink_route_socket { read nlmsg_read write getattr bind create };
allow passwd_t sysctl_kernel_t:dir search;
allow passwd_t sysctl_kernel_t:file read;
allow passwd_t self:tcp_socket connect;
can_ldap(passwd_t)

I need this functionality because I'm working on a heimdal/ldap/krb5 selinux policy, which I will post later when it's ready.
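The allow rules above are the kind of output one derives from AVC denials by feeding the audit log to audit2allow. The following is an added example, not part of the bug report or the attached policy: a small Python script that parses constructed AVC denial lines (in the classic dmesg/auditd format, modelled on the reporter's newrole, unix_chkpwd and ssh cases) and merges denials sharing the same source type, target type and object class into one allow rule, writing the target as self when it equals the source. The sample lines, PIDs, inodes and paths are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the bug report).
# scontext/tcontext carry user:role:type; only the type field matters for the rule.
SAMPLE_AVC = """\
avc:  denied  { search } for  pid=1234 comm="newrole" name="home" dev=hda3 ino=12 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:home_root_t tclass=dir
avc:  denied  { search } for  pid=1234 comm="newrole" name="nscd" dev=hda3 ino=13 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
avc:  denied  { read } for  pid=1235 comm="unix_chkpwd" path="/dev/pts/2" dev=devpts ino=4 scontext=staff_u:staff_r:system_chkpwd_t tcontext=staff_u:object_r:staff_devpts_t tclass=chr_file
avc:  denied  { write } for  pid=1235 comm="unix_chkpwd" path="/dev/pts/2" dev=devpts ino=4 scontext=staff_u:staff_r:system_chkpwd_t tcontext=staff_u:object_r:staff_devpts_t tclass=chr_file
avc:  denied  { name_connect } for  pid=1240 comm="ssh" dest=389 scontext=staff_u:staff_r:staff_ssh_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
avc:  denied  { create } for  pid=1250 comm="passwd" scontext=system_u:system_r:passwd_t tcontext=system_u:system_r:passwd_t tclass=netlink_route_socket
"""

# One denial line: the braced permission list, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, set_of_perms) per denial line.

    Lines that do not look like an AVC denial are skipped.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # third field is the type
        ttype = m.group("tcon").split(":")[2]
        perms = set(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def denials_to_allow_rules(text):
    """Merge denials with the same (source, target, class) into one allow rule.

    This mirrors what audit2allow does: several denials for different
    permissions on the same object class collapse into a single rule with a
    braced permission set, and a target equal to the source is written as self.
    Returns the rules as a sorted list of strings.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms

    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AVC):
        print(rule)
```

Each generated rule should still be reviewed by hand before it goes into a policy: a rule like the tcp_socket name_connect one is better expressed through the policy's own interface (can_ldap in this policy tree) so that it stays in step with the rest of the policy, and a denial may also indicate a mislabelled file rather than a missing rule, as with the krb5cc credential cache discussed later in this bug.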
Portage 2.0.54 (selinux/2005.1/x86, gcc-3.4.5, glibc-2.3.5-r3, 2.6.14-hardened-r6 i686)
=================================================================
System uname: 2.6.14-hardened-r6 i686 Celeron (Coppermine)
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python: 2.3.5-r2, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks loadpolicy sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo/"
LINGUAS="nl en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 bash-completion berkdb bzip2 bzlib caps crypt expat ftp gd gdbm gif gpm hardened imap ipv6 java jikes jpeg kerberos ldap logrotate maildir mime mmx ncurses nls pam pcre perl pic png posix postgres python readline sasl selinux sockets ssl symlink sysfs tcpd threads udev usb vhosts x86 zlib linguas_nl linguas_en userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY
Please keep in mind that the current Gentoo selinux policies are in a frozen state, and will be replaced by reference policy modules in the near future. See http://serefpolicy.sourceforge.net/ for details.
(In reply to comment #1)
> please keep in mind that the current Gentoo selinux policies are in a frozen
> state, and will be replaced by reference policy modules in the near future.
>
> see http://serefpolicy.sourceforge.net/ for details
>

I noticed that, but I run this as a graduation project. And I have to graduate early this summer... I tried to get some answers at the gentoo-hardened list on how much the policy rules will differ. But I had no luck getting answers. My thought was the program rules looked very alike, and needed little adoption. But now I see they totally restructured and rewritten everything. I also can not find any documentation on how this new policy will work on a current gentoo release in its current state, only on fedora. I do not have time to switch distro. So what should I do?
Created attachment 88007 [details]
Heimdal te SELinux file

Here is my heimdal with ldap policy. File context will follow.
Created attachment 88008 [details]
Heimdal fc SELinux file
Created attachment 88010 [details]
Heimdal te SELinux macro file

Macro for heimdal with ldap policy. Add the macro to the base_user_domain macro in macros/base_user_macros.te:

#create heimdal user domain
ifdef(`heimdal-LDAP.te', `krb5cc_domain($1)')
Additional comment: This policy has a custom krb5cc file location in /var/heimdal/krb5cc, because otherwise the tmp domain will be used, which will not work. For example, if the pam_krb5 module creates the krb5cc it will be labeled login_tmp_t, and then afterwards users can't read their own credentials.
Please rebase to the 2007.1 reference policy if this is still a concern; otherwise this should be closed.
Never was rebased for reference policy.