Some questions relating to selinux
Gene Czarcinski
gene at czarc.net
Mon Apr 12 18:00:34 UTC 2004
On Monday 12 April 2004 13:06, Russell Coker wrote:
> On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene at czarc.net> wrote:
> > The following is a mixed bag of comments/questions related to SElinux...
> >
> > 1. I noticed that when I login as root from a VT I get the choice of 3
> > different roles (staff_r, sysadm_r, and system_r) but when I login as a
> > sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> > sysadm_r). Why the difference? Better still, is this intentional?
>
> The fact that you are offered system_r is a bug. Being offered the other
> two is OK, but you can turn this off by removing the "multiple" option from
> pam_selinux.so in the pam.d file.
OK, I will file a bugzilla report against policy (unless you suggest something
else).
[snip]
> > 3. In the /etc/security/selinux/src/policy/users file there are two
> > examples of defining a user having sysadm_r:
> >
> > # sample for administrative user
> > #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> > `system_r') };
> >
> > # sample for regular user
> > #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> > };
> >
> > Which one is the "right" one to use?
>
> jdoe is a regular user, jadmin is an administrative user. Which one you
> use for an account depends on whether they are a regular user or an admin.
I saw little difference in the capabilities. When I login from gdm, the
administrative user's role is sysadm_r. When I login from gdm, the "regular
user's" role is user_r but I can change to sysadm_r with the newrole command.
The "role" I am seeing is the result of running "id -Z" in a terminal window.
As a regular user (e.g., jdoe), I can run things like system-config-users by
entering jdoe's password ... the same thing I have to do when I login as the
administrative user (e.g., jadmin).
I am also wondering what role is being used for most programs if I login as the
administrative user. Aren't these running with sysadm_r? If so, it appears
to me that the "safer" way is to use the "jdoe style" since it seems to
provide the same capabilities but defaults to user_r.
This leads to another question: just what capabilities does sysadm_r have if I
am running it as the default?
Also, if I ssh in (as admin user for example), I get exactly the same role
that I get when I login from gdm.
>
> > 4. In the above, I notice that if I login from gdm I get sysadm_r in the
> > first case and user_r in the second case. However, if I login from a VT,
> > the default role is sysadm_r in both cases. Is this operating correctly?
> > Why the difference? It seems to me that the correct operation should be
> > the same in both cases.
>
> See /etc/security/default_contexts .
I am not sure I see what this means (the contents of the file that is). The
implication I see is that I should not be able to ssh in with sysadm_r but I
do (see above).
[snip]
> > 6. Is there some command that will list the roles available for a user?
>
> The users file will contain the list, it should be possible to get the list
> from the kernel as well.
And the command to display the roles is ...?
[snip]
> > 10. Is there any documentation planned (but maybe not in FC2) which will
> > make recommendations on how to lock a system down using the tunable.te
> > file?
>
> Yes, we will have to do that.
This is going to be a must for a lot of individuals. They will need to see
how to lock things down (and a bit of why) in order to see why selinux is a
good thing. I also believe this needs to be rather cookbookish so that folks
do not have to work too hard to get some benefit. Otherwise a lot of folks
will be inclined to run selinux (witness the discussion on this list and
others about what the default will be for FC2 final).
Gene
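As an added example (not code from this thread, and not part of the SELinux policy tools): a small Python parser for the `users` declaration syntax quoted above, including the m4 `ifdef` conditionals, that lists the roles each declared user would be granted under a chosen set of policy tunables and reports which declarations would grant system_r, the role Russell says should not be offered at an interactive login. The sample file contents are constructed from the two commented-out examples in the message plus two ordinary declarations; the tunable names (`user_canbe_sysadm`, `direct_sysadm_daemon`) are the ones those examples mention.

```python
import re

# Constructed sample in the syntax of the policy users file quoted in the
# thread (the two commented-out samples, uncommented, plus two ordinary
# declarations). Not a copy of any shipped policy.
SAMPLE_USERS_FILE = r"""
# sample for administrative user
user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
    `system_r') };

# sample for regular user
user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };

user system_u roles system_r;
user user_u roles { user_r };
"""

# m4 conditional: ifdef(`NAME', `then-text') or ifdef(`NAME', `then', `else')
IFDEF_RE = re.compile(r"ifdef\(`([^']*)',\s*`([^']*)'(?:,\s*`([^']*)')?\)")
# user NAME roles { r1 r2 ... };   or   user NAME roles r1;
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;", re.M)


def expand_ifdefs(text, defined):
    """Resolve each m4 ifdef() against the set of tunables assumed defined."""
    def pick(m):
        name, then_text, else_text = m.group(1), m.group(2), m.group(3) or ""
        return then_text if name in defined else else_text
    return IFDEF_RE.sub(pick, text)


def parse_users(text, defined=frozenset()):
    """Map each declared SELinux user to the roles it would hold.

    Steps: join backslash-continued lines, drop '#' comments, resolve the
    ifdef conditionals for the given tunables, then read the declarations.
    """
    joined = re.sub(r"\\\n", " ", text)
    uncommented = "\n".join(line.split("#", 1)[0] for line in joined.splitlines())
    expanded = expand_ifdefs(uncommented, defined)
    users = {}
    for m in USER_RE.finditer(expanded):
        users[m.group(1)] = m.group(2).strip("{} ").split()
    return users


def users_with_role(users, role):
    """Users whose declaration grants `role` (e.g. system_r, which the thread
    says should not be offered at an interactive login)."""
    return sorted(u for u, roles in users.items() if role in roles)


if __name__ == "__main__":
    for tunables in (frozenset(), {"user_canbe_sysadm", "direct_sysadm_daemon"}):
        users = parse_users(SAMPLE_USERS_FILE, tunables)
        print("tunables defined:", sorted(tunables) or "none")
        for name, roles in users.items():
            print(f"  {name}: {' '.join(roles)}")
        print("  would be granted system_r:", users_with_role(users, "system_r"))
```

This reads the policy source, not the policy loaded in the kernel, so it answers "which roles does the users file give this account under these tunables" rather than "which roles is the running system offering"; with both tunables defined, the jdoe-style declaration ends up with exactly the same role set as the jadmin-style one, which is the point Gene makes above.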