Re: Another dumb question...

[Daniel J Walsh <dwalsh redhat com>]

Jonathan Rawle wrote:

> On Fri, 02 Apr 2004 Stephen Smalley wrote:
>
>  
>
> > > Everything that I've read says that the 'su' command will change my
> > > Linux user ID but not my identity.  Here's what I see:
> > >
> > > # id -Z
> > > root:staff_r:staff_t
> > > # su fred
> > > Your default context is fred:sysadm_r:sysadm_t.
> > >
> > > Do you want to choose a different one? [n]n
> > > $ id -Z
> > > fred:sysadm_r:sysadm_t
> > >
> > > My identity changed from 'root' to 'fred'.  Bug?  That seems a pretty
> > > fundamental flaw considering that every document that I've read uses
> > > 'su' to explain the difference between a user ID and an identity.
> > >
> > > By the way, I see the same result whether I use 'su' or 'su -'.  I see
> > > the same result (a change in identity) whether I su from root to fred
> > > or from fred to root.
> > >
> > > So which one is right?  The documentation or the code?
> > >      
> > RedHat chose to integrate security context transitions into su (via
> > pam_selinux).  The NSA documentation and externally developed
> > sourceforge selinux HOWTOs/FAQs were written prior to that change.
> >    
>
> Unlike some posters here, I think SELinux is great, and I don't mean this
> to be a flame.
>
> But reading the existing documentation, I thought the idea of a SELinux
> identity being separate from the Unix user ID was that it couldn't change,
> so that it was possible to track people's activity, hold administrators to
> account, and to ensure users couldn't obtain escalating privileges.
>
> If RedHat have made the SELinux identity change with su, then it is
> identical to the Unix ID. Surely this weakens some of the security
> provided by SELinux? Hopefully someone can explain why I'm wrong!
>  
You are right.  We are designing SELinux to be used by the masses and we 
felt that
if we changed the way UNIX/Linux worked to radically people would just 
turn it off.
Or even worse go to a competitor :^(.  So we have the concept of 
tunables which should
be come more prevalent in future test versions.  This will allow admins 
to select the amount
of protection they want including turning off user_canbe_admin which 
will separate users,
from staff by policy. 

Our goal in the first release is to introduce MAC and protect the 
external facing (networked daemons).
So these will be protected by MAC.


So if you had a machine that only served web pages, you could turn off 
all the tunables, and end up with
the pretty much the policy the NSA intended.

> P.S. please can we add this list to Gmane? I read other Fedora lists
> there, but I've avoided subscribing to this one as I prefer to use a
> newsgroup interface.
>
>
> Jonathan
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>