Re: Some questions relating to selinux
- From: Gene Czarcinski <gene czarc net>
- To: fedora-selinux-list redhat com
- Subject: Re: Some questions relating to selinux
- Date: Mon, 12 Apr 2004 14:00:34 -0400
On Monday 12 April 2004 13:06, Russell Coker wrote:
> On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene czarc net> wrote:
> > The following is a mixed bag of comments/questions related to SElinux...
> >
> > 1. I noticed that when I login as root from a VT I get the choice of 3
> > different roles (staff_r, sysadm_r, and system_r) but when I login as a
> > sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> > sysadm_r). Why the difference? Better still, is this intentional?
>
> The fact that you are offered system_r is a bug. Being offered the other
> two is OK, but you can turn this off by removing the "multiple" option from
> pam_selinux.so in the pam.d file.
OK, I will file a bugzilla report against policy (unless you suggest something
else).
[snip]
> > 3. In the /etc/security/selinux/src/policy/users file there are two
> > examples of defining a user having sysadm_r:
> >
> > # sample for administrative user
> > #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> > `system_r') };
> >
> > # sample for regular user
> > #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> > };
> >
> > Which one is the "right" one to use?
>
> jdoe is a regular user, jadmin is an administrative user. Which one you
> use for an account depends on whether they are a regular user or an admin.
I saw little difference in the capabilities. When I login from gdm, the
administrative user's role is sysadm_r. When I login from gdm, the "regular
user's" role is user_r but I can change to sysadm_r with the newrole command.
The "role" I am seeing is the result of running "id -Z" in a terminal window.
As a regular user (e.g., jdoe), I can run things like system-config-users by
entering jdoe's password ... the same thing I have to do when I login as the
administrative user (e.g., jadmin).
I am also wondering what role is being used for most programs if I login as the
administrative user. Aren't these running with sysadm_r? If so, it appears
to me that the "safer" way is to use the "jdoe style" since it seems to
provide the same capabilities but defaults to user_r.
This leads to another question: just what capabilities does sysadm_r have if I
am running it as the default?
Also, if I ssh in (as admin user for example), I get exactly the same role
that I get when I login from gdm.
>
> > 4. In the above, I notice that if I login from gdm I get sysadm_r in the
> > first case and user_r in the second case. However, if I login from a VT,
> > the default role is sysadm_r in both cases. Is this operating correctly?
> > Why the difference? It seems to me that the correct operation should be
> > the same in both cases.
>
> See /etc/security/default_contexts .
I am not sure I see what this means (the contents of the file that is). The
implication I see is that I should not be able to ssh in with sysadm_r but I
do (see above).
[snip]
> > 6. Is there some command that will list the roles available for a user?
>
> The users file will contain the list, it should be possible to get the list
> from the kernel as well.
And the command to display the roles is ...?
[snip]
> > 10. Is there any documentation planned (but maybe not in FC2) which will
> > make recommendations on how to lock a system down using the tunable.te
> > file?
>
> Yes, we will have to do that.
This is going to be a must for a lot of individuals. They will need to see
how to lock things down (and a bit of why) in order to see why selinux is a
good thing. I also believe this needs to be rather cookbookish so that folks
do not have to work too hard to get some benefit. Otherwise a lot of folks
will be inclined to run selinux (witness the discussion on this list and
others about what the default will be for FC2 final).
Gene
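Question 6 in the thread asks how to list the roles a user has, and the answer is that the policy source `users` file contains the list. The following is an added example (not code from the list, from Red Hat or from the SELinux project) that extracts the roles per user from declarations in the format quoted above, including the m4 `ifdef(`tunable', `roles')` conditional and backslash line continuations. The sample `users` text is constructed for the demonstration; the real file's example declarations are commented out, so here they are uncommented. Only the `ifdef` form with an optional else branch is handled, since that is the only macro used in the quoted declarations.

```python
"""List the roles granted to each user by SELinux policy 'users' declarations.

Constructed example modelling the old m4-based policy source format:

    user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };

Roles inside an ifdef() are granted only when the named tunable is defined,
so the same file yields different role sets depending on tunable settings.
"""
import re

# Constructed sample in the style of the quoted policy 'users' file.
SAMPLE_USERS = r"""
# system_u is the user identity for system processes
user system_u roles system_r;

# sample for administrative user
user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
`system_r') };

# sample for regular user
user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
"""

# ifdef(`NAME', `THEN') or ifdef(`NAME', `THEN', `ELSE'), m4 quoting style.
_IFDEF = re.compile(r"ifdef\(`([^']*)',\s*`([^']*)'(?:,\s*`([^']*)')?\)")

# user NAME roles { r1 r2 ... };   or   user NAME roles r1;
_USER_DECL = re.compile(r"\buser\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")


def expand_ifdefs(text, defined):
    """Replace each ifdef(...) with its THEN branch if the tunable is defined,
    otherwise with its ELSE branch (empty when none is given)."""
    def pick(match):
        name, then_branch, else_branch = match.group(1), match.group(2), match.group(3) or ""
        return then_branch if name in defined else else_branch
    return _IFDEF.sub(pick, text)


def parse_users(text, defined=()):
    """Return {user: [roles]} for the declarations in 'text', evaluated with
    the given set of defined tunables."""
    # Drop '#' comments line by line, then join backslash-continued lines.
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    joined = stripped.replace("\\\n", " ")
    joined = expand_ifdefs(joined, set(defined))
    roles_by_user = {}
    for match in _USER_DECL.finditer(joined):
        name, body = match.group(1), match.group(2)
        roles_by_user[name] = body.strip("{}").split()
    return roles_by_user


def roles_for(user, text=SAMPLE_USERS, defined=()):
    """Roles granted to a single user; empty list if the user is not declared."""
    return parse_users(text, defined).get(user, [])


if __name__ == "__main__":
    # Compare the role sets with and without the tunables from the sample.
    for tunables in ((), ("direct_sysadm_daemon", "user_canbe_sysadm")):
        print("tunables defined:", sorted(tunables) or "none")
        for user, roles in parse_users(SAMPLE_USERS, tunables).items():
            print(f"  {user}: {' '.join(roles)}")
```

Running it against the sample shows the point made in the thread: with no tunables defined, `jdoe` has only `user_r` while `jadmin` has `staff_r sysadm_r`; once `user_canbe_sysadm` is defined, `jdoe` can also reach `sysadm_r`, which is why the two declaration styles end up looking similar in practice.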