newrole using SELinux user identity for password lookups

[Stephen Smalley]

On Wed, 2004-04-21 at 15:02, Colin Walters wrote:
> The user_canbe_sysadm tunable is on by default, but the user can't use
> newrole to get to that role - only su.
> 
> So how to fix this bug?  I understand the reason we're using the SELinux
> user identity - SELinux doesn't want to trust the Linux uid.  But
> perhaps it would be good if we had a way to say that for particular
> SELinux user identities like user_u, newrole could just use the Linux
> uid for authentication.

The only purpose of the newrole re-authentication is to force a user
interaction to verify user intent prior to a role change, as opposed to
some malicious code that happens to be run by the user being able to
change roles without the user's awareness.  The policy governs who can
enter the role, not the newrole program.  Anything could be substituted
for the re-authentication, as long as it provides some confidence of
user confirmation and is not easily spoofed by malicious code.  Long
term, the right solution is to use a trusted path mechanism once one
becomes available in Linux.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency