user_u identity

[Stephen Smalley]

On Tue, 2005-07-12 at 20:15 +0530, Preeti Malakar wrote:
>     user_u is a generic user identity for Linux users who have no
> SELinux user identity defined
> why is user_u authorized for roles sysadm_r and system_r 
> why is the user_r allowed to make a transition to sysadm_r and
> system_r ( as in rbac file)

- Which release of Fedora Core (2, 3, 4)? 
cat /etc/redhat-release  
- Which policy (targeted, strict)?
grep ^SELINUXTYPE /etc/selinux/config
- Which version of policy?
rpm -q selinux-policy-targeted
or 
rpm -q selinux-policy-strict

Under targeted policy, users are not confined, only specific daemons are
confined.  The user/role support is effectively unused, and only TE is
used to confine daemons based on allowed domain transitions.  The same
basic set of users and roles from the strict policy are defined for
security context compatibility, but they are not used for enforcement
and are not restricted.

Under strict policy, users are confined (along with daemons and some
user programs), and user_u should only be authorized for user_r.  user_r
may be allowed to transition to sysadm_r (via su/sudo/userhelper if the
user knows the root password) if the user_canbe_sysadm tunable is
enabled; otherwise, you have to explicitly add users and authorize them
for staff_r.

-- 
Stephen Smalley
National Security Agency