problems switching between roles (newrole)

Philip Tricca phil at noggle.biz
Mon May 7 20:04:11 UTC 2007 

Christopher J. PeBenito wrote:
> On Mon, 2007-05-07 at 15:03 -0400, Philip Tricca wrote:
>> Hello List,
>>
>> Question about managing roles:  I'm trying to setup my user to have 
>> access to both the unprivileged user_r role and the administrative role 
>> sysadm_r.  My system is FC6 using the latest policy from yum:
> [...]
>> I've created new SELinux user:
>> semanage user -a -R sysadm_r -R user_r -P user MyUser_u
>>
>> I've associated a Linux user with my SELinux user:
>> semanage login -a -s MyUser_u MyUser
>>
>> When I login with my new user I see ...
>>
>> <shell>
>> 	[MyUser at test ~]$ id -Z
>> 	MyUser_u:user_r:user_t
>> 	[MyUser at test ~]$ newrole -r sysadm_r -t sysadm_t
>> 	Authenticating MyUser.
>> 	Password:
>> 	failed to exec shell
>> 	: Permission denied
>> 	[MyUser at test ~]$
>> </shell>
>>
>> The initial role is user_r which I like.  But when MyUser attempts to 
>> change to the new role (sysadm_r through use of newrole)... they cannot.
>>
>> <avc>
>> type=AVC msg=audit(1178544785.335:2418): avc:  denied  { transition } 
>> for  pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 
>> scontex=MyUser_u:user_r:newrole_t:s0 
>> tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process
>> </avc>
> [...]
>> A similar problem seems to arise when associating Linux users with 
>> user_r, staff_r and sysadm_r.  The user will login with the default 
>> staff_r, will be able to newrole up to the sysadm_r role, but cannot 
>> change their role to user_r through similar means (newrole -r user_r -t 
>> user_t).
> 
> Allowed role changes are defined in the policy, and the stock policy
> does not allow a change of staff_r <-> user_r or user_r -> sysadm_r.
> 
>> I'd assume it's a fairly standard practice to make an SELinux user with 
>> the user_r and sysadm_r roles
> 
> No, user_r is for generic unprivileged users.  If you want an
> unprivileged user that can change to the sysadm_r, you should be using
> staff_r instead of user_r.  User_r and staff_r basically have the same
> rules except staff_r can change to sysadm_r, where user_r can't.

Excellent!  I haven't ventured deep into the policy src yet, but a quick 
grep on staff_r shows everything you describe quite clearly in the 
policy/modules/system/userdomain files

After putting my user in staff_r & sysadm_r and relabeling my home dir 
everything works as expected.

Thanks,
- Philip

More information about the fedora-selinux-list mailing list