On Monday 12 April 2004 13:06, Russell Coker wrote:
On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene(a)czarc.net>
wrote:
> The following is a mixed bag of comments/questions related to SElinux...
>
> 1. I noticed that when I login as root from a VT I get the choice of 3
> different roles (staff_r, sysadm_r, and system_r) but when I login as a
> sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> sysadm_r). Whe the difference? Better still, is this intentional?
The fact that you are offered system_r is a bug. Being offered the other
two is OK, but you can turn this off by removing the "multiple" option from
pam_selinux.so in the pam.d file.
OK, I will file a bugzilla report against policy (unless you suggest something
else).
[snip]
> 3. In the /etc/security/selinux/src/policy/users file there are
two
> examples of defining a user having sysadm_r:
>
> # sample for administrative user
> #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> `system_r') };
>
> # sample for regular user
> #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> };
>
> Which one is the "right" one to use?
jdoe is a regular user, jadmin is an administrative user. Which one you
use for an account depends on whether they are a regular user or an admin.
I saw little difference in the capabilities. When I login from gdm, the
administrative user's role is sysadm_4. When I login from gdm, the "regular
user's" role is user_r but I can change to sysadm_r with the newrole command.
The "role" I am seeing is the result of running "id -Z" in a terminal
window.
As a regular user (e.g., jdoe), I can run things like system-config-users by
entering jdoe's password ... the same thing I have to do when I login as the
administrative user (e.g., jadmin).
I am also wonder what role is being used for most programs if I login as the
adminstrative user. Aren't these running with sysadm_r. If so, it appears
to me that the "safer" way is to use the"jdoe style" since it seems to
provide the same capabilities but defaults to user_r.
This leads to another question: just what capabilities does sysadm_r have if I
am running it as the default?
Also, if I ssh in (as admin user for example), I get exactly the same role
that I get when I login from gdm.
> 4. In the above, I notice that if I login from gdm I get sysadm_r in the
> first case and user_r in the second case. However, if I login from a VT,
> the default role is sysadm_r in both cases. Is this operating correctly?
> Why the difference? It seems to me that the correct operation should be
> the same in both cases.
See /etc/security/default_contexts .
I am not sure I see what this means (the contents of the file that is). The
implication I see is that I should not be able to ssh in with sysadm_r but I
do (see above).
[snip]
> 6. Is there some command that will list the roles available for
a user?
The users file will contain the list, it should be possible to get the list
from the kernel as well.
And the command to display the roles is ...?
[snip]
> 10. Is there any documentation planned (but maybe not in FC2)
which will
> make recommendations on how to lock a system down using the tunable.te
> file?
Yes, we will have to do that.
This is going to be a must for a lot of individuals. They will need to see
hoiw to lock things down (and a bit of why) in order to see why seliniux is a
good thing. I also believe this needs to be rather cookbookish so that folks
do not have to work too hard to get some benefit. Otherwise a log of folks
will be inclined to run selinux (witness the discussion on this list and
others about what the default will be for FC2 final).
Gene