changing of sulogin for SELinux roles? - selinux - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

changing of sulogin for SELinux roles?

Problem after installing...

Anyone in the Boston area tonight...

Bill Nottingham

Wednesday, 21 September 2005 Wed, 21 Sep '05

3:13 p.m.

There's an open bug for changing sulogin to handle multiple accounts with uid 0. Wouldn't it also be useful to change it to check roles as well (for strict policy)? Bill

Reply

Show replies by date

Stephen Smalley

Wednesday, 21 September Wed, 21 Sep

3:26 p.m.

On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:

There's an open bug for changing sulogin to handle multiple accounts with uid 0. Wouldn't it also be useful to change it to check roles as well (for strict policy)?

Can you elaborate a little, or point to the bugzilla entry? It presently just uses the default context for "root" from sulogin's domain, where the default can be altered via the default_contexts configuration. Were you thinking of having it allow the user to select a context if multiple contexts are returned like pam_selinux does? -- Stephen Smalley National Security Agency

Reply

Bill Nottingham

3:32 p.m.

Stephen Smalley (sds(a)tycho.nsa.gov) said:

On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote: > There's an open bug for changing sulogin to handle multiple > accounts with uid 0. Wouldn't it also be useful to change > it to check roles as well (for strict policy)? Can you elaborate a little, or point to the bugzilla entry?

135154/168982. Basically, it currently only authenticates as 'root', while the suggestion was to allow it to authenticate as any user who has uid 0, even if that's not 'root'.

It presently just uses the default context for "root" from sulogin's domain, where the default can be altered via the default_contexts configuration. Were you thinking of having it allow the user to select a context if multiple contexts are returned like pam_selinux does?

That's one option. What I initially thought was that, if you have multiple users who are sysadm_r (or whatever), that it would allow you to authenticate as any of them. Bill

Reply

Stephen Smalley

3:33 p.m.

On Wed, 2005-09-21 at 16:32 -0400, Bill Nottingham wrote:

135154/168982. Basically, it currently only authenticates as 'root', while the suggestion was to allow it to authenticate as any user who has uid 0, even if that's not 'root'.

Ok, so the get_ordered_context_list() call would then take the username they chose instead of always being "root", I suppose. They would then need to define that user in policy and authorize them for sysadm_r (or comparable role) to make it work cleanly.

That's one option. What I initially thought was that, if you have multiple users who are sysadm_r (or whatever), that it would allow you to authenticate as any of them.

Ah, I see. We don't have a good interface yet to allow sulogin to get such a list of users with a particular role, although the ongoing libsepol/libsemanage work by Ivan should help there. -- Stephen Smalley National Security Agency

Reply

6791

days inactive

6791

days old

selinux@lists.fedoraproject.org

Manage subscription

3 comments

2 participants

tags (0)

participants (2)

Bill Nottingham
Stephen Smalley