On Thu, 2004-04-15 at 17:21, Gene Czarcinski wrote:
IIRC, it used to be that if I logged in from gdm as a sysadm_r user
and sysadm_r) as defined in users, I would be logged in with sysadm_r. This
appears to have changed (or my memory is faulty). The default for a sysadm_r
user is to get staff_r and must use newrole -r sysadm_r to get that. Good!
That is the way I think it should work.
Yes, I think that this was wrong earlier in default_contexts and
subsequently changed. console login might still default to sysadm_r.
The same is true for root. As far as selinux is concerned, root is
another sysadm_r user and the default role logging in from gdm is staff_r.
Is this what should be done. This will certainly be a change for most users.
When I login as root from gdm, I do not expect that I will be prompted for
root's password when I invoke system-config-users from the menu.
You can create a /root/.default_contexts file that will take precedence
over /etc/security/default_contexts for root logins. So you can still
have 'root' default to sysadm_r if desired.
I also notice that doing an "su -" to root or another
sysadm_r user will
default to sysadm_r role for that user. if it is from another sysadm_r user,
then I get a choice of sysadm_r (default) or staff_r. If it is from a user_r
user, then no choice, I just get sysadm_r.
This has to do with the allowed role transitions in the policy. The
standard policy didn't allow user_r -> sysadm_r at all; the
user_canbe_sysadm tunable introduced a user_r -> sysadm_r transition,
but did not include a user_r -> staff_r transition.
No real reason to omit it in that case.
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency