On Tue, 2005-07-12 at 20:15 +0530, Preeti Malakar wrote:
> user_u is a generic user identity for Linux users who have no
> SELinux user identity defined
> Why is user_u authorized for roles sysadm_r and system_r?
> Why is the user_r allowed to make a transition to sysadm_r and
> system_r (as in the rbac file)?
- Which release of Fedora Core (2, 3, 4)?
    cat /etc/redhat-release
- Which policy (targeted, strict)?
    grep ^SELINUXTYPE /etc/selinux/config
- Which version of policy?
    rpm -q selinux-policy-targeted
  or
    rpm -q selinux-policy-strict
Under targeted policy, users are not confined, only specific daemons are
confined. The user/role support is effectively unused, and only TE is
used to confine daemons based on allowed domain transitions. The same
basic set of users and roles from the strict policy are defined for
security context compatibility, but they are not used for enforcement
and are not restricted.
Under strict policy, users are confined (along with daemons and some
user programs), and user_u should only be authorized for user_r. user_r
may be allowed to transition to sysadm_r (via su/sudo/userhelper if the
user knows the root password) if the user_canbe_sysadm tunable is
enabled; otherwise, you have to explicitly add users and authorize them
for staff_r.
--
Stephen Smalley
National Security Agency
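The reply above explains that user_u should only be authorized for user_r under strict policy, and that user_r reaches sysadm_r only when the user_canbe_sysadm tunable enables the role transition in the rbac file. The following is an added example (not part of the thread, and not the Fedora policy sources) that audits a small constructed snippet in the strict-policy source syntax: `user NAME roles { ... };` declarations from a users file, `allow FROM_ROLE TO_ROLE;` role-transition rules from an rbac file, and an `if (tunable) { ... }` block. It reports which sensitive roles a user is directly authorized for and which it could reach through allowed role transitions, with the tunable switched on or off. The sample policy text and the `audit` helper are assumptions for illustration.

```python
import re

# Constructed sample in the style of the strict policy "users" file
# (illustrative only, not the real Fedora policy sources).
SAMPLE_USERS = """
user system_u roles { system_r };
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
"""

# Constructed sample in the style of the strict policy "rbac" file:
# unconditional role allow rules plus a block gated by a tunable.
SAMPLE_RBAC = """
# staff may become sysadm; sysadm may become system
allow staff_r sysadm_r;
allow sysadm_r system_r;
if (user_canbe_sysadm) {
    allow user_r sysadm_r;
    allow user_r system_r;
}
"""

USER_RE = re.compile(r'^\s*user\s+(\w+)\s+roles\s+\{([^}]*)\}\s*;', re.M)
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+)\s*;', re.M)
TUNABLE_RE = re.compile(r'if\s*\((\w+)\)\s*\{([^}]*)\}', re.S)


def strip_comments(text):
    """Drop '#' comments so they can never be mistaken for rules."""
    return re.sub(r'#.*', '', text)


def parse_users(text):
    """Map each SELinux user identity to the set of roles it is authorized for."""
    return {u: set(r.split()) for u, r in USER_RE.findall(strip_comments(text))}


def parse_rbac(text, tunables):
    """Map each role to the roles it may transition to.

    Rules inside an 'if (tunable) { ... }' block count only when that
    tunable is True in `tunables`; everything else is unconditional.
    """
    text = strip_comments(text)
    allowed = {}

    def add_rules(block):
        for src, dst in ALLOW_RE.findall(block):
            allowed.setdefault(src, set()).add(dst)

    for name, body in TUNABLE_RE.findall(text):
        if tunables.get(name, False):
            add_rules(body)
    add_rules(TUNABLE_RE.sub('', text))  # unconditional rules only
    return allowed


def audit_user(user, users, rbac, sensitive=('sysadm_r', 'system_r')):
    """Return the sensitive roles `user` holds directly and the ones it can
    reach from its roles via allowed role transitions (transitive closure)."""
    direct = users.get(user, set())
    reachable = set(direct)
    frontier = list(direct)
    while frontier:
        role = frontier.pop()
        for nxt in rbac.get(role, ()):
            if nxt not in reachable:
                reachable.add(nxt)
                frontier.append(nxt)
    return {
        'direct_sensitive': sorted(direct & set(sensitive)),
        'reachable_sensitive': sorted((reachable - direct) & set(sensitive)),
    }


def audit(user, tunables):
    """Convenience wrapper: audit `user` against the constructed sample policy."""
    return audit_user(user, parse_users(SAMPLE_USERS),
                      parse_rbac(SAMPLE_RBAC, tunables))


if __name__ == '__main__':
    for flag in (False, True):
        print('user_canbe_sysadm =', flag,
              '-> user_u:', audit('user_u', {'user_canbe_sysadm': flag}))
    print('root:', audit('root', {}))
```

With the tunable off, user_u is confined to user_r and cannot reach either sensitive role; turning user_canbe_sysadm on makes sysadm_r and system_r reachable from user_r exactly as the reply describes. The same check run over real policy sources would show whether an unexpected `user user_u roles { ... }` line or an unconditional `allow user_r sysadm_r;` rule is what grants the authorization being asked about.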