problems switching between roles (newrole)
Christopher J. PeBenito
cpebenito at tresys.com
Mon May 7 19:33:16 UTC 2007
On Mon, 2007-05-07 at 15:03 -0400, Philip Tricca wrote:
> Hello List,
>
> Question about managing roles: I'm trying to setup my user to have
> access to both the unprivileged user_r role and the administrative role
> sysadm_r. My system is FC6 using the latest policy from yum:
[...]
> I've created new SELinux user:
> semanage user -a -R sysadm_r -R user_r -P user MyUser_u
>
> I've associated a Linux user with my SELinux user:
> semanage login -a -s MyUser_u MyUser
>
> When I login with my new user I see ...
>
> <shell>
> [MyUser at test ~]$ id -Z
> MyUser_u:user_r:user_t
> [MyUser at test ~]$ newrole -r sysadm_r -t sysadm_t
> Authenticating MyUser.
> Password:
> failed to exec shell
> : Permission denied
> [MyUser at test ~]$
> </shell>
>
> The initial role is user_r which I like. But when MyUser attempts to
> change to the new role (sysadm_r through use of newrole)... they cannot.
>
> <avc>
> type=AVC msg=audit(1178544785.335:2418): avc: denied { transition }
> for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298
> scontex=MyUser_u:user_r:newrole_t:s0
> tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process
> </avc>
[...]
> A similar problem seems to arise when associating Linux users with
> user_r, staff_r and sysadm_r. The user will login with the default
> staff_r, will be able to newrole up to the sysadm_r role, but cannot
> change their role to user_r through similar means (newrole -r user_r -t
> user_t).

Allowed role changes are defined in the policy, and the stock policy
does not allow a change of staff_r <-> user_r or user_r -> sysadm_r.

> I'd assume it's a fairly standard practice to make an SELinux user with
> the user_r and sysadm_r roles

No, user_r is for generic unprivileged users. If you want an
unprivileged user that can change to the sysadm_r, you should be using
staff_r instead of user_r. User_r and staff_r basically have the same
rules except staff_r can change to sysadm_r, where user_r can't.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
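The role rules Chris describes can be checked mechanically. The following is an added example, not code from the post or from the SELinux project: it parses role-allow rules written in policy-source syntax and maps the `{ transition }` AVC from the post to the role pair it involves. Both the rule text and the AVC line are constructed here to match what the thread states, not copied from the real FC6 policy.

```python
import re

# Constructed role-allow rules in policy-source syntax ("allow <src_r> <dst_r>;").
# Shaped to match the reply: staff_r may reach sysadm_r, user_r may not,
# and staff_r <-> user_r is not allowed either. Not the real FC6 policy.
SAMPLE_ROLE_ALLOW_RULES = """
allow staff_r sysadm_r;
allow sysadm_r staff_r;
allow system_r { staff_r sysadm_r user_r };
"""

# Constructed AVC line modelled on the one in the post.
SAMPLE_AVC = (
    'type=AVC msg=audit(1178544785.335:2418): avc: denied { transition } '
    'for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 '
    'scontext=MyUser_u:user_r:newrole_t:s0 '
    'tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process'
)

# Matches role-allow rules only: a TE allow rule has "type:class" after the
# second word, so it never ends in ";" right after a role name or brace set.
RULE_RE = re.compile(r"^\s*allow\s+(\w+_r)\s+(\{[^}]*\}|\w+_r)\s*;", re.M)
CTX_RE = re.compile(r"scontext=\w+:(\w+):\w+.*?tcontext=\w+:(\w+):\w+")


def parse_role_allow(policy_text):
    """Return {source_role: set(target_roles)} from 'allow r1 r2;' rules."""
    allowed = {}
    for src, dst in RULE_RE.findall(policy_text):
        allowed.setdefault(src, set()).update(dst.strip("{} ").split())
    return allowed


def role_change_allowed(rules, src_role, dst_role):
    """Staying in the same role needs no rule; any change needs one."""
    return src_role == dst_role or dst_role in rules.get(src_role, set())


def explain_avc(avc_line, policy_text):
    """For a 'denied { transition }' on class process, report the role pair
    and whether a role-allow rule covers it. Only the role half of the
    transition is checked here; the type half (newrole_t -> sysadm_t) is
    governed by separate TE rules that this example does not parse."""
    if "{ transition }" not in avc_line or "tclass=process" not in avc_line:
        return None
    m = CTX_RE.search(avc_line)
    if not m:
        return None
    src_role, dst_role = m.groups()
    ok = role_change_allowed(parse_role_allow(policy_text), src_role, dst_role)
    return {"from": src_role, "to": dst_role, "role_allowed": ok}
```

Running `explain_avc(SAMPLE_AVC, SAMPLE_ROLE_ALLOW_RULES)` on the post's denial reports user_r -> sysadm_r with no covering rule, which is the situation the reply describes.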