On Monday 12 April 2004 13:06, Russell Coker wrote:
> On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene@xxxxxxxxx> wrote:
> > The following is a mixed bag of comments/questions related to SElinux...
> >
> > 1. I noticed that when I login as root from a VT I get the choice of 3
> > different roles (staff_r, sysadm_r, and system_r) but when I login as a
> > sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> > sysadm_r). Why the difference? Better still, is this intentional?
>
> The fact that you are offered system_r is a bug. Being offered the other
> two is OK, but you can turn this off by removing the "multiple" option from
> pam_selinux.so in the pam.d file.

OK, I will file a bugzilla report against policy (unless you suggest
something else).

[snip]

> > 3. In the /etc/security/selinux/src/policy/users file there are two
> > examples of defining a user having sysadm_r:
> >
> > # sample for administrative user
> > #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> > `system_r') };
> >
> > # sample for regular user
> > #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> > };
> >
> > Which one is the "right" one to use?
>
> jdoe is a regular user, jadmin is an administrative user. Which one you
> use for an account depends on whether they are a regular user or an admin.

I saw little difference in the capabilities. When I login from gdm, the
administrative user's role is sysadm_r. When I login from gdm, the "regular
user's" role is user_r but I can change to sysadm_r with the newrole
command. The "role" I am seeing is the result of running "id -Z" in a
terminal window.

As a regular user (e.g., jdoe), I can run things like system-config-users by
entering jdoe's password ... the same thing I have to do when I login as the
administrative user (e.g., jadmin).

I am also wondering what role is being used for most programs if I login as
the administrative user. Aren't these running with sysadm_r?

If so, it appears to me that the "safer" way is to use the "jdoe style"
since it seems to provide the same capabilities but defaults to user_r.

This leads to another question: just what capabilities does sysadm_r have
if I am running it as the default?

Also, if I ssh in (as admin user for example), I get exactly the same role
that I get when I login from gdm.

> > 4. In the above, I notice that if I login from gdm I get sysadm_r in the
> > first case and user_r in the second case. However, if I login from a VT,
> > the default role is sysadm_r in both cases. Is this operating correctly?
> > Why the difference? It seems to me that the correct operation should be
> > the same in both cases.
>
> See /etc/security/default_contexts .

I am not sure I see what this means (the contents of the file that is). The
implication I see is that I should not be able to ssh in with sysadm_r but I
do (see above).

[snip]

> > 6. Is there some command that will list the roles available for a user?
>
> The users file will contain the list, it should be possible to get the list
> from the kernel as well.

And the command to display the roles is ...?

[snip]

> > 10. Is there any documentation planned (but maybe not in FC2) which will
> > make recommendations on how to lock a system down using the tunable.te
> > file?
>
> Yes, we will have to do that.

This is going to be a must for a lot of individuals. They will need to see
how to lock things down (and a bit of why) in order to see why selinux is a
good thing. I also believe this needs to be rather cookbookish so that folks
do not have to work too hard to get some benefit. Otherwise a lot of folks
will be inclined to run selinux (witness the discussion on this list and
others about what the default will be for FC2 final).

Gene
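As an added example (not from this mail or from the Fedora policy sources), a small Python parser for the `users` file format quoted in item 3: it expands the m4 `ifdef` tunables so one can read off which roles an account is granted under a given set of enabled tunables, which is the question item 6 asks. The sample text is constructed from the two commented examples above with the comment markers removed.

```python
import re

# Constructed sample in the format of the policy/users file quoted in the
# mail: the two example entries, uncommented so they are live definitions.
SAMPLE_USERS = r"""
# sample for administrative user
user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
`system_r') };

# sample for regular user
user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
"""

# m4 ifdef(`NAME', `then-text'[, `else-text']); non-nested, which is all
# the users file uses.
IFDEF_RE = re.compile(r"ifdef\(`([^']*)',\s*`([^']*)'(?:,\s*`([^']*)')?\)")
# user NAME roles { ROLE ROLE ... };
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s*\{([^}]*)\}\s*;", re.M)


def expand_ifdef(text, defined):
    """Replace each ifdef(...) with its then- or else-branch depending on
    whether the tested name is in the set of defined tunables."""
    def repl(m):
        name, then, else_ = m.group(1), m.group(2), m.group(3) or ""
        return then if name in defined else else_
    return IFDEF_RE.sub(repl, text)


def roles_for_users(users_text, defined=frozenset()):
    """Return {user: [roles]} for the given users-file text, honouring the
    tunables in `defined` (names such as those enabled in tunable.te)."""
    joined = re.sub(r"\\\n", " ", users_text)        # join "\"-continued lines
    lines = [l for l in joined.splitlines()
             if not l.lstrip().startswith("#")]      # drop comment lines
    expanded = expand_ifdef("\n".join(lines), defined)
    return {m.group(1): m.group(2).split() for m in USER_RE.finditer(expanded)}


if __name__ == "__main__":
    for tunables in (set(), {"direct_sysadm_daemon", "user_canbe_sysadm"}):
        print(sorted(tunables), roles_for_users(SAMPLE_USERS, tunables))
```

With no tunables defined jadmin gets only staff_r and sysadm_r and jdoe only user_r; with both tunables enabled each account also gains the roles inside its `ifdef` branch.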