On Monday 12 April 2004 13:06, Russell Coker wrote:
> On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene@xxxxxxxxx> wrote:
> > The following is a mixed bag of comments/questions related to SElinux...
> >
> > 1. I noticed that when I login as root from a VT I get the choice of 3
> > different roles (staff_r, sysadm_r, and system_r) but when I login as a
> > sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> > sysadm_r). Whe the difference? Better still, is this intentional?
>
> The fact that you are offered system_r is a bug. Being offered the other
> two is OK, but you can turn this off by removing the "multiple" option from
> pam_selinux.so in the pam.d file.
OK, I will file a bugzilla report against policy (unless you suggest something
else).
[snip]
> > 3. In the /etc/security/selinux/src/policy/users file there are two
> > examples of defining a user having sysadm_r:
> >
> > # sample for administrative user
> > #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> > `system_r') };
> >
> > # sample for regular user
> > #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> > };
> >
> > Which one is the "right" one to use?
>
> jdoe is a regular user, jadmin is an administrative user. Which one you
> use for an account depends on whether they are a regular user or an admin.
I saw little difference in the capabilities. When I login from gdm, the
administrative user's role is sysadm_4. When I login from gdm, the "regular
user's" role is user_r but I can change to sysadm_r with the newrole command.
The "role" I am seeing is the result of running "id -Z" in a terminal window.
As a regular user (e.g., jdoe), I can run things like system-config-users by
entering jdoe's password ... the same thing I have to do when I login as the
administrative user (e.g., jadmin).
I am also wonder what role is being used for most programs if I login as the
adminstrative user. Aren't these running with sysadm_r. If so, it appears
to me that the "safer" way is to use the"jdoe style" since it seems to
provide the same capabilities but defaults to user_r.
This leads to another question: just what capabilities does sysadm_r have if I
am running it as the default?
Also, if I ssh in (as admin user for example), I get exactly the same role
that I get when I login from gdm.
>
> > 4. In the above, I notice that if I login from gdm I get sysadm_r in the
> > first case and user_r in the second case. However, if I login from a VT,
> > the default role is sysadm_r in both cases. Is this operating correctly?
> > Why the difference? It seems to me that the correct operation should be
> > the same in both cases.
>
> See /etc/security/default_contexts .
I am not sure I see what this means (the contents of the file that is). The
implication I see is that I should not be able to ssh in with sysadm_r but I
do (see above).
[snip]
> > 6. Is there some command that will list the roles available for a user?
>
> The users file will contain the list, it should be possible to get the list
> from the kernel as well.
And the command to display the roles is ...?
[snip]
> > 10. Is there any documentation planned (but maybe not in FC2) which will
> > make recommendations on how to lock a system down using the tunable.te
> > file?
>
> Yes, we will have to do that.
This is going to be a must for a lot of individuals. They will need to see
hoiw to lock things down (and a bit of why) in order to see why seliniux is a
good thing. I also believe this needs to be rather cookbookish so that folks
do not have to work too hard to get some benefit. Otherwise a log of folks
will be inclined to run selinux (witness the discussion on this list and
others about what the default will be for FC2 final).
Gene
