On Thu, 2004-04-15 at 17:21, Gene Czarcinski wrote:
> IIRC, it used to be that if I logged in from gdm as a sysadm_r user (staff_r
> and sysadm_r) as defined in users, I would be logged in with sysadm_r. This
> appears to have changed (or my memory is faulty). The default for a sysadm_r
> user is to get staff_r and must use newrole -r sysadm_r to get that. Good!
> That is the way I think it should work.

Yes, I think that this was wrong earlier in default_contexts and subsequently
changed. Console login might still default to sysadm_r.

> The same is true for root. As far as selinux is concerned, root is just
> another sysadm_r user and the default role logging in from gdm is staff_r.
> Is this what should be done? This will certainly be a change for most users.
> When I login as root from gdm, I do not expect that I will be prompted for
> root's password when I invoke system-config-users from the menu.

You can create a /root/.default_contexts file that will take precedence over
/etc/security/default_contexts for root logins. So you can still have 'root'
default to sysadm_r if desired.

> I also notice that doing an "su -" to root or another sysadm_r user will
> default to sysadm_r role for that user. If it is from another sysadm_r user,
> then I get a choice of sysadm_r (default) or staff_r. If it is from a user_r
> user, then no choice, I just get sysadm_r.

This has to do with the allowed role transitions in the policy. The standard
policy didn't allow user_r -> sysadm_r at all; the user_canbe_sysadm tunable
introduced a user_r -> sysadm_r transition, but did not include a
user_r -> staff_r transition. No real reason to omit it in that case.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
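As an added illustration that is not part of the thread, this is the shape a per-user /root/.default_contexts could take to give root (and only root) sysadm_r when logging in through gdm, while /etc/security/default_contexts keeps handing every other account staff_r first. Each line starts with the role:type of the login program and is followed by the role:type pairs to try in order of preference; the login program contexts (system_r:xdm_t for gdm, system_r:local_login_t for the console) are assumed from the policy of that era, and the file itself is constructed.

```text
# /root/.default_contexts (constructed example; overrides
# /etc/security/default_contexts for root logins only)
#
# login-program context      preferred role:type first, then fallbacks
system_r:xdm_t               sysadm_r:sysadm_t staff_r:staff_t
system_r:local_login_t       sysadm_r:sysadm_t staff_r:staff_t

# For comparison, the system-wide file would list staff_r first, so an
# ordinary sysadm_r-capable user still lands in staff_r and must run
# "newrole -r sysadm_r" to escalate:
#   system_r:xdm_t           staff_r:staff_t sysadm_r:sysadm_t
```

The first role:type pair on a line is only used if the policy allows that user to hold that role; otherwise the next pair on the line is tried, which is why the per-user file cannot grant a role the user is not already authorised for.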