On Wed, 2004-04-21 at 15:02, Colin Walters wrote:
> The user_canbe_sysadm tunable is on by default, but the user can't use
> newrole to get to that role - only su.
>
> So how to fix this bug? I understand the reason we're using the SELinux
> user identity - SELinux doesn't want to trust the Linux uid. But
> perhaps it would be good if we had a way to say that for particular
> SELinux user identities like user_u, newrole could just use the Linux
> uid for authentication.

The only purpose of the newrole re-authentication is to force a user interaction to verify user intent prior to a role change, as opposed to some malicious code that happens to be run by the user being able to change roles without the user's awareness. The policy governs who can enter the role, not the newrole program.

Anything could be substituted for the re-authentication, as long as it provides some confidence of user confirmation and is not easily spoofed by malicious code. Long term, the right solution is to use a trusted path mechanism once one becomes available in Linux.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency