On Mon, Jul 12, 2004 at 08:12:54AM -0400, Stephen Smalley wrote:
> The original poster showed a denial of executing sesh from user_sudo_t
> without performing a domain transition. That is definitely not what you
> want. sudo should transition to a user domain upon executing sesh, most
> typically to sysadm_r:sysadm_t since it is typically used to assume
> admin privileges for a particular command.

Actually, the user should newrole to sysadm_r before they're allowed to
execute sudo/su. Or, if you want to make life easier for the user,
sudo/su could be allowed to perform a role transition on its own, but it
should *never* change the identity.

> Further, as the caller is
> typically not directly authorized for an administrative shell, you need
> sudo to transition to a user identity (e.g. root) that is authorized for
> the administrative role.

Nonsense. You can allow your IDENTITIES (context users) to have the
ability to attain an administrative role, which then lets them have the
completely orthogonal USER (unix user id).

It seems that Fedora/SELinux is attempting to entirely replace the
uid/gid concept instead of augmenting it, and in the process appears to
have misplaced the difference between uid and euid. (Which is not to
say that uid/euid ever really worked right in unix.)

[ For example, the system really SHOULD know the difference between user
"emf" su'ing to user "joe" and running joe's .bashrc. When I do that, I
am not joe, I am merely impersonating him for some reason. ]

uid/gid isn't what's wrong with unix authentication; "root" is.
[ "root" meaning shared identities, privileged or otherwise. ]

> As part of the Fedora SELinux integration, RedHat created a pam_selinux
> module and changed /etc/pam.d/su to invoke it, so that su performs
> context transitions, including changing the user identity. Note that
> the user_canbe_sysadm tunable allows you to disable the ability of
> user_r:user_t to reach sysadm_r:sysadm_t via su, so that only users
> authorized for staff_r can do so. That reduces your exposure. See the
> following for further discussion:
>
> http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3004527
> http://marc.theaimsgroup.com/?l=selinux&m=107757717110966&w=2
>
> And an argument against having su perform context transitions:
> http://marc.theaimsgroup.com/?l=selinux&m=107765457418746&w=2
>
> Note that the use of pam_selinux by su has also led to issues with
> running daemons in pseudo user identities via su, as discussed
> previously on this list.

I find that I must agree with the dissenting viewpoint. Changing the
identity is a terrible idea.

Having daemons running in pseudouser identities could just as well be
handled by having unix_uid along with an unprivileged user_u identity
and a ${daemon}_r:${daemon}_t context. We don't need ${daemon}_u as well,
and user_u can do far too much by default in FC2.

It would be really nice if this were a tunable as well, since some folks
appear to want the identity transition, but I personally think that the
"Strict" configuration should disable ID transition.

That's all.

--
Erik Fichtner; Unix Ronin
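As an added illustration of the role-versus-identity distinction argued in this thread (example code, not from the list or from the Fedora policy): a small Python check that parses SELinux contexts of the form user:role:type[:range] and reports whether a transition changed only the role/type (a newrole-style transition) or the identity field itself (what su via pam_selinux does). The sample transitions and the daemon_r/daemon_t names are constructed placeholders, not real audit records.

```python
from typing import List, NamedTuple, Tuple


class Context(NamedTuple):
    user: str          # SELinux identity (context user), e.g. emf, user_u, root
    role: str          # e.g. user_r, sysadm_r
    type: str          # domain, e.g. user_t, sysadm_t
    range: str = ""    # optional MLS range; may itself contain ':'


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type' or 'user:role:type:range' into fields."""
    parts = ctx.split(":", 3)   # at most 4 parts so an MLS range keeps its ':'
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return Context(*parts)


def classify_transition(old: str, new: str) -> str:
    """Return 'identity' if the SELinux user changed, 'role' if only the
    role/type changed, and 'none' if the contexts are the same."""
    o, n = parse_context(old), parse_context(new)
    if o.user != n.user:
        return "identity"   # su/sudo changing who you are, the case argued against above
    if o.role != n.role or o.type != n.type:
        return "role"       # role/domain transition only, identity preserved
    return "none"


# Constructed sample transitions: (how it happened, from-context, to-context).
SAMPLE: List[Tuple[str, str, str]] = [
    ("newrole sysadm_r",   "emf:user_r:user_t",        "emf:sysadm_r:sysadm_t"),
    ("su via pam_selinux", "emf:user_r:user_t",        "root:sysadm_r:sysadm_t"),
    # placeholder for the ${daemon}_r:${daemon}_t scheme: same unprivileged user_u identity
    ("daemon start",       "user_u:system_r:initrc_t", "user_u:daemon_r:daemon_t"),
]


def flag_identity_changes(records: List[Tuple[str, str, str]]) -> List[str]:
    """Names of the transitions in which the identity field changed."""
    return [how for how, old, new in records if classify_transition(old, new) == "identity"]


if __name__ == "__main__":
    for how, old, new in SAMPLE:
        print(f"{how:20s} {old} -> {new}: {classify_transition(old, new)}")
    print("identity changed in:", flag_identity_changes(SAMPLE))
```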