On Tue, 2005-07-12 at 20:15 +0530, Preeti Malakar wrote:
> user_u is a generic user identity for Linux users who have no
> SELinux user identity defined
> why is user_u authorized for roles sysadm_r and system_r
> why is the user_r allowed to make a transition to sysadm_r and
> system_r (as in rbac file)

- Which release of Fedora Core (2, 3, 4)?
	cat /etc/redhat-release
- Which policy (targeted, strict)?
	grep ^SELINUXTYPE /etc/selinux/config
- Which version of policy?
	rpm -q selinux-policy-targeted or rpm -q selinux-policy-strict

Under targeted policy, users are not confined, only specific daemons are
confined. The user/role support is effectively unused, and only TE is
used to confine daemons based on allowed domain transitions. The same
basic set of users and roles from the strict policy are defined for
security context compatibility, but they are not used for enforcement
and are not restricted.

Under strict policy, users are confined (along with daemons and some
user programs), and user_u should only be authorized for user_r. user_r
may be allowed to transition to sysadm_r (via su/sudo/userhelper if the
user knows the root password) if the user_canbe_sysadm tunable is
enabled; otherwise, you have to explicitly add users and authorize them
for staff_r.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
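The strict-policy expectation described in the message above (user_u authorized only for user_r, with user_r reaching sysadm_r only when user_canbe_sysadm is enabled) can be checked against policy source. This is an added example, not part of the original message or of any SELinux tool; it assumes the policy text has already been macro-expanded into plain `user ... roles ...;` and role `allow` statements, and the function names and sample policy are constructed for illustration.

```python
import re

# Constructed sample of expanded policy statements (not from a real policy build).
SAMPLE_POLICY = """
user system_u roles { system_r };
user user_u roles { user_r sysadm_r system_r };
user root roles { staff_r sysadm_r };
allow user_r sysadm_r;
allow staff_r sysadm_r;
allow user_t bin_t:file read;
"""

# user NAME roles ROLE | { ROLE ... } [trailing level/range clauses];
USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s+(?:\{([^}]*)\}|([^\s;{]+))[^;]*;", re.M)
# Role allow rules have no ":class" part, which separates them from TE allow rules.
ROLE_ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(?:\{([^}]*)\}|([^\s;:{]+))\s*;", re.M)

def _names(braced, single):
    return set((braced if braced is not None else single).split())

def parse(policy_text):
    """Return ({user: roles}, {(from_role, to_role)}) found in the policy text."""
    users, transitions = {}, set()
    for m in USER_RE.finditer(policy_text):
        users.setdefault(m.group(1), set()).update(_names(m.group(2), m.group(3)))
    for m in ROLE_ALLOW_RE.finditer(policy_text):
        for dst in _names(m.group(2), m.group(3)):
            transitions.add((m.group(1), dst))
    return users, transitions

def audit_user_u(policy_text, policy_type):
    """List deviations from the strict-policy expectation for user_u and user_r."""
    if policy_type != "strict":
        return []  # targeted policy: users and roles are not used for enforcement
    users, transitions = parse(policy_text)
    findings = []
    extra = users.get("user_u", set()) - {"user_r"}
    if extra:
        findings.append("user_u authorized for extra roles: " + " ".join(sorted(extra)))
    for dst in sorted(d for s, d in transitions if s == "user_r" and d != "user_r"):
        findings.append("user_r may transition to " + dst
                        + " (expected only if user_canbe_sysadm is enabled)")
    return findings

if __name__ == "__main__":
    for line in audit_user_u(SAMPLE_POLICY, "strict"):
        print(line)
```
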