Re: A question about root user and SELinux

On Tue, 2006-08-15 at 18:28 +0200, Paolo D. wrote:
> Hello everybody,
> perhaps a newbie question; should that be the case, I beg your pardon.
> Let's imagine a user acquires root rights. Especially on Fedora Core, which
> modifies the su command to automatically map it to the sysadm_r role, couldn't
> he/she simply disable SELinux, delete logs, and so on?

What does "acquire root rights" mean?  Logged in as the root user, or
exploited a suid root program or uid 0 process to gain uid 0?  Two very
different things as far as SELinux is concerned.

A few observations:
1) Your questions are presumably oriented toward the strict policy, not
the default targeted policy since you are talking about sysadm_r.
2) pam_rootok is instrumented for SELinux, so a uid 0 process cannot su to
an arbitrary user without knowing their password unless that process is
also in an authorized domain.
3) In FC5, su no longer switches contexts; a separate newrole is once
again required.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
