On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> Good morning, I have some questions regarding aspects of SELinux I don't
> understand:
> - The format of the file default_context in /etc/selinux/strict/contexts:
> why are there some lines for cron? From what I know, this file is intended
> to assign a default initial context to logged-in users. So, why is there also
> cron? Because it starts processes (jobs)?

I assume you're referring to /etc/selinux/strict/contexts/default_contexts.
There are cron entries so cron knows what the possible role:domain options
for running cron jobs are. It will pick the first one that can be used for
the Linux user's job.

> - What about the "identity" part of the security context? How is it filled?

There is a mapping of Linux users to SELinux identities (see
`semanage login -l`). Login programs (/bin/login, sshd, gdm, etc.) use this
mapping to determine what identity to set.

> - What makes the access control of SELinux "mandatory"? The fact that normal
> users can't change the security policy?

Yes. Policy is set only by the admin.

> - From what I understood, the root user in SELinux is partitioned into a lot
> of domains, so, even if a program which runs as "sysadm_r:some_domain_t" is
> compromised, the damage is limited to the domain, right? But can't the
> attacker transition to another domain using newrole, do other damage,
> and continue on?

It is partitioned so that the privileges are separated from the admin user
domain (sysadm_t). So, for example, the network admin permissions are limited
to domains such as ifconfig_t and iptables_t. Also, if these programs were
compromised, what they can do is limited, as you mention above. However,
these domains can't just transition to any domain; the transition would have
to be allowed by policy. Some_domain_t would need to be allowed to transition
to newrole_t to run newrole. Only the user domains are allowed to transition
to newrole_t.

> - Why isn't there a "staff_r" role in Fedora?

There is staff_r in the strict policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
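The two lookups described in the reply above (the Linux-user to SELinux-identity map that `semanage login -l` shows, and the default_contexts line that the calling program's role:type selects, with the first candidate the identity is allowed to use winning) can be simulated in a few lines. The following is an added example and not code from the post, from libselinux or from the reference policy; the login map, the per-identity role sets and the default_contexts sample are all constructed data in the real file's format, and `default_context()` / `parse_default_contexts()` are illustrative names chosen here.

```python
"""Simulate how a login program or cron picks a user's initial SELinux context.

Added example, not from the mailing-list post. It models the two lookups the
reply describes: the Linux user -> SELinux identity map (what `semanage login -l`
prints) and the default_contexts file, where the caller's role:type selects a
line and the first candidate role:type the identity may use is chosen.
All data below is constructed sample data, not copied from a real system.
"""

# Constructed stand-in for `semanage login -l`: Linux user -> SELinux identity.
LOGIN_MAP = {
    "__default__": "user_u",
    "root": "root",
    "alice": "staff_u",
}

# Constructed stand-in for `semanage user -l`: identity -> roles it may take.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r", "system_r"},
}

# Constructed sample in the layout of /etc/selinux/strict/contexts/default_contexts:
# first field = partial context (role:type) of the calling program, remaining
# fields = candidate role:type pairs for the user, most preferred first.
DEFAULT_CONTEXTS = """\
# caller role:type      candidate user role:type pairs, most preferred first
system_r:crond_t        user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t         user_r:user_t staff_r:staff_t
"""


def parse_default_contexts(text):
    """Return {caller role:type: [candidate role:type, ...]}, skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        caller, *candidates = line.split()
        table[caller] = candidates
    return table


def selinux_identity(linux_user, login_map=LOGIN_MAP):
    """Map a Linux user to its SELinux identity, falling back to __default__."""
    return login_map.get(linux_user, login_map["__default__"])


def default_context(linux_user, caller_context, contexts_text=DEFAULT_CONTEXTS,
                    login_map=LOGIN_MAP, user_roles=USER_ROLES):
    """Pick the initial identity:role:type context for linux_user.

    caller_context is the role:type of the program doing the lookup
    (e.g. system_r:crond_t). Returns None when no candidate role is
    permitted for the identity, which a real login program treats as
    a failure rather than falling back to an arbitrary context.
    """
    identity = selinux_identity(linux_user, login_map)
    allowed_roles = user_roles.get(identity, set())
    table = parse_default_contexts(contexts_text)
    for candidate in table.get(caller_context, []):
        role, _type = candidate.split(":", 1)
        if role in allowed_roles:
            return f"{identity}:{candidate}"
    return None


if __name__ == "__main__":
    # A cron job for alice: user_r is first on the crond_t line, but staff_u
    # may not take user_r, so the second candidate staff_r:staff_t is chosen.
    print(default_context("alice", "system_r:crond_t"))
    # An unmapped user falls back to user_u and gets user_r:user_t.
    print(default_context("bob", "system_r:crond_t"))
```

Note that the candidate order differs per calling program in the sample, which is why the reply says cron "will pick the first one that can be used": the same identity can land in a different role depending on whether cron, sshd or a local login is doing the lookup.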