RE: su or sudo from unconfined user to confined user

This seems to be a bit complicated.
As a start I'm trying to create a new role and new types. I want the new role to be accessible from unconfined_r, but I've been having a problem since my last email:
Compiling targeted new module
/usr/bin/checkmodule:  loading policy configuration from tmp/new.tmp
new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line 3189:
allow unconfined_r new_r;
role new_r types example_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/new.mod] Error 1

the file used: new.te
policy_module(new, 0.0.1)

role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
 (both the allow line and the role line cause the same problem).



> Subject: Re: su or sudo from unconfined user to confined user
> From: sds@xxxxxxxxxxxxx
> To: domg472@xxxxxxxxx
> CC: mrowais@xxxxxxxxxxx; fedora-selinux-list@xxxxxxxxxx
> Date: Tue, 23 Jun 2009 12:20:38 -0400
>
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible, I think, yes.
>
> I could be wrong, but I think the original poster wanted a way he could
> switch to another user's security context in its entirety using su or
> sudo. Which today we do not support.
>
> The original (and current) view is that the SELinux user field should
> only get set when a session is created, and only role, type, and level
> can change within a session and only then if within the authorized roles
> and levels for the user. That bounds access escalation within a login
> session. su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
>
> In early Fedora and RHEL 4, there was support for switching the entire
> security context upon su, but that was removed. To reinstate it, you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context. Look at the rules under an ifdef distro_rhel4 in su.if in the
> refpolicy for example. You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
> for an example of how to do so.
>
> And I can't guarantee it will still work, as no one uses it that way
> anymore.
>
> > As far as I know there are two requirements (example unconfined_r to
> > confined_r)
> >
> > 1. Your SELinux User must be mapped to both roles.
> > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
> > special_u
> >
> > 2. Your source role must have access to your target role
> > allow unconfined_r confined_r;
> >
> > (also make default context in /etc/selinux/targeted/contexts/users for
> > special_u)
> >
> > The reason that this is supported by default is because it does not make
> > sense to transition from an unconfined domain to a confined domain. It
> > defeats the purpose of the unconfined domain.
> >
> > Unconfined environments are used by processes that are exempted from
> > much of the policy enforcement.
> >
> > In rare cases unconfined domains transition to restricted domains. For
> > example: one can toggle a boolean to force unconfined_t to transition to
> > nsplugin_t when the process runs nsplugin.
> >
> >
> > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > > Hello,
> > > I have a requirement to use a system as root, but I need to move so
> > > often to other users and be able to move to their default SELinux user
> > > and roles.
> > > As it appears, it is not a common thing to do, but is it possible
> > > without implementing a new policy?
> > >
> > > Regards
> > >
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> Stephen Smalley
> National Security Agency
>


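Added example, not code from any of the posters: the module from the first message with the require block it is missing. A module can only reference a role or type declared elsewhere in the loaded policy after requiring it, which is why checkmodule reports unconfined_r as an unknown role. The names new_r and example_t are taken from that message; the domain_type() interface call is an assumption added here.

```selinux
policy_module(new, 0.0.1)

# Roles and types that already exist in the installed base policy must be
# listed in a require block before a module may use them. Without this,
# checkmodule stops with "unknown role unconfined_r".
gen_require(`
    role unconfined_r;
')

# The new role and the domain type it is allowed to run in.
role new_r;
type example_t;

# Assumption: domain_type() is the refpolicy interface that marks a type
# as a process domain; the module in the first message did not call it.
domain_type(example_t)

role new_r types example_t;

# Role allow rule: a process in unconfined_r may change its role to new_r.
# This grants only the role change itself; the SELinux user of the session
# must also be authorized for both roles, as in the semanage user command
# quoted from Dominick Grift's message.
allow unconfined_r new_r;
```

Build and load it the same way as in the first message (make -f /usr/share/selinux/devel/Makefile new.pp, then semodule -i new.pp), and map the login's SELinux user to both roles with the quoted semanage user command, replacing confined_r with new_r.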
