Re: default user roles


Jeremiah Jahn wrote:
> I can't seem to get the login to set the proper initial role for a user.
> Every time I login, I end up as auditadm, and not secstaff.
> 
> I have the following in my policy:
> 
> userdom_unpriv_user_template(secstaff)
> userdom_role_change_template(secstaff, secadm)
> userdom_role_change_template(secstaff, auditadm)
> allow secstaff_t devlog_t:sock_file write;
> allow secstaff_t newrole_t:process { siginh noatsecure rlimitinh };
> allow secstaff_t syslogd_t:unix_dgram_socket sendto;
> allow secstaff_t unconfined_tmp_t:dir { write search rmdir remove_name create getattr add_name };
> allow secstaff_t user_home_dir_t:dir { read getattr search };
> userdom_manage_generic_user_home_content_files(secstaff_t)
> userdom_read_generic_user_home_content_files(secstaff_t)
> 
> ############################################################
> # Set default role for sec staff <-- not quite :)
> #
> role secstaff_r types secstaff_t;
> 
> ############################################################
> # define roles the secstaff can transition to
> #
> user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
>
> In the olden days in England, you could be hung for stealing a sheep or
> a loaf of bread. However, if a sheep stole a loaf of bread and gave it
> to you, you would only be tried for receiving, a crime punishable by
> forty lashes with the cat or the dog, whichever was handy. If you stole
> a dog and were caught, you were punished with twelve rabbit punches,
> although it was hard to find rabbits big enough or strong enough to
> punch you. -- Mike Harding, "The Armchair Anarchist's Almanac"
You probably need a

/etc/selinux/TYPE/contexts/users/secstaff_u
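
The per-user file named in the reply maps a login program's context to an ordered list of candidate contexts, and the first listed candidate the user can reach becomes the login default. The sketch below is an added example, not part of the original thread and not libselinux code: it parses a constructed `secstaff_u` file and picks the default with a simplified model of that ordering. The login domains, the `secadm_t`/`auditadm_t` types and the `s0` levels are assumptions.

```python
"""Simplified model of reading a per-SELinux-user default-context file.

Added illustration; real logins resolve this through libselinux, which
also consults contexts/default_contexts and the loaded policy.
"""

# Constructed sample for /etc/selinux/TYPE/contexts/users/secstaff_u.
# Each line: <login program role:type:level> <candidate contexts, in order>.
# The login domains, the *_t types and the s0 levels are assumptions.
SAMPLE_SECSTAFF_U = """\
system_r:local_login_t:s0  secstaff_r:secstaff_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0
system_r:sshd_t:s0         secstaff_r:secstaff_t:s0
"""

# Stand-in for what the policy lets secstaff_u reach: the three roles from
# the quoted `user secstaff_u roles { ... }` line, with assumed types.
REACHABLE = {
    "secstaff_r:secstaff_t:s0",
    "secadm_r:secadm_t:s0",
    "auditadm_r:auditadm_t:s0",
}


def parse_user_contexts(text):
    """Return {login program context: [candidate contexts in file order]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or incomplete line
        table[fields[0]] = fields[1:]
    return table


def default_context(table, seuser, login_context, reachable):
    """Return the first listed context that is reachable, or None."""
    for candidate in table.get(login_context, []):
        if candidate in reachable:
            return f"{seuser}:{candidate}"
    return None


if __name__ == "__main__":
    table = parse_user_contexts(SAMPLE_SECSTAFF_U)
    for login in ("system_r:local_login_t:s0", "system_r:sshd_t:s0", "system_r:xdm_t:s0"):
        print(login, "->", default_context(table, "secstaff_u", login, REACHABLE))
```

A login program with no line in the file (here `system_r:xdm_t:s0`) yields `None` in this model, which is the case where the per-user file gives no ordering at all.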
