RBAC in RHEL5


 



Hello,
 
I wonder whether I can use RBAC in RHEL5 or not.
Here is my problem.
 
I created a new user and new roles, let's say john_u:john_r:john_t.
After I made a loadable module, loaded it, and added some entries to default_context and default_type,
john_u:john_r:john_t was assigned to the Linux user "john" when john logged in from GNOME.
 
Next, since I wanted to try the case of "john logs in from console",
I added a new entry "system_r:local_login_t  john_r:john_t system_r:unconfined_t" to default_context,
and when john logged in from the console (tty), system_r:unconfined_t was assigned to john.
 
I thought the reason it happened was the policy below,
"type_transition local_login_t shell_exec_t:process transition",
so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the above type_transition sentence with "allow local_login_t userdomain:process transition;" in local_login.te, and rebuilt the rpm.
 
Then john logged in from the console again, and john was assigned "local_login_t".
No domain transition happened here.
I wondered, "What if I use the strict policy?", so I tried the strict policy.
But the result is the same: john was assigned local_login_t.
 
So my current assumption is that, in RHEL5, I can use RBAC only when the user logs in from GNOME.
And my questions are:
1) Is my assumption correct, or did I make a mistake?
2) Is there any way to use RBAC in RHEL5? (Should we try to import the Fedora rpm for /bin/login?)
 
Regards,
K
 
 



