On Wed, 2009-02-11 at 16:50 +0800, Dennis Wronka wrote:
> What use is su if a normal user after running su is still user_u:user_r:user_t
> and thus has no permissions to do stuff?

user_t is an unprivileged user domain.

> Sure, he's root, but because of SELinux that alone isn't worth much, as
> being user_u still limits the user's options pretty much.

user_t should not use root. user_t is confined to this domain. It is not
designed to "user" domain transition.

> Is there anything I misunderstand here? I don't think there should be an
> automatic transition from user_r to sysadm_r, and newrole-ing this doesn't work
> as user_u doesn't have the sysadmin-role.

staff_t is the domain that can use root by first running newrole -r sysadm_r
and then su.

> So, what the heck is the use of su on a SELinux-system?

It works but just not for user_t. Map users that should be able to "user"
domain transition to privileged roles to the staff_u SELinux user group.

hth,
Dominick

> Thanks and best regards,
> Dennis
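Added example, not part of the original message: a small audit that reports which Linux logins map to an SELinux user authorized for sysadm_r, which is the precondition for the newrole -r sysadm_r and su sequence described in the reply. The login names, the sample tables and the function names are constructed for illustration; on a real host the tables would come from `semanage login -l` and `semanage user -l`, and roles are assumed to start at column 5.

```shell
#!/bin/sh
# Constructed samples in the column layout of `semanage login -l` and
# `semanage user -l` on an MLS/MCS policy; not captured from a real host.
SAMPLE_LOGINS='Login Name      SELinux User    MLS/MCS Range      Service

__default__     user_u          s0                 *
dennis          user_u          s0                 *
dominick        staff_u         s0-s0:c0.c1023     *'

SAMPLE_USERS='SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r
user_u          user       s0         s0                 user_r'

# selinux_user_for LOGIN: read a login table on stdin and print the SELinux
# user the login maps to, falling back to the __default__ entry.
selinux_user_for() {
    awk -v l="$1" '$1 == l { m = $2 } $1 == "__default__" { d = $2 }
                   END { print (m != "" ? m : d) }'
}

# roles_of SEUSER: read a user table on stdin and print that user's roles,
# each followed by a space (roles assumed to start at column 5).
roles_of() {
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) printf "%s ", $i }'
}

# can_become_sysadm LOGIN LOGIN_TABLE USER_TABLE: succeed only if the login's
# SELinux user is authorized for sysadm_r, i.e. newrole -r sysadm_r can work.
can_become_sysadm() {
    seuser=$(printf '%s\n' "$2" | selinux_user_for "$1")
    case " $(printf '%s\n' "$3" | roles_of "$seuser")" in
        *" sysadm_r "*) return 0 ;;
        *) return 1 ;;
    esac
}

for login in dennis dominick; do
    if can_become_sysadm "$login" "$SAMPLE_LOGINS" "$SAMPLE_USERS"; then
        echo "$login: newrole -r sysadm_r, then su"
    else
        echo "$login: confined; to allow it: semanage login -a -s staff_u $login"
    fi
done
```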