On Thu, 2012-05-10 at 15:03 +0200, Andy Warner wrote:
> I am running Scientific Linux 6.0, fully updated using the targeted
> policy.
>
> Is there a method to execute the SELinux admin GUI tool
> system-config-selinux while in enforcing mode of the targeted policy?
>
> My assumption is that root linux user combined with sysadm_r role
> would work. However, after creating a shell with sudo -i -r sysadm_r
> (from the staff_r role), the tool fails to start. I then tried to
> create a user that would login via the GUI login and receive the
> sysadm_r role by default. In this case I was unsuccessful in even
> getting the sysadm_r role to have the sysadm_t upon login. It receives
> a context of sysadm_u:sysadm_r:oddjob_mkhomedir_t. This despite having
> the following /etc/selinux/targeted/contexts/users/sysadm_u file:
>
> system_r:local_login_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0
> system_r:sshd_t:s0 sysadm_r:sysadm_t:s0
> system_r:crond_t:s0 sysadm_r:sysadm_t:s0
> system_r:xdm_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
> system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
> sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0

Under targeted policy, wouldn't you run it from an
unconfined_u/unconfined_r login? Which would be the default for users
who haven't been mapped to a specific role via semanage.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.