A few questions

Christopher J. PeBenito cpebenito at tresys.com
Thu Sep 21 14:15:06 UTC 2006


On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> Good morning, I have some questions regarding aspects of SELinux I don't 
> understand:
> - The format of the file default_context in /etc/selinux/strict/contexts: 
> why are there some lines for cron? From what I know, this file is intended 
> to assign a default initial context to logged-in users. So, why is there also 
> cron? Because it starts processes (jobs)?

I assume you're referring to
/etc/selinux/strict/contexts/default_contexts.  There are cron
entries so cron knows what the possible role:domain options for running
cron jobs are.  It will pick the first one that can be used for the Linux
user's job.

> - What about the "identity" part of the security context? How is it filled?

There is a mapping of Linux users to SELinux identities (see `semanage
login -l`).  Login programs (/bin/login, sshd, gdm, etc.) use this
mapping to determine what identity to set.

> - What makes the access control of SELinux "mandatory"? The fact that normal 
> users can't change the security policy?

Yes.  Policy is set only by the admin.

> - From what I understood, the root user in SELinux is partitioned into a lot 
> of domains, so, even if a program which runs as "sysadm_r:some_domain_t" is 
> compromised, the damage is limited to the domain, right? But, can't the 
> attacker transition to another domain using newrole, and do other damage, 
> and continue on?

It is partitioned so that the privileges are separated from the admin
user domain (sysadm_t).  So, for example, the network admin permissions
are limited to domains such as ifconfig_t and iptables_t.  Also, if these
programs were compromised, what they can do is limited, as you mention
above.  However, these domains can't just transition to any domain; the
transition would have to be allowed by policy.  Some_domain_t would need
to be allowed to transition to newrole_t to run newrole.  Only the user
domains are allowed to transition to newrole_t.

> - Why is there no "staff_r" role in Fedora?

There is staff_r in the strict policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
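
The selection described in the first two answers (Linux user mapped to an SELinux identity, then the first usable role:domain entry for the calling program), as a simplified model added here; it is not code from the original message or from libselinux. The sample file contents, the login mapping, the `ALLOWED` table and the function names are constructed assumptions.

```python
# Constructed sample in the default_contexts layout: first field is the
# role:type of the calling program, the rest are candidates in priority order.
# Type names and the missing MLS level field are assumptions of this sketch.
SAMPLE_DEFAULT_CONTEXTS = """\
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:crond_t        user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t
"""

# Constructed stand-in for the `semanage login -l` mapping (Linux user -> identity).
LOGIN_MAP = {"__default__": "user_u", "admin1": "staff_u"}

# Constructed stand-in for what the loaded policy authorizes per identity.
ALLOWED = {
    "user_u": {"user_r:user_t", "user_r:user_crond_t"},
    "staff_u": {"staff_r:staff_t", "staff_r:staff_crond_t", "sysadm_r:sysadm_t"},
}


def parse_default_contexts(text):
    """Return {caller role:type: [candidate role:type, ...]} in file order."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:  # skip blank or malformed lines
            table[fields[0]] = fields[1:]
    return table


def context_for(caller, linux_user, table, login_map=LOGIN_MAP, allowed=ALLOWED):
    """Map the Linux user to an identity, then take the first usable candidate."""
    identity = login_map.get(linux_user, login_map["__default__"])
    for candidate in table.get(caller, []):
        if candidate in allowed.get(identity, set()):
            return f"{identity}:{candidate}"
    return None  # no entry for this caller, or nothing the identity may use


if __name__ == "__main__":
    table = parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS)
    for user in ("alice", "admin1"):
        print(user, "cron job ->", context_for("system_r:crond_t", user, table))
```
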



