A few questions
Christopher J. PeBenito
cpebenito at tresys.com
Thu Sep 21 14:15:06 UTC 2006
On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> Good morning, I have some questions regarding aspects of SELinux I don't
> understand:
> - The format of the file default_context in /etc/selinux/strict/contexts:
> why are there some lines for cron? From what I know, this file is intended
> to assign a default initial context to logged-in users. So, why is there also
> cron? Because it starts processes (jobs)?
I assume you're referring to
/etc/selinux/strict/contexts/default_contexts. There are cron
entries so cron knows what the possible role:domain options are for
running cron jobs. It will pick the first one that can be used for the
Linux user's job.
> - What about the "identity" part of the security context? How is it filled?
There is a mapping of Linux users to SELinux identities (see `semanage
login -l`). Login programs (/bin/login, sshd, gdm, etc.) use this
mapping to determine what identity to set.
> - What makes the access control of SELinux "mandatory"? The fact that normal
> users can't change the security policy?
Yes. Policy is set only by the admin.
> - From what I understood, the root user in SELinux is partitioned into a lot
> of domains, so, even if a program which runs as "sysadm_r:some_domain_t" is
> compromised, the damage is limited to the domain, right? But, can't the
> attacker transition to another domain using newrole, and do other damages,
> and continue on?
It is partitioned so that the privileges are separated from the admin
user domain (sysadm_t). So, for example, the network admin permissions
are limited to domains such as ifconfig_t and iptables_t. Also, if these
programs were compromised, what they can do is limited, as you mention
above. However, these domains can't just transition to any domain; the
transition would have to be allowed by policy. Some_domain_t would need
to be allowed to transition to newrole_t to run newrole. Only the user
domains are allowed to transition to newrole_t.
> - Why isn't there the "staff_r" role in Fedora?
There is staff_r in the strict policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
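
Added example (not part of the original message and not SELinux's own code): a simplified Python model of the two lookups described in the reply, the Linux-user-to-identity mapping and the first-usable-entry choice from default_contexts. The table contents, user names and role sets are constructed, and "usable" is assumed here to mean that the role is authorized for the identity.

```python
# Simplified model of default-context selection. All data below is constructed.
DEFAULT_CONTEXTS = """\
# source role:domain    candidate role:domain entries, in priority order
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:crond_t        user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t
"""

# Linux user -> SELinux identity, the kind of mapping `semanage login -l` lists.
LOGIN_MAP = {"root": "root", "alice": "staff_u", "__default__": "user_u"}

# Roles each SELinux identity is authorized for (assumption for this model).
USER_ROLES = {
    "root": {"staff_r", "sysadm_r", "system_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "user_u": {"user_r"},
}

def parse_default_contexts(text):
    """Return {source role:domain: [candidate role:domain, ...]} in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table

def selinux_identity(linux_user):
    """Unlisted Linux users fall back to the __default__ mapping."""
    return LOGIN_MAP.get(linux_user, LOGIN_MAP["__default__"])

def default_context(linux_user, source, table=None):
    """Pick the first candidate for `source` whose role the identity may use."""
    if table is None:
        table = parse_default_contexts(DEFAULT_CONTEXTS)
    identity = selinux_identity(linux_user)
    roles = USER_ROLES.get(identity, set())
    for candidate in table.get(source, []):
        role, _domain = candidate.split(":", 1)
        if role in roles:
            return f"{identity}:{candidate}"
    return None  # no usable entry: the job or login gets no default context

if __name__ == "__main__":
    for user in ("root", "alice", "bob"):
        print(user, "->", default_context(user, "system_r:crond_t"))
```

Order matters in this model: root is authorized for sysadm_r, but its cron job lands in the staff entry because that entry comes first on the crond_t line.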