Some questions relating to selinux

Gene Czarcinski gene at czarc.net
Mon Apr 12 14:44:51 UTC 2004 

The following is a mixed bag of comments/questions related to SElinux...

1. I noticed that when I login as root from a VT I get the choice of 3 
different roles (staff_r, sysadm_r, and system_r) but when I login as a 
sysadm_r user and then "su -" to root, I only get two roles (staff_r and 
sysadm_r).  Whe the difference?  Better still, is this intentional?

2. If I login a VT or su to a user who has multiple roles defined, I get the 
option to select which role (when su - is working).  On the other hand, if I 
login via gdm I do not get such a choice.  Question:  should gdm be enhanced 
to offer to option to select a role for users with multiple roles defined?

3. In the /etc/security/selinux/src/policy/users file there are two examples 
of defining a user having sysadm_r:

# sample for administrative user
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \ 
`system_r') };
 
# sample for regular user
#user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };

Which one is the "right" one to use?

4.  In the above, I notice that if I login from gdm I get sysadm_r in the 
first case and user_r in the second case.  However, if I login from a VT, the 
default role is sysadm_r in both cases.  Is this operating correctly?  Why 
the difference?  It seems to me that the correct operation should be the same 
in both cases.

5.  Why is the system_r role only available from the VT?

6.  Is there some command that will list the roles available for a user?

7.  The packages libselinux has a lot of /usr/bin/ files which have no 
documentation (e.g., setfilecon).  Is there some reason for this (other than 
we have not got around to that yet)?

8.  Is there someplace that describes the differences between the various 
policy versions (15, 16, 17, etc.)?

9.  Is there some additional documentation concerning the 
/etc/security/selinux/src/policy/tunable.te file (besides the comments in the 
file itself)?  

10. Is there any documentation planned (but maybe not in FC2) which will make 
recommendations on how to lock a system down using the tunable.te file?

11. For the record, my "vote" is for FC2 final to default to selinux=1, 
enforcing=1 but with a policy that is very "loose" by default (it would more 
or less work as if selinux was not really installed for most users).  I would 
also like to see an option for a more restrictive policy which could then be 
worked with for those inclined to do so.

12. I noticed that if I login as a user defined in users as above case 2 and 
then "su -" to root, I am given no role options.  However, if I login as a 
sysadm_r user (case 1 above) and then "su -" to root, I am given a choice of 
role.  Why the difference?  If this operating correctly?
------------------------------------------------------------------------------------
I am sure that more questions will occur to me but that is enough for now.

Gene

More information about the fedora-selinux-list mailing list