[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Some questions relating to selinux

On Tue, 13 Apr 2004 00:44, Gene Czarcinski <gene czarc net> wrote:
> The following is a mixed bag of comments/questions related to SElinux...
> 1. I noticed that when I login as root from a VT I get the choice of 3
> different roles (staff_r, sysadm_r, and system_r) but when I login as a
> sysadm_r user and then "su -" to root, I only get two roles (staff_r and
> sysadm_r).  Whe the difference?  Better still, is this intentional?

The fact that you are offered system_r is a bug.  Being offered the other two 
is OK, but you can turn this off by removing the "multiple" option from 
pam_selinux.so in the pam.d file.

> 2. If I login a VT or su to a user who has multiple roles defined, I get
> the option to select which role (when su - is working).  On the other hand,
> if I login via gdm I do not get such a choice.  Question:  should gdm be
> enhanced to offer to option to select a role for users with multiple roles
> defined?

We discussed this at length and came to the conclusion that running a GNOME or 
KDE environment in a privileged role is a bad idea.  Also GNOME and KDE 
create lots of /tmp entries such as /tmp/mcop-user and /tmp/.gconf-user.  If 
you login to GNOME or KDE as one role and then login as the same UID with 
another role then one of two things will happen:

1)  role A is not permitted to write to role B's /tmp files and the login will 
fail in ways that might be surprising and difficult to debug.

2)  role A is permitted to write to role B's /tmp files, things will work BUT 
role A can probably use this to take over role B processes.  If we permit 
this bi-directionally so that no combination of X login order will result in 
failure then we give role A and role B such access to each other that we 
should just merge them.

The conclusion is that there is no benefit in giving the user two roles and 
allowing them both to be accessed through a GUI login.

> 3. In the /etc/security/selinux/src/policy/users file there are two
> examples of defining a user having sysadm_r:
> # sample for administrative user
> #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', \
> `system_r') };
> # sample for regular user
> #user jdoe roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r')
> };
> Which one is the "right" one to use?

jdoe is a regular user, jadmin is an administrative user.  Which one you use 
for an account depends on whether they are a regular user or an admin.

> 4.  In the above, I notice that if I login from gdm I get sysadm_r in the
> first case and user_r in the second case.  However, if I login from a VT,
> the default role is sysadm_r in both cases.  Is this operating correctly? 
> Why the difference?  It seems to me that the correct operation should be
> the same in both cases.

See /etc/security/default_contexts .

> 5.  Why is the system_r role only available from the VT?

The bug is limited in scope.

> 6.  Is there some command that will list the roles available for a user?

The users file will contain the list, it should be possible to get the list 
from the kernel as well.

> 7.  The packages libselinux has a lot of /usr/bin/ files which have no
> documentation (e.g., setfilecon).  Is there some reason for this (other
> than we have not got around to that yet)?

We haven't got around to it yet.  Contributions of man pages are welcome...

> 9.  Is there some additional documentation concerning the
> /etc/security/selinux/src/policy/tunable.te file (besides the comments in
> the file itself)?

Not yet.

> 10. Is there any documentation planned (but maybe not in FC2) which will
> make recommendations on how to lock a system down using the tunable.te
> file?

Yes, we will have to do that.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]