User policy problem with strict policy
Stephen Smalley
sds at epoch.ncsc.mil
Thu Oct 14 16:18:29 UTC 2004
On Thu, 2004-10-14 at 12:02, James Morris wrote:
> I don't know, I just wanted to restore what I thought was normal behavior.
Separate roles per user were never part of the example policy.
It is true that common practice prior to and outside of the Fedora
SELinux implementation is to at least maintain separate entries in
policy/users for users authorized for staff_r and sysadm_r, and
optionally to maintain separate entries for users authorized for user_r
to provide stronger user accountability even though they had the same
permissions.
> So even in strict policy now, all normal users are user_u:user_r:user_t ?
That's the default. You can disable user_canbe_sysadm and explicitly
authorize users for staff_r/sysadm_r/system_r for better security.
Then, user_r users cannot use su/sudo/userhelper to gain privileges, and
access to sysadm_r is entirely governed by policy. That doesn't require
creating separate roles per user. But the lack of integration of
existing user databases and tools with the SELinux users database makes
it difficult to disable user_canbe_sysadm by default.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list