sysadm_r role
Daniel J Walsh
dwalsh at redhat.com
Sat Jul 16 11:21:32 UTC 2005
Preeti Malakar wrote:
>Sir,
>
> Can anyone explain the following result, why root has to change
>the type along with role sysadm_r role . Why does it say "couldnt get
>default type" in the first case
>
>
>[root at pryber ~]# id
>uid=0(root) gid=0(root)
>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>context=root:system_r:unconfined_t
>[root at pryber ~]# id -Z
>root:system_r:unconfined_t
>[root at pryber ~]# grep ^role
>/etc/selinux/targeted/src/policy/policy.conf | cut -f2 "-d " | sort -u
>sysadm_r
>system_r
>user_r
>[root at pryber ~]# newrole -r sysadm_r
>Couldn't get default type.
>[root at pryber ~]# newrole -r sysadm_r -t sysadm_t
>Authenticating root.
>Password:
>[root at pryber ~]# id -Z
>root:sysadm_r:unconfined_t
>
>
>
>
Because we don't really use roles in targeted policy. Newrole uses the
default_type file for discovering the default type for a particular role
in strict policy the file looks like:
> more /etc/selinux/strict/contexts/default_type
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t
nurse_r:user_t
In targeted
> more /etc/selinux/targeted/contexts/default_type
system_r:unconfined_t
--
More information about the fedora-selinux-list
mailing list