Problems creating a user
Stephen Smalley
sds at tycho.nsa.gov
Mon Sep 26 17:19:51 UTC 2005
On Mon, 2005-09-26 at 13:05 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 26 Sep 2005 12:31:51 +0200, Armando Aznar said:
> > I have enabled the targeted policy, so all the users run with the user
> > "user_u" (then all the users have all the permissions in SELinux).
>
> > How could i create a user who run with the user "system_u" so this user dont
> > have all the permissions?
>
> This is probably doomed to failure, because the targeted policy cuts a *lot*
> of corners because it's not making any realistic attempt to protect legitimate
> system users/types from each other. You really need to start with the 'strict'
> policy - that has support for separating users.
>
> (Basically, in the 'targeted' policy, so many things will treat
> 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being
> equivalent that you're not going to get anywhere useful....)
Just to affirm this point: Targeted policy is not suitable for user
separation. Convert to strict policy if you want user separation.
(Side bar: The only reason targeted policy even has multiple user
identities and roles defined is for context compatibility with strict
policy. If the policy language had a notion of user and role aliases to
parallel the type alias construct, the users and roles would all just be
aliased together for targeted policy.).
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list