A question about root user and SELinux

Stephen Smalley sds at tycho.nsa.gov
Tue Aug 15 17:58:12 UTC 2006

On Tue, 2006-08-15 at 18:28 +0200, Paolo D. wrote:
> Hello everybody,
> perhaps a newbie question; should it be the case, please beg your pardon.
> Let's imagine a user acquire root rights. Especially on Fedora Core, which
> modify su command to automatically map it to sysadm_r role, couldn't he/she
> simply disable SELinux, delete logs, and so on?

What does "acquire root rights" mean?  Logged in as the root user, or
exploited a suid root program or uid 0 process to gain uid 0?  Two very
different things as far as SELinux is concerned.

A few observations:
1) Your questions are presumably oriented toward the strict policy, not
the default targeted policy since you are talking about sysadm_r.
2) pam_rootok is instrumented for SELinux, so uid 0 process cannot su to
an arbitrary user without knowing their password unless that process is
also in an authorized domain.
3) In FC5, su no longer switches contexts; separate newrole is once
again required.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list