su or sudo from unconfined user to confined user

Dominick Grift domg472 at gmail.com
Tue Jun 23 15:17:46 UTC 2009


It is possible, I think, yes.

As far as I know there are two requirements (example: unconfined_r to
confined_r)

1. Your SELinux User must be mapped to both roles.
semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user special_u

2. Your source role must have access to your target role
allow unconfined_r confined_r;

(also make a default context in /etc/selinux/targeted/contexts/users for
special_u)

The reason that this is supported by default is that it does not make
sense to transition from an unconfined domain to a confined domain. It
defeats the purpose of the unconfined domain.

Unconfined environments are used by processes that are exempted from
much of the policy enforcement.

In rare cases unconfined domains transition to restricted domains. For
example: one can toggle a boolean to force unconfined_t to transition to
nsplugin_t when the process runs nsplugin.


On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> Hello, 
> I have a requirement to use a system as root, but I need to move so
> often to other users and be able to move to their default SELinux user
> and roles.
> As it appears, it is not a common thing to do, but is it possible
> without implementing a new policy?
> 
> Regards
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
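To make the three requirements above concrete, here is a small model of how the su/sudo default context gets chosen. This is an added example, not code from the original mail or from libselinux: the SELinux user special_u, the role-allow rule, and the contents of the contexts/users/special_u file are constructed to match the reply, and the lookup follows the default_contexts(5) file format (caller's partial context, then candidates in order of preference) but is a simplified stand-in for pam_selinux's real lookup.

```python
# Added example (not from the original mail): a model of how su/sudo lands in a
# role when the default context is chosen for a SELinux user.  The SELinux user
# special_u, the role-allow rule and the contexts/users file content below are
# constructed to match the three requirements in the reply; the lookup mirrors
# the default_contexts(5) format but is not libselinux's own code.

# Constructed: roles each SELinux user is mapped to, as `semanage user -l`
# would report after `semanage user -a ... -R "unconfined_r confined_r" special_u`.
SEUSER_ROLES = {
    "special_u": {"unconfined_r", "confined_r"},
    "unconfined_u": {"unconfined_r", "system_r"},
}

# Constructed: role-allow rules in the loaded policy, i.e.
# `allow unconfined_r confined_r;` (requirement 2) plus one from base policy.
ROLE_ALLOW = {
    ("unconfined_r", "confined_r"),
    ("system_r", "unconfined_r"),
}

# Constructed contents of /etc/selinux/targeted/contexts/users/special_u.
# Same format as default_contexts(5): the caller's partial context, then the
# candidate default contexts, most preferred first.
SPECIAL_U_CONTEXTS = """\
# caller role:type:level        candidates, most preferred first
unconfined_r:unconfined_t:s0    confined_r:confined_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0       unconfined_r:unconfined_t:s0
system_r:sshd_t:s0              unconfined_r:unconfined_t:s0
"""


def parse_default_contexts(text):
    """Map (caller_role, caller_type) -> ordered list of candidate contexts."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        caller, *candidates = line.split()
        role, typ = caller.split(":")[:2]
        table[(role, typ)] = candidates
    return table


def default_context(seuser, caller_ctx, contexts_text,
                    seuser_roles=SEUSER_ROLES, role_allow=ROLE_ALLOW):
    """Return the full context su/sudo would end up in, or None if nothing passes.

    A candidate is accepted only if
      1. the SELinux user is mapped to the candidate's role, and
      2. the caller's role may change to it (same role, or a role-allow rule).
    """
    allowed_roles = seuser_roles.get(seuser, set())
    table = parse_default_contexts(contexts_text)
    caller_role, caller_type = caller_ctx.split(":")[:2]
    for cand in table.get((caller_role, caller_type), []):
        target_role = cand.split(":")[0]
        if target_role not in allowed_roles:
            continue  # requirement 1 fails: user is not mapped to this role
        if target_role != caller_role and (caller_role, target_role) not in role_allow:
            continue  # requirement 2 fails: no `allow <caller_role> <target_role>;`
        return f"{seuser}:{cand}"
    return None


if __name__ == "__main__":
    caller = "unconfined_r:unconfined_t:s0"
    # Both requirements met: unconfined_r -> confined_r
    print(default_context("special_u", caller, SPECIAL_U_CONTEXTS))
    # Without the role-allow rule the confined_r candidate is skipped and the
    # user silently stays in unconfined_r, which is the symptom one sees in practice.
    print(default_context("special_u", caller, SPECIAL_U_CONTEXTS, role_allow=set()))
```

The point the model makes is that a missing role mapping or a missing role-allow rule does not produce an error at su/sudo time; the less preferred candidate (staying in unconfined_r) is simply chosen, so checking `semanage user -l` and the role-allow rules is the first diagnostic step when the transition does not happen.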