[redhat-lspp] Re: newrole, UID change, etc

Russell Coker rcoker at redhat.com
Sun Apr 23 01:45:40 UTC 2006


On Sat, 2006-04-22 at 01:41 +1000, Russell Coker wrote:
> > Except that newrole can be run by any user including guest accounts, 
> 
> sudo may also be run by any user including guest accounts.

Steve Grubb pointed out to me off-list that sudo is not in the set of
packages for the LSPP certified configuration.

After considering this and other issues I have come to the conclusion
that my previous design ideas are not suitable.

I have another idea.  If a user is logged in with a context that permits
changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
change to UID=0 with authentication against the root account.

That way, in the permissive-mode and selinux=0 cases, newrole would
effectively be a version of su which can only change to the root
account.  As it would use the same PAM settings as su, this would not be
a problem.

In summary, we have newrole support changing to an administrative role and
UID=0 with the root password.  The initial context would have to be
permitted to enter the administrative role in question by SE Linux
policy.  Doing this would require the root password.

The remaining issue is whether we have newrole check that the
destination role is an administrative role (a plain-text file with
entries sysadm_r, secadm_r, and auditadm_r).  This wouldn't strictly be
necessary: if you have the root password or satisfy the PAM requirements
of su in other ways, then you can get UID==0 with the current situation.
The password check on role change is mainly designed to prevent
malicious use; a root password check is as suitable for that use as is a
check on the AUID or SE Linux identity account.


Please let me know what you think about this.
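The decision the proposal describes, sketched as an added example (not code from newrole or the LSPP work): parse the plain-text list of administrative roles and decide whether a requested role change should require root authentication and end up at UID 0. The list contents, `is_admin_role` and `decide` are constructed for illustration; the SE Linux policy check on the initial context is outside what this snippet does.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Administrative roles in the one-role-per-line format the mail
 * describes.  Constructed sample text, not a real system file. */
static const char ADMIN_ROLE_LIST[] =
    "# administrative roles (constructed sample)\n"
    "sysadm_r\n"
    "secadm_r\n"
    "auditadm_r\n";

/* True if `role` appears as a complete line in the list text.
 * Blank lines and lines beginning with '#' are ignored, and a role
 * must match the whole line (so "sysadm" does not match "sysadm_r"). */
bool is_admin_role(const char *list, const char *role)
{
    const char *p = list;
    size_t rlen = strlen(role);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[0] != '#' && len == rlen && memcmp(p, role, len) == 0)
            return true;
        if (!nl)
            break;
        p = nl + 1;
    }
    return false;
}

/* Outcome of a role-change request under the proposal: a transition to
 * an administrative role is authenticated against the root account and
 * yields UID 0; any other role change leaves the caller's UID alone. */
typedef struct {
    bool auth_as_root;  /* authenticate with the root password? */
    int new_uid;        /* UID after the transition */
} newrole_decision;

newrole_decision decide(const char *list, const char *target_role, int caller_uid)
{
    newrole_decision d;
    d.auth_as_root = is_admin_role(list, target_role);
    d.new_uid = d.auth_as_root ? 0 : caller_uid;
    return d;
}
```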
