From: "Takesi satoh" <t_mail@mail2Airport.com>
To: <selinux@tycho.nsa.gov>
Subject: RBAC in RHEL5
Date: Sun, 30 Mar 2008 09:58:09 -0700
Message-ID: <0bec01c89287$3b352cc0$016a010a@mail2world.com>


Hello,
 
I wonder whether I can use RBAC in RHEL5 or not.
Here is my problem.
 
I created a new user and new roles. Let me say john_u:john_r:john_t.
After I made a loadable module, loaded it, and added some entries to
default_context and default_type,
john_u:john_r:john_t was assigned to the Linux user "john" when john logged in
from GNOME.
 
Next, since I wanted to try the case of "john logs in from the console",
I added a new entry "system_r:local_login_t  john_r:john_t
system_r:unconfined_t" to default_context,
and john logged in from the console (tty); then system_r:unconfined_t was
assigned to john.
 
I thought the reason why it happened was the policy below,
"type_transition local_login_t shell_exec_t:process transition",
so I downloaded RHEL's selinux-policy-targeted.src.rpm, replaced the
above type_transition sentence with "allow local_login_t
userdomain:process transition;" in local_login.te, and rebuilt the rpm.
 
Then john logged in from the console again, and john was assigned to
"local_login_t".
No domain transition happened here.
I wondered "What if I use the strict policy?", so I tried the strict policy.
But the result was the same: john was assigned to local_login_t.
 
So my current assumption is that, in RHEL5, I can use RBAC only when the user
logs in from GNOME.
And my questions are:
1) Is my assumption correct, or did I make a mistake?
2) Is there any way to use RBAC in RHEL5? (Should we try to import the
Fedora rpm for /bin/login?)
 
Regards,
K
 
 

