From: Russell Coker <rcoker@redhat.com>
To: Alex Ackerman <alex@darkhonor.com>
Cc: Colin Walters <walters@redhat.com>,
Daniel J Walsh <dwalsh@redhat.com>,
Stephen Smalley <sds@epoch.ncsc.mil>,
SE Linux list <selinux@tycho.nsa.gov>,
Joshua Brindle <jbrindle@snu.edu>,
Jim Carter <jwcart2@epoch.ncsc.mil>,
Nalin Dahyabhai <nalin@redhat.com>
Subject: RE: Single home directory type for all roles.
Date: Fri, 10 Dec 2004 06:29:50 +1100 [thread overview]
Message-ID: <1102620591.4509.79.camel@aeon> (raw)
In-Reply-To: <A52BEA1D8EE8634B9196A136333637B13115@maat.darkhonor.net>
On Thu, 2004-12-09 at 13:50 -0500, Alex Ackerman wrote:
> > On Thur, December 09, 2004 1:02 PM, Russell Coker wrote:
> > A bug IMHO. If we have two roles that become almost equivalent then
> > the sensible thing to do is remove one. If we decide that for Fedora
> > strict policy we don't want to have any regular users be denied the ability
> > perform administrative tasks then the correct thing to do is to make
> > staff_r the default user role.
> >
> > It's easy enough for anyone to add a new role if they need more roles
> > than the default policy provides.
>
> As a novice Fedora SELinux user, this sounds like a bad idea (even if it
> was only hypothetical). There is currently a boolean in the strict
> policy which disables the ability for normal user_r users from
> transitioning to the sysadm_r, thus requiring only those users who may
> have need of sysadm_r functions to be a member of staff_r. Any default
> changes to this (by eliminating one role or the other) would require
> users, like myself, who are not overly comfortable with developing new
> user roles to regenerate a restricted user_r-type role for non-trusted
> users.
I agree that it's not desirable to remove a role for an untrusted user
from the default install. However that is the way things are going with
recent policy changes. I think it's better to remove the user_r role
entirely than to make it almost the same as staff_r and give people who
are novices at reading policy the wrong idea.
Currently if you want a really restricted user_r role then you need to
change tunables.tun and comment out the definition of user_canbe_sysadm
(this requires having the policy source installed and that you are
capable of editing and compiling policy). I believe that a better
option would be to have staff_r be the default role for all users in the
default policy and then let someone who wants to create accounts for
untrusted users assign them to user_r. As part of that they can assign
user_u to user_r (user_u would have to default to staff_r too).
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-12-09 19:29 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-09 18:50 Single home directory type for all roles Alex Ackerman
2004-12-09 19:29 ` Russell Coker [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-12-07 0:08 patch: add can_create() macro, allow file_type_auto_trans(a,b,c, { file dir }) Thomas Bleher
2004-12-08 19:32 ` James Carter
2004-12-09 16:50 ` Single home directory type for all roles Daniel J Walsh
2004-12-09 17:20 ` Stephen Smalley
2004-12-09 17:40 ` Stephen Smalley
2004-12-09 17:47 ` Russell Coker
2004-12-09 17:53 ` Stephen Smalley
2004-12-09 18:12 ` Russell Coker
2004-12-09 18:18 ` Stephen Smalley
2004-12-09 18:45 ` Stephen Smalley
2004-12-09 19:08 ` Russell Coker
2004-12-09 20:03 ` Casey Schaufler
2004-12-10 12:20 ` Russell Coker
2004-12-10 15:22 ` Valdis.Kletnieks
2004-12-10 16:19 ` Casey Schaufler
2004-12-10 17:00 ` Valdis.Kletnieks
2004-12-10 17:06 ` Stephen Smalley
2004-12-10 17:29 ` Casey Schaufler
2004-12-09 20:40 ` Valdis.Kletnieks
2004-12-10 3:03 ` Russell Coker
2004-12-10 14:09 ` Daniel J Walsh
2004-12-10 14:31 ` Stephen Smalley
2004-12-10 15:43 ` Colin Walters
2004-12-10 16:33 ` Casey Schaufler
2004-12-13 13:25 ` Russell Coker
2004-12-13 13:56 ` Daniel J Walsh
2004-12-13 14:19 ` Russell Coker
2004-12-09 19:07 ` Thomas Bleher
2004-12-09 19:19 ` Russell Coker
2004-12-09 17:28 ` Colin Walters
2004-12-09 18:02 ` Russell Coker
2004-12-09 19:45 ` Daniel J Walsh
2004-12-09 20:07 ` Stephen Smalley
2004-12-09 20:13 ` Russell Coker
2004-12-09 20:22 ` Daniel J Walsh
2004-12-09 20:30 ` Russell Coker
2004-12-09 21:38 ` Thomas Bleher
2004-12-10 2:56 ` Russell Coker
2004-12-09 22:29 ` Colin Walters
2004-12-10 13:11 ` Stephen Smalley
2004-12-10 16:28 ` Colin Walters
2004-12-09 21:16 ` Thomas Bleher
2004-12-10 2:58 ` Russell Coker
2004-12-09 22:43 ` Colin Walters
2004-12-10 2:23 ` Russell Coker
2004-12-10 15:48 ` Colin Walters
2004-12-10 21:58 ` Luke Kenneth Casson Leighton
2004-12-09 19:38 ` Daniel J Walsh
2004-12-09 19:58 ` Stephen Smalley
2004-12-09 20:09 ` Daniel J Walsh
2004-12-09 20:17 ` Russell Coker
2004-12-09 20:38 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1102620591.4509.79.camel@aeon \
--to=rcoker@redhat.com \
--cc=alex@darkhonor.com \
--cc=dwalsh@redhat.com \
--cc=jbrindle@snu.edu \
--cc=jwcart2@epoch.ncsc.mil \
--cc=nalin@redhat.com \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
--cc=walters@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.