* Newrole in targeted mode
From: Nick Gray @ 2004-12-28 18:42 UTC
To: SELinux ML

I am trying this as root.

newrole -r sysadm_r -t sysadm_t

It seems to work, but my context doesn't change and I can't change the enforce to 0. Isn't this still how it is done with the targeted policy?

Nix

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: Newrole in targeted mode
From: Stephen Smalley @ 2004-12-28 18:50 UTC
To: Nick Gray; +Cc: SELinux ML

On Tue, 2004-12-28 at 13:42, Nick Gray wrote:
> I am trying this as root.
>
> newrole -r sysadm_r -t sysadm_t
>
> It seems to work, but my context doesn't change and I can't change the
> enforce to 0. Isn't this still how it is done with the targeted policy?

newrole serves no purpose under targeted policy; users are unconfined. setenforce 0 should work for you as root (from unconfined_t, of course, which is what you should already be in for a user session).

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Newrole in targeted mode
From: Jaspreet Singh @ 2004-12-30 6:37 UTC
To: Stephen Smalley; +Cc: Nick Gray, nsa

Hi,

I tried to search and couldn't find any threads on this question.

What are the basic differences between targeted and strict policies? All I know is that there are fewer targeted domains/roles in the targeted policy compared to strict, and as a result most domains run in the unconfined_t domain.

Am I missing something?

On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> newrole serves no purpose under targeted policy; users are unconfined.
> setenforce 0 should work for you as root (from unconfined_t, of course,
> which is what you should already be in for a user session).

You can add new users and roles in the targeted policy also. In that case newrole should work as per the modified policies. Am I wrong?

Regards,
Jaspreet
* Re: Newrole in targeted mode
From: Matthew Leinhos @ 2005-01-01 22:20 UTC
To: Jaspreet Singh; +Cc: nsa

Hi Jaspreet,

I'm fairly new to SELinux, but I'll try to answer your question. The goal in running SELinux under a targeted policy is to shield specific processes, generally daemons available to the network, under the protections of SELinux. In other words, its goal is to make it so that a remote break-in via a daemon vulnerability is not catastrophic to the system's security.

The goal of the strict policy is to protect the system against not only vulnerabilities in daemons, but also against malicious (but possibly legitimate) users. So, the strict policy is more elaborate and will provide more protections to the system, once its bugs have been wrinkled out.

These policies are in development on Fedora Core 3. Refer to http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2801831 for more information.

-Matt

On Thu, 30 Dec 2004, Jaspreet Singh wrote:
> Hi,
>
> I tried to search and couldn't find any threads on this question.
>
> What are the basic differences between targeted and strict policies?
>
> All I know is that there are fewer targeted domains/roles in the targeted
> policy compared to strict, and as a result most domains run in the
> unconfined_t domain.
>
> Am I missing something?
>
> On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> > newrole serves no purpose under targeted policy; users are unconfined.
> > setenforce 0 should work for you as root (from unconfined_t, of course,
> > which is what you should already be in for a user session).
>
> You can add new users and roles in the targeted policy also.
> In that case newrole should work as per the modified policies. Am I wrong?
>
> Regards,
> Jaspreet
* Re: Newrole in targeted mode
From: Karsten Wade @ 2005-01-02 11:30 UTC
To: SELinux

On Thu, 2004-12-30 at 12:07 +0530, Jaspreet Singh wrote:
> Hi,
>
> I tried to search and couldn't find any threads on this question.
>
> What are the basic differences between targeted and strict policies?
>
> All I know is that there are fewer targeted domains/roles in the targeted
> policy compared to strict, and as a result most domains run in the
> unconfined_t domain.

Everything runs in unconfined_t unless there is a transition specified to go to the new domain. This transition is specified for only a small number of daemons.

Other things are simplified. In the targeted policy, there are fewer rules overall, fewer file contexts, and so forth.

> On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> > newrole serves no purpose under targeted policy; users are unconfined.
> > setenforce 0 should work for you as root (from unconfined_t, of course,
> > which is what you should already be in for a user session).
>
> You can add new users and roles in the targeted policy also.
> In that case newrole should work as per the modified policies. Am I wrong?

Because processes at all levels, whether spawned by init or a user, run in the unconfined_t domain, the role has no meaning. AIUI, a user does not need an elevated role for what they do.

- Karsten

--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
* Re: Newrole in targeted mode
From: Jaspreet Singh @ 2005-01-03 5:11 UTC
To: kwade, Matthew Leinhos; +Cc: nsa

Hi,

Thanx Matthew and Karsten.

> Everything runs in unconfined_t unless there is a transition specified
> to go to the new domain. This transition is specified for only a small
> number of daemons.
> Other things are simplified. In the targeted policy, there are fewer
> rules overall, fewer file contexts, and so forth.

Ok, I realized that after seeing the sources for the targeted and strict policies.

> Because processes at all levels, whether spawned by init or a user, run
> in the unconfined_t domain, the role has no meaning. AIUI, a user does
> not need an elevated role for what they do.

I understand that. But does the system make *any* assumptions about the targeted or strict policies? I mean, does the system distinguish between targeted and strict policies? If I am not wrong, the system just wants some basic security classes in place, which are the same for the targeted and strict policies.

So, I can just borrow code from the strict policy to add more domains and roles to the targeted policy. Am I right?

And also, how can I make SELinux understand a policy tree *intermediate* under /etc/selinux/ and load policy from there?

> - Karsten

Thanx and Regards,
Jaspreet
* Re: Newrole in targeted mode
From: Stephen Smalley @ 2005-01-03 14:14 UTC
To: jsingh; +Cc: kwade, Matthew Leinhos, nsa

On Mon, 2005-01-03 at 00:11, Jaspreet Singh wrote:
> I understand that. But does the system make *any* assumptions about
> the targeted or strict policies?

No, the enforcement mechanism is the same, only the policy differs. But the policies differ substantially, including boot-time definitions like initial SID contexts that cannot be changed without a reboot, and they differ structurally, e.g. targeted policy has nothing set up for user roles at present. It should be easier to take strict policy and strip down the set of program domains than to add user roles to targeted policy, IMHO.

> So, I can just borrow code from the strict policy to add more domains and
> roles to the targeted policy.
>
> Am I right?

Strictly speaking, yes. But strict policy already gives you what you want structurally, i.e. user roles and domains as well as program domains, and you can strip down the set of program domains. In contrast, targeted policy only gives you program domains and nothing for users, so you have to do more work to do what you describe (IMHO).

> And also, how can I make SELinux understand a policy tree
> *intermediate* under /etc/selinux/ and load policy from there?

Just create the directory, populate it with your policy files, and set SELINUXTYPE to it in /etc/selinux/config. Then reboot to single-user mode (with enforcing=0) and relabel against your policy, and reboot again.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
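Added example, not part of the thread and not code from the SELinux project: a small POSIX shell script that does the two checks a practitioner would want before following Stephen's advice. It reads an /etc/selinux/config-style file to find which policy tree SELINUXTYPE selects (his last reply) and confirms that tree has a policy directory and a file_contexts file before it is switched to and the machine rebooted; it also classifies a context string of the kind `id -Z` prints, so you can see why newrole is pointless from unconfined_t (his first reply). Function names, the fixture directory layout and the sample config lines are assumptions constructed for the demonstration, and the script only looks at files under a root you pass it, never at the live /etc/selinux.

```shell
#!/bin/sh
# Added example for the "Newrole in targeted mode" thread; not from the thread
# or the SELinux project. All paths and names are constructed for the demo.

# Print the value of KEY in a KEY=VALUE config file (comments ignored,
# last occurrence wins).  Usage: config_value FILE KEY
config_value() {
    cv_file=$1; cv_key=$2
    grep -v '^[[:space:]]*#' "$cv_file" \
        | sed -n "s/^[[:space:]]*$cv_key=[[:space:]]*//p" \
        | tail -n 1
}

# Type field of a context string such as root:system_r:unconfined_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Returns 0 when the context runs in unconfined_t, the case the thread
# describes where the role carries no meaning and newrole changes nothing.
is_unconfined() {
    [ "$(context_type "$1")" = "unconfined_t" ]
}

# Check that the policy tree selected by CONFIG exists under ROOT.
# Prints the selected type and returns 0 when the tree has the pieces a
# load needs; prints a diagnostic to stderr and returns 1 otherwise.
# Usage: check_policy_tree CONFIG ROOT
check_policy_tree() {
    cpt_config=$1; cpt_root=$2
    cpt_type=$(config_value "$cpt_config" SELINUXTYPE)
    if [ -z "$cpt_type" ]; then
        echo "SELINUXTYPE not set in $cpt_config" >&2
        return 1
    fi
    cpt_tree="$cpt_root/$cpt_type"
    if [ ! -d "$cpt_tree/policy" ]; then
        echo "policy tree '$cpt_type' has no policy directory under $cpt_root" >&2
        return 1
    fi
    if [ ! -f "$cpt_tree/contexts/files/file_contexts" ]; then
        echo "policy tree '$cpt_type' has no file_contexts to relabel against" >&2
        return 1
    fi
    echo "$cpt_type"
}

# Constructed fixture: a throwaway root with 'targeted' and 'intermediate'
# trees, one config selecting 'intermediate' and one selecting a tree that
# does not exist.  Prints the fixture path.
make_fixture() {
    mf_dir=$(mktemp -d)
    for mf_t in targeted intermediate; do
        mkdir -p "$mf_dir/$mf_t/policy" "$mf_dir/$mf_t/contexts/files"
        : > "$mf_dir/$mf_t/contexts/files/file_contexts"
    done
    printf 'SELINUX=enforcing\n# sample comment\nSELINUXTYPE=intermediate\n' \
        > "$mf_dir/config.ok"
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$mf_dir/config.missing"
    echo "$mf_dir"
}
```

Run it against a real system by pointing check_policy_tree at /etc/selinux/config and /etc/selinux; a non-zero exit means the SELINUXTYPE you just set names a tree the boot would not find, which is the mistake worth catching before the reboot.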