* Question about policy files and users
From: Michael Reilly @ 2003-10-04  4:00 UTC (permalink / raw)
  To: SE Linux


I downloaded the policy files from http://www.coker.com.au/selinux/policy/
and installed them on my Slackware system along with the selinux patches,
utils, etc. from the NSA site (the August release for a 2.4.21 kernel and
the old version of the API patches).

Everything went pretty well - I am now working on cleaning up the policy to
get rid of the remaining avc denied messages.

While working on this I noticed in the policy files I downloaded (and the
original policy files included in the downloaded files from the NSA site)
in file_contexts/types.fc this entry -

/home/jadmin/(/.*)?                     system_u:object_r:staff_home_t

(I, of course, replaced jadmin with my login name).  My question is why is
the entry not -

/home/jadmin/(/.*)?                     jadmin_u:object_r:staff_home_t

When I created new files in my login directory while the selinux kernel is
running they are labeled jadmin_u:object_r:staff_home_t

Being new to selinux I think I am missing something - why are the home
directory and the files in that directory not set to the id of the owner
(jadmin_u) instead of system_u?  And is my system doing something wrong by
labeling newly created files in my login directory
jadmin_u:object_r:staff_home_t?

BTW - I installed gentoo selinux on a different machine.  Their installation
guide indicates that the latter (jadmin_u:object_r:staff_home_t) is correct
and the policy files should be edited to use jadmin_u.

Thanks for any help you can provide.

michael
-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Question about policy files and users
From: Russell Coker @ 2003-10-04  7:27 UTC (permalink / raw)
  To: Michael Reilly, SE Linux

On Sat, 4 Oct 2003 14:00, Michael Reilly wrote:
> /home/jadmin/(/.*)?                     system_u:object_r:staff_home_t
>
> (I, of course, replaced jadmin with my login name).  My question is why is
> the entry not -
>
> /home/jadmin/(/.*)?                     jadmin_u:object_r:staff_home_t
>
> When I created new files in my login directory while the selinux kernel is
> running they are labeled jadmin_u:object_r:staff_home_t

You are correct that it might be a better default to have the account identity 
specified in the file contexts so that after you login for the first time you 
have the ability to use "chcon" to change the context (try changing the 
context of a file from system_u:object_r:staff_home_t and you'll discover 
that it's denied by the constraints file).

However the problem is labeling /home.  I am considering a special entry for 
setfiles to allow specifying the identity.  Until I get that done there's no 
way of properly labeling /home, and while /home does not have identities 
assigned there seems little point in assigning them to jadmin.

> Being new to selinux I think I am missing something - why does the home
> directory and the files in that directory not set to the id of the owner
> (jadmin_u) instead of system_u?  And is my system doing something wrong by
> labeling newly created files in my login directory
> jadmin_u:object_r:staff_home_t?

No.  The labeling of the files with your identity is desired.  That gives you 
slightly greater access to them than you would otherwise have.  When you 
create a file (or it is created on your behalf by some system process) you 
have the possibility of relabeling it to a different type.  When someone else 
in the same role creates a file then you will not be permitted to relabel it.

> BTW - I installed gentoo selinux on a different machine.  Their
> installation guide indicates that the latter
> (jadmin_u:object_r:staff_home_t) is correct and the policy files should be
> edited to use jadmin_u.

Yes, perhaps we should change the default policy.  But until I do some more 
coding on setfiles the big problem will remain unsolved.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
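An added example, not code from the thread or from the policy package it discusses: a small model of the two labelling paths Russell contrasts (the identity setfiles writes from file_contexts versus the creator's identity a new file receives) and of the identity constraint that then decides who may relabel. The file_contexts fragment, the `bob_u` peer account and the `CAN_CHANGE_OBJECT_IDENTITY` set are constructed; the constraint is a simplified assumption, and jadmin is the thread's placeholder login.

```python
import re

# Constructed file_contexts fragment modelled on the types.fc line quoted in
# the thread (written in the usual "(/.*)?" form); not the original file.
FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t
/home/jadmin(/.*)?           system_u:object_r:staff_home_t
"""

# Assumed simplification of the policy constraint on
# { create relabelfrom relabelto }: u1 == u2, or t1 may change object identity.
CAN_CHANGE_OBJECT_IDENTITY = {"sysadm_t"}  # constructed membership


def parse_file_contexts(text):
    """Parse 'regex [type] context' lines, keeping them in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries.append((re.compile("^" + fields[0] + "$"), fields[-1]))
    return entries


def setfiles_context(path, entries):
    """Context a relabel assigns: the last matching file_contexts entry wins."""
    ctx = None
    for regex, context in entries:
        if regex.match(path):
            ctx = context
    return ctx


def create_context(creator, parent):
    """Label a newly created file receives: the creating process's identity,
    object_r, and the parent directory's type (no type_transition assumed)."""
    return ":".join([creator.split(":")[0], "object_r", parent.split(":")[2]])


def relabel_allowed(proc, obj):
    """Identity constraint check for relabelfrom/relabelto by 'proc' on 'obj'."""
    user, _, proc_type = proc.split(":")
    return user == obj.split(":")[0] or proc_type in CAN_CHANGE_OBJECT_IDENTITY


def walk_through():
    entries = parse_file_contexts(FILE_CONTEXTS)
    jadmin = "jadmin_u:staff_r:staff_t"   # jadmin's login shell
    bob = "bob_u:staff_r:staff_t"         # another user in the same role
    home = setfiles_context("/home/jadmin", entries)  # written by setfiles
    note = create_context(jadmin, home)               # written on create()
    return {
        "home_dir": home,
        "new_file": note,
        "jadmin_relabels_own_file": relabel_allowed(jadmin, note),
        "jadmin_relabels_home_dir": relabel_allowed(jadmin, home),
        "bob_relabels_jadmin_file": relabel_allowed(bob, note),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The home directory ends up system_u while the new file carries jadmin_u, so chcon on the directory fails the identity constraint and chcon on the file passes, which is the behaviour the reply describes.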



* Re: Question about policy files and users
From: Dale Amon @ 2003-10-04  8:40 UTC (permalink / raw)
  To: Michael Reilly; +Cc: SE Linux

On Fri, Oct 03, 2003 at 09:00:14PM -0700, Michael Reilly wrote:
> /home/jadmin/(/.*)?                     system_u:object_r:staff_home_t
> 
> (I, of course, replaced jadmin with my login name).  My question is why is
> the entry not -
> 
> /home/jadmin/(/.*)?                     jadmin_u:object_r:staff_home_t
> 

Perhaps because an admin user will have sensitive files and 
sysadmin scripts in their directory. If not, you could 
change the file labeling.

