* Question about su
@ 2009-02-11  8:50 Dennis Wronka
  2009-02-11 10:46 ` Dominick Grift
  2009-02-11 15:59 ` Casey Schaufler
  0 siblings, 2 replies; 5+ messages in thread
From: Dennis Wronka @ 2009-02-11  8:50 UTC (permalink / raw)
  To: SE Linux

As I am working again on adjusting the reference policy to my distro I have 
run into a problem with su that raised the following question:

What use is su if a normal user after running su is still user_u:user_r:user_t 
and thus has no permissions to do stuff?

Sure, he's root, but because of SELinux that alone isn't worth much, as
being user_u still limits the user's options pretty much.

Is there anything I misunderstand here? I don't think there should be an 
automatic transition from user_r to sysadm_r, and newrole-ing this doesn't work
as user_u doesn't have the sysadmin-role.

So, what the heck is the use of su on a SELinux-system?

To give you a little overview on what I am trying to do here with my system:
I have configured the policy to be MLS, thus split up powers to different 
roles.
root can compile a new policy in sysadm_r, but needs to be secadm_r to load 
it.
Regular users can compile stuff, root can't (at least not as sysadm_r, I might 
enable this for staff_r and then require sysadm_r for the install-process).

But for now the problem really is that su to me seems pretty useless right 
now.

Thanks and best regards,
Dennis


* Re: Question about su
  2009-02-11  8:50 Question about su Dennis Wronka
@ 2009-02-11 10:46 ` Dominick Grift
  2009-02-11 13:01   ` Dennis Wronka
  2009-02-11 15:59 ` Casey Schaufler
  1 sibling, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2009-02-11 10:46 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SE Linux

On Wed, 2009-02-11 at 16:50 +0800, Dennis Wronka wrote:
> What use is su if a normal user after running su is still user_u:user_r:user_t 
> and thus has no permissions to do stuff?

user_t is an unprivileged user domain.

> Sure, he's root, but because of SELinux that alone isn't worth much, as
> being user_u still limits the user's options pretty much.

user_t should not use root. user_t is confined to this domain. It is not
designed to "user" domain transition.

> Is there anything I misunderstand here? I don't think there should be an 
> automatic transition from user_r to sysadm_r, and newrole-ing this doesn't work
> as user_u doesn't have the sysadmin-role.

staff_t is the domain that can use root by first running newrole -r
sysadm_r and then su.

> So, what the heck is the use of su on a SELinux-system?

It works but just not for user_t. Map users that should be able to
"user" domain transition to privileged roles to the staff_u SELinux user
group.

hth, Dominick

> Thanks and best regards,
> Dennis


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
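
Added example, not part of the thread: a shell check for the point made in the reply above, that su alone does not change the SELinux role and only logins mapped to an SELinux user authorised for sysadm_r (staff_u here) can newrole to it. The two semanage listings are constructed samples with an assumed column layout, and the login alice and the helper function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `semanage user -l` output (column layout assumed).
sample_users() {
cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r
user_u          user       s0         s0               user_r
EOF
}

# Constructed sample of `semanage login -l` output; alice is hypothetical.
sample_logins() {
cat <<'EOF'
Login Name    SELinux User   MLS/MCS Range    Service

__default__   user_u         s0               *
alice         staff_u        s0-s0:c0.c1023   *
root          root           s0-s0:c0.c1023   *
EOF
}

# roles_of SEUSER: roles the SELinux user is authorised for (fields 5..NF).
roles_of() {
    sample_users | awk -v u="$1" \
        'NF >= 5 && $1 == u { for (i = 5; i <= NF; i++) print $i }'
}

# can_reach SEUSER ROLE: true if ROLE is in the user's role set. This is a
# necessary condition for `newrole -r ROLE`; policy must also allow the
# role change itself.
can_reach() {
    roles_of "$1" | grep -qx "$2"
}

# logins_reaching ROLE: Linux logins mapped to an SELinux user with ROLE.
logins_reaching() {
    sample_logins | awk 'NF >= 4 && $1 != "Login" { print $1, $2 }' |
    while read -r login seuser; do
        if can_reach "$seuser" "$1"; then echo "$login"; fi
    done
}

# On a live system, feed the two functions from `semanage user -l` and
# `semanage login -l` instead of the samples.
logins_reaching sysadm_r
```

Mapping a login to staff_u, as the reply suggests, is done with `semanage login -a -s staff_u LOGIN`.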


* Re: Question about su
  2009-02-11 10:46 ` Dominick Grift
@ 2009-02-11 13:01   ` Dennis Wronka
  2009-02-11 13:16     ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Dennis Wronka @ 2009-02-11 13:01 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SE Linux

Thanks. This info helped a lot.
So user_u is for regular users that are just supposed to do stuff with what 
the system offers. Anything else, like installing stuff is loaded off to users 
that are at least staff_u or above.

It's something one has to get used to, especially the part of newrole-ing 
first and afterwards using su.

On Wednesday 11 February 2009 18:46:36 Dominick Grift wrote:
> On Wed, 2009-02-11 at 16:50 +0800, Dennis Wronka wrote:
> > What use is su if a normal user after running su is still
> > user_u:user_r:user_t and thus has no permissions to do stuff?
>
> user_t is an unprivileged user domain.
>
> > Sure, he's root, but because of SELinux that alone isn't worth much,
> > as being user_u still limits the user's options pretty much.
>
> user_t should not use root. user_t is confined to this domain. It is not
> designed to "user" domain transition.
>
> > Is there anything I misunderstand here? I don't think there should be an
> > automatic transition from user_r to sysadm_r, and newrole-ing this doesn't
> > work as user_u doesn't have the sysadmin-role.
>
> staff_t is the domain that can use root by first running newrole -r
> sysadm_r and then su.
>
> > So, what the heck is the use of su on a SELinux-system?
>
> It works but just not for user_t. Map users that should be able to
> "user" domain transition to privileged roles to the staff_u SELinux user
> group.
>
> hth, Dominick
>
> > Thanks and best regards,
> > Dennis
>

* Re: Question about su
  2009-02-11 13:01   ` Dennis Wronka
@ 2009-02-11 13:16     ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2009-02-11 13:16 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SE Linux

On Wed, 2009-02-11 at 21:01 +0800, Dennis Wronka wrote:
> Thanks. This info helped a lot.
> So user_u is for regular users that are just supposed to do stuff with what 
> the system offers. Anything else, like installing stuff is loaded off to users 
> that are at least staff_u or above.
> 
> It's something one has to get used to, especially the part of newrole-ing 
> first and afterwards using su.

In Fedora (targeted policy) we use sudo to transition to root and
privileged user domains. This has the advantage that one can delegate
privileged tasks without having to share root's password. It also saves
you from having to authenticate two times.

Yes, user_u is for users that should never be able to do privileged
tasks.

Staff_u can domain transition to more permissive user domains.


* Re: Question about su
  2009-02-11  8:50 Question about su Dennis Wronka
  2009-02-11 10:46 ` Dominick Grift
@ 2009-02-11 15:59 ` Casey Schaufler
  1 sibling, 0 replies; 5+ messages in thread
From: Casey Schaufler @ 2009-02-11 15:59 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SE Linux

Dennis Wronka wrote:
> ...
>
> So, what the heck is the use of su on a SELinux-system?

An aspect of su that is frequently overlooked is that su provides
a mechanism to Switch User (that's what it's short for) and that
there are cases where you might want to perform an action as another
unprivileged user. On SELinux su should properly be thought of as
either a DAC tool or an I&A mechanism, depending on the needs of
the people to whom you're explaining the system.


