From: Dennis Wronka <linuxweb@gmx.net>
To: Dominick Grift <domg472@gmail.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Question about su
Date: Wed, 11 Feb 2009 21:01:02 +0800	[thread overview]
Message-ID: <200902112101.05913.linuxweb@gmx.net> (raw)
In-Reply-To: <1234349196.13112.16.camel@notebook1.grift.internal>


Thanks. This info helped a lot.
So user_u is for regular users that are just supposed to do stuff with what
the system offers. Anything else, like installing stuff, is offloaded to users
that are at least staff_u or above.

It's something one has to get used to, especially the part of newrole-ing 
first and afterwards using su.

On Wednesday 11 February 2009 18:46:36 Dominick Grift wrote:
> On Wed, 2009-02-11 at 16:50 +0800, Dennis Wronka wrote:
> > What use is su if a normal user after running su is still
> > user_u:user_r:user_t and thus has no permissions to do stuff?
>
> user_t is an unprivileged user domain.
>
> > Sure, he's root, but as because of SELinux that alone isn't worth much,
> > as being user_u still limits the user's options pretty much.
>
> user_t should not use root. user_t is confined to this domain. It is not
> designed to "user" domain transition.
>
> > Is there anything I misunderstand here? I don't think there should be an
> > automatic transition from user_r to sysadm_r, and newrole-ing this doesn't
> > work as user_u doesn't have the sysadmin-role.
>
> staff_t is the domain that can use root by first running newrole -r
> sysadm_r and then su.
>
> > So, what the heck is the use of su on a SELinux-system?
>
> It works but just not for user_t. Map users that should be able to
> "user" domain transition to privileged roles to the staff_u SELinux user
> group.
>
> hth, Dominick
>
> > Thanks and best regards,
> > Dennis
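As an added example (not part of this thread), a small audit helper that resolves which SELinux user a Linux login maps to, using the `/etc/selinux/<policy>/seusers` format (`login:seuser:range`), and reports what the thread says about using `su` from that identity. The sample mapping is constructed; the guidance strings and function names are my own.

```python
"""Resolve Linux logins to SELinux users and report whether su can help.

The sample below is constructed and follows the seusers file format
(login:seuser:mls_range) that semanage login manages. Only explicit
entries and __default__ are resolved; %group entries are not handled.
"""
from typing import Dict, Tuple

# Constructed sample in the format of /etc/selinux/targeted/seusers
SAMPLE_SEUSERS = """\
# login:seuser:range
__default__:user_u:s0
root:unconfined_u:s0-s0:c0.c1023
alice:staff_u:s0-s0:c0.c1023
bob:user_u:s0
"""

# What the thread says each SELinux user can do about becoming root
GUIDANCE = {
    "user_u": "unprivileged: su gives uid 0 but the process stays in user_t",
    "staff_u": "run 'newrole -r sysadm_r' first, then 'su'",
}


def parse_seusers(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {login: (seuser, mls_range)}, skipping comments and blanks."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # range may itself contain ':' (s0-s0:c0.c1023), so split at most twice
        login, seuser, mls_range = line.split(":", 2)
        mapping[login] = (seuser, mls_range)
    return mapping


def seuser_for(login: str, mapping: Dict[str, Tuple[str, str]]) -> str:
    """Explicit entry wins; otherwise the __default__ entry applies."""
    entry = mapping.get(login) or mapping.get("__default__")
    if entry is None:
        raise KeyError(f"no mapping for {login!r} and no __default__ entry")
    return entry[0]


def su_advice(login: str, mapping: Dict[str, Tuple[str, str]]) -> str:
    """Describe what su achieves for this login's SELinux user."""
    seuser = seuser_for(login, mapping)
    return GUIDANCE.get(seuser, f"{seuser}: not covered here; see 'semanage user -l'")
```

On a real host, feed it the contents of the seusers file for the active policy and compare against `id -Z` for each login.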


