* change login.c
@ 2002-01-06 2:38 Shaun Savage
2002-01-07 14:07 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Shaun Savage @ 2002-01-06 2:38 UTC (permalink / raw)
To: selinux
Hi
during login with selinux, the question "do you want to change context"
is asked. My feeling is that this creates complexity problem. I have
changed get_user_sid() to get_default_user_sid(). This does not confuse
"the user" also, if someone does get root this adds one more fence.
Shaun Savage
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: change login.c
2002-01-06 2:38 change login.c Shaun Savage
@ 2002-01-07 14:07 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2002-01-07 14:07 UTC (permalink / raw)
To: Shaun Savage; +Cc: selinux
On Sat, 5 Jan 2002, Shaun Savage wrote:
> during login with selinux, the question "do you want to change context"
> is asked. My feeling is that this creates complexity problem. I have
> changed get_user_sid() to get_default_user_sid(). This does not confuse
> "the user" also, if someone does get root this adds one more fence.
It seems like you are moving in the wrong direction here. Even if a user
specifies a security context to login, he is still limited by the kernel
to the set of authorized roles and domains that are legal for the user
(policy/users and policy/rbac) and that are reachable from the login
process (i.e. there must be a domain_auto_trans rule or a domain_trans
rule in login.te). So there is no real risk in permitting the user to
specify a security context at login time.
Even if you remove this support, a user can still change roles later
via newrole. I doubt that you want to remove that program and domain.
With regard to root, keep in mind a couple of points:
1) The SELinux user identity is separate from the Linux uids and can only
be set by certain trusted domains/programs. The limitations on the
SELinux role and domain are based on the SELinux user identity, not the
Linux uids, so simply becoming the Unix superuser (e.g. by penetrating
a superuser daemon or by exploiting a flaw in a setuid program) does not
change your set of authorized roles or domains. You have to actually
authenticate yourself as root to one of the trusted domains/programs.
2) You don't necessarily have to grant the "root" user access to the
sysadm_r role. You can limit root to user_r in policy/users and only
grant sysadm_r to particular users. That's up to you.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2002-01-07 14:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-01-06 2:38 change login.c Shaun Savage
2002-01-07 14:07 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.