* system_r and sysadm_r roles
@ 2004-03-08 11:39 Carlos Anísio Monteiro
  2004-03-08 14:50 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Carlos Anísio Monteiro @ 2004-03-08 11:39 UTC (permalink / raw)
  To: selinux

Hello.

I'd like to know why there is a transition permission between system_r
and sysadm_r.

Example:  allow system_r sysadm_r;

Could this induce a security problem?

Thanks.

-- 
Carlos Anísio Monteiro	<monteiro@ipen.br>
IPEN-CNEN/SP
São Paulo - Brasil



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: system_r and sysadm_r roles
  2004-03-08 11:39 system_r and sysadm_r roles Carlos Anísio Monteiro
@ 2004-03-08 14:50 ` Stephen Smalley
  2004-03-08 17:14   ` Carlos Anísio Monteiro
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2004-03-08 14:50 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

On Mon, 2004-03-08 at 06:39, Carlos Anísio Monteiro wrote:
> I'd like to know why there is a transition permission between system_r
> and sysadm_r.
> 
> Example:  allow system_r sysadm_r;

The login process (which is a system_r process) transitions to sysadm_r
for administrative logins.  

> Could this induce a security problem?

No, domain transitions are the key.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: system_r and sysadm_r roles
  2004-03-08 14:50 ` Stephen Smalley
@ 2004-03-08 17:14   ` Carlos Anísio Monteiro
  2004-03-08 17:28     ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Carlos Anísio Monteiro @ 2004-03-08 17:14 UTC (permalink / raw)
  To: selinux


Stephen Smalley wrote:

> > Could this induce a security problem?
>
> No, domain transitions are the key.

Sorry, but I don't understand this. If a failure (one that provides a root
shell) occurs in a system process, can't a transition to the sysadm_r
role occur?

Many thanks.

-- 
Carlos Anísio Monteiro	<monteiro@ipen.br>
IPEN-CNEN/SP
São Paulo - Brasil




* Re: system_r and sysadm_r roles
  2004-03-08 17:14   ` Carlos Anísio Monteiro
@ 2004-03-08 17:28     ` Stephen Smalley
  2004-03-08 17:38       ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2004-03-08 17:28 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

On Mon, 2004-03-08 at 12:14, Carlos Anísio Monteiro wrote:
> Sorry, but I don't understand this. If a failure (one that provides a root
> shell) occurs in a system process, can't a transition to the sysadm_r
> role occur?

Not unless the domain can transition to a domain associated with
sysadm_r, and the role transition meets the boolean condition specified
in policy/constraints for role changes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: system_r and sysadm_r roles
  2004-03-08 17:28     ` Stephen Smalley
@ 2004-03-08 17:38       ` Stephen Smalley
  0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2004-03-08 17:38 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

On Mon, 2004-03-08 at 12:28, Stephen Smalley wrote:
> On Mon, 2004-03-08 at 12:14, Carlos Anísio Monteiro wrote:
> > Sorry, but I don't understand this. If a failure (one that provides a root
> > shell) occurs in a system process, can't a transition to the sysadm_r
> > role occur?
> 
> Not unless the domain can transition to a domain associated with
> sysadm_r, and the role transition meets the boolean condition specified
> in policy/constraints for role changes.

Oh, and it would also have to transition to a user identity authorized
for sysadm_r, which would require meeting another boolean condition
specified in policy/constraints for user identity changes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
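
Added example, not written by anyone in this thread: a simplified Python model of the conditions listed in the replies above, showing that `allow system_r sysadm_r;` alone does not let a compromised system_r process reach sysadm_r. The policy table, the type names (`local_login_t`, `daemon_t`, `sysadm_t`) and the two constraint sets are constructed for illustration and are not the kernel's actual algorithm or any shipped policy.

```python
from collections import namedtuple

Ctx = namedtuple("Ctx", "user role type")

# Constructed toy policy; every type, user and set name here is illustrative.
POLICY = {
    "role_allow": {("system_r", "sysadm_r")},          # allow system_r sysadm_r;
    "role_types": {"system_r": {"local_login_t", "daemon_t"},
                   "sysadm_r": {"sysadm_t"}},          # domains associated with a role
    "user_roles": {"system_u": {"system_r"},
                   "root": {"sysadm_r"}},              # roles a user is authorized for
    "domain_trans": {("local_login_t", "sysadm_t")},   # permitted domain transitions
    "may_change_role": {"local_login_t"},              # passes role-change constraint
    "may_change_user": {"local_login_t"},              # passes user-change constraint
}

def denials(p, src, dst):
    """Return every reason the src -> dst process transition is refused."""
    why = []
    if src.type != dst.type and (src.type, dst.type) not in p["domain_trans"]:
        why.append("no domain transition %s -> %s" % (src.type, dst.type))
    if dst.type not in p["role_types"].get(dst.role, set()):
        why.append("%s not associated with %s" % (dst.type, dst.role))
    if src.role != dst.role:
        if (src.role, dst.role) not in p["role_allow"]:
            why.append("no role allow %s -> %s" % (src.role, dst.role))
        if src.type not in p["may_change_role"]:
            why.append("role-change constraint fails for %s" % src.type)
    if src.user != dst.user and src.type not in p["may_change_user"]:
        why.append("user-change constraint fails for %s" % src.type)
    if dst.role not in p["user_roles"].get(dst.user, set()):
        why.append("%s not authorized for %s" % (dst.user, dst.role))
    return why

LOGIN = Ctx("system_u", "system_r", "local_login_t")   # the login process
DAEMON = Ctx("system_u", "system_r", "daemon_t")       # a compromised system process
ADMIN = Ctx("root", "sysadm_r", "sysadm_t")            # administrative login context

if __name__ == "__main__":
    print("login  ->", denials(POLICY, LOGIN, ADMIN) or "allowed")
    print("daemon ->", denials(POLICY, DAEMON, ADMIN) or "allowed")
```

Both source contexts run in system_r, so the role allow rule is satisfied for each; only the login domain also passes the domain-transition and constraint checks.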

