Role questions

Role questions

[Artur M. Piwko]

1. When I su - from myuser:staff_r:staff_t to root I'm still myuser,
    instead of root:staff_r:staff_t. What I did wrong?
2. How can one set up initial sysadm_r password? All i see is:

# newrole -r sysadm_r
Authenticating myuser.
newrole: incorrect password for myser

Artur

-- 
Artur M. Piwko : AMP29-RIPE : ISPC:+48413496205 : jab:pipen@jabberpl.org
Akademia Swietokrzyska  ::  Uczelniane Centrum Informatyczne  ::  Kielce
PGP id:B969478F finger:35E6 E3A3 8120 F000 1375 5A1C 23A8 1A71 B969 478F
"Death is just life's way of telling you you've been fired"  --  unknown

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Role questions

[Artur M. Piwko]

Artur M. Piwko wrote:
> 1. When I su - from myuser:staff_r:staff_t to root I'm still myuser,
>    instead of root:staff_r:staff_t. What I did wrong?

Still working on it.

Naturally users are defined in /etc/selinux/src/users.

user root roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', 
`system_r') };
user myuser roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', 
`system_r') };

> 2. How can one set up initial sysadm_r password? All i see is:
> 
> # newrole -r sysadm_r
> Authenticating myuser.
> newrole: incorrect password for myser
> 

I browsed newrole.c. The problem was PAM.
This is what /etc/pam.d/newrole looked like after policycoreutils
installation:

auth     required  /lib/security/$ISA/pam_stack.so service=system-auth
account  required  /lib/security/$ISA/pam_stack.so service=system-auth
password required  /lib/security/$ISA/pam_stack.so service=system-auth
session  required  /lib/security/$ISA/pam_stack.so service=system-auth
session  optional  /lib/security/$ISA/pam_xauth.so

None of the libs were present. Removing these lines helped.
Same apply to /etc/pam.d/run_init.

-- 
Artur M. Piwko : AMP29-RIPE : ISPC:+48413496205 : jab:pipen@jabberpl.org
Akademia Swietokrzyska  ::  Uczelniane Centrum Informatyczne  ::  Kielce
PGP id:B969478F finger:35E6 E3A3 8120 F000 1375 5A1C 23A8 1A71 B969 478F
"Death is just life's way of telling you you've been fired"  --  unknown

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Role questions

[Stephen Smalley]

On Wed, 2004-09-22 at 09:35, Artur M. Piwko wrote:
> 1. When I su - from myuser:staff_r:staff_t to root I'm still myuser,
>     instead of root:staff_r:staff_t. What I did wrong?
> 2. How can one set up initial sysadm_r password? All i see is:
> 
> # newrole -r sysadm_r
> Authenticating myuser.
> newrole: incorrect password for myser

What distribution are you using as your base?  In Fedora, su uses
pam_selinux and thus changes the SELinux user identity as well.  In
other distros, su typically only changes the Linux user identity and
leaves the SELinux user identity unchanged.

newrole just re-authenticates the current user, and the policy governs
whether or not the current user is authorized for the new role via
policy/users.  The password authentication is not to authorize entrance
into the role; it just acts as a primitive form of user confirmation to
reduce the risk of malicious code changing roles without the user's
consent/awareness.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.