From: Daniel J Walsh <dwalsh@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Rawhide updated to use getseuserbyname for logins.
Date: Fri, 14 Oct 2005 11:07:00 -0400
Message-ID: <434FC994.1090203@redhat.com>
This means that gdm, pam, and sshd have been updated to use the seusers file
to map Linux users to SELinux users.
(gdm will be there tonight.)
This means that people can start taking advantage of labeled files on
your system and try to create documents with different categories. You
can also generate users who will not be allowed to access these files.
How does seusers work?
A new file, /etc/selinux/TYPE/seusers, has been added to all
policies. In strict and targeted policy it looks like:
cat /etc/selinux/targeted/seusers
root:root:s0-s0:c0.c255
default:user_u:s0
In MLS:
cat /etc/selinux/mls/seusers
root:root:s0-s15:c0.c255
default:user_u:s0
Most users will map directly to the "default" user, which usually gives
user_u and level s0. So most users do not need to change anything.
Policy has been updated to support 256 categories and 16 sensitivity
levels (for MLS). You may need to change your /etc/mcs.conf file for
SystemHigh to reflect this change: change c127 to c255.
You can manipulate the seusers file to change the role/level of
individual users on your system. For example, if I added a dwalsh
"selinux user" on my system and wanted to allow maximum MCS access for
dwalsh, I would add an entry of
dwalsh:dwalsh:s0-s0:c0.c255
to the seusers file.
If I wanted to add a user, bgates, to have limited privs but allow
access to Secret Documents, c1, I would add
bgates:user_u:s0-s0:c1
(I would also define "s0:c1=Secret" in /etc/mcs.conf)
If I do not add a Linux user, I get the "default" entry
default:user_u:s0
If I wanted all my users to have full MCS privs by default, I could
modify the "default" entry to
default:user_u:s0-s0:c0.c255
In strict policy you could add an entry like
dwalsh:staff_u:s0-s0:c0.c255
Genhomedircon has not been modified yet to read this, though :^(
Dan
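As an added example (not part of Dan's mail and not libselinux's own code), here is a small Python reader for the seusers format described above. It implements the lookup rule the mail relies on (a Linux user's own entry, else the "default" entry, which is what getseuserbyname() does), expands MCS/MLS ranges such as s0-s0:c0.c255, and checks each entry against the 16 sensitivity levels and 256 categories the mail says policy now supports, which is the same mismatch the SystemHigh note about /etc/mcs.conf warns about. The sample file content is constructed from the entries in the mail; the constants, function names, and the check itself are this example's own assumptions, not something shipped with the policy packages.

```python
import re

# Constructed sample in the /etc/selinux/TYPE/seusers format: the targeted
# entries from the mail plus its dwalsh and bgates examples (not a real host's file).
SAMPLE_SEUSERS = """\
# Linux user:SELinux user:MLS/MCS range
root:root:s0-s0:c0.c255
dwalsh:dwalsh:s0-s0:c0.c255
bgates:user_u:s0-s0:c1
default:user_u:s0
"""

# Assumed policy limits, taken from the figures in the mail.
MAX_SENSITIVITY = 15   # s0..s15: 16 sensitivity levels
MAX_CATEGORY = 255     # c0..c255: 256 categories


def parse_categories(spec):
    """Expand a category spec such as 'c0.c255' or 'c1,c3.c5' into a set of ints."""
    cats = set()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if m is None:
            raise ValueError("bad category spec %r" % spec)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError("inverted category range %r" % part)
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """'s0:c0.c255' -> (0, {0..255}); a bare 's0' -> (0, set())."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", level)
    if m is None:
        raise ValueError("bad level %r" % level)
    cats = parse_categories(m.group(2)) if m.group(2) else set()
    return int(m.group(1)), cats


def parse_range(rng):
    """'s0-s0:c0.c255' -> (low, high); a single level means low == high."""
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return low_lvl, high_lvl


def parse_seusers(text):
    """Map each Linux user to (selinux_user, (low_level, high_level))."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The range field itself contains ':' so split at most twice.
        fields = line.split(":", 2)
        if len(fields) != 3:
            raise ValueError("line %d: expected user:seuser:range" % lineno)
        user, seuser, rng = fields
        table[user] = (seuser, parse_range(rng))
    return table


def lookup(table, username):
    """Mimic getseuserbyname(): the user's own entry, else the "default" entry."""
    if username in table:
        return table[username]
    return table["default"]


def check_entry(entry):
    """Return the problems with one entry; an empty list means it is consistent."""
    _seuser, ((lo_s, lo_c), (hi_s, hi_c)) = entry
    problems = []
    if hi_s > MAX_SENSITIVITY:
        problems.append("sensitivity s%d exceeds policy maximum s%d" % (hi_s, MAX_SENSITIVITY))
    if hi_c and max(hi_c) > MAX_CATEGORY:
        problems.append("category c%d exceeds policy maximum c%d" % (max(hi_c), MAX_CATEGORY))
    # The low level must be dominated by the high level (MLS ordering).
    if lo_s > hi_s or not lo_c <= hi_c:
        problems.append("low level is not dominated by high level")
    return problems


if __name__ == "__main__":
    table = parse_seusers(SAMPLE_SEUSERS)
    for name in ("root", "dwalsh", "bgates", "alice"):
        seuser, (low, high) = lookup(table, name)
        print("%-7s -> %-7s s%d(%d cats) .. s%d(%d cats) %s"
              % (name, seuser, low[0], len(low[1]), high[0], len(high[1]),
                 check_entry((seuser, (low, high))) or "ok"))
```

Running the block prints one line per user; "alice" has no entry of her own and so falls through to the default user_u:s0, exactly as the mail describes for Linux users that are not listed. The check_entry() function is the part worth keeping around: an entry whose high category is above what the loaded policy defines is the kind of inconsistency that surfaces only at login time.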