Rawhide updated to use getseuserbyname for logins.
From: Daniel J Walsh @ 2005-10-14 15:07 UTC
  To: SE Linux

This means that gdm, pam and sshd have been updated to use the seusers file
to map Linux users to SELinux users.
(gdm will be there tonight)

This means that people can start taking advantage of labeled files on
your system and try to create documents with different categories. You
can also generate users who will not be allowed to access these files.

How does seusers work?

A new file, /etc/selinux/TYPE/seusers, has been added to all
policies. In strict and targeted policy it looks like:

cat /etc/selinux/targeted/seusers
root:root:s0-s0:c0.c255
default:user_u:s0

In MLS:

cat /etc/selinux/mls/seusers
root:root:s0-s15:c0.c255
default:user_u:s0

Most users will map directly to the "default" user, which usually gives
user_u and level s0. So most users do not need to change anything.

Policy has been updated to support 256 categories and 16 sensitivity
levels (for MLS). You may need to change your /etc/mcs.conf file for
SystemHigh to reflect this change: change c127 to c255.

You can manipulate the seusers file to change the role/level of
individual users on your system. For example, if I added a dwalsh
"selinux user" on my system and wanted to allow maximum MCS access for
dwalsh, I would add an entry of

dwalsh:dwalsh:s0-s0:c0.c255

to the seusers file.

If I wanted to add a user, bgates, to have limited privs but allow
access to Secret documents (c1), I would add

bgates:user_u:s0-s0:c1

(I would also define "s0:c1=Secret" in /etc/mcs.conf.)

If I do not add a Linux user, I get the "default" entry:

default:user_u:s0

If I wanted all my users to have full MCS privs by default, I could
modify the "default" entry to

default:user_u:s0-s0:c0.c255

In strict policy you could add an entry like

dwalsh:staff_u:s0-s0:c0.c255

Genhomedircon has not been modified yet to read this, though :^(

Dan
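The lookup the message describes, as an added example that is not part of the original post or of libselinux: a small Python resolver that parses seusers entries in the format quoted above, maps a Linux login name to its SELinux user and MLS/MCS range (falling back to the "default" entry the way getseuserbyname does), checks that a range stays inside the 16-sensitivity/256-category limits the message mentions, and decides whether a user's high level dominates a file's MCS level. The sample seusers text is constructed from the entries in the message; the function names and the dominance helper are this example's own, not libselinux API.

```python
"""Simplified seusers resolver and MCS dominance check (added example)."""
import re

# Constructed sample: the targeted-policy file from the message plus the
# dwalsh and bgates entries it adds later.
SEUSERS_TEXT = """\
# Linux user : SELinux user : MLS/MCS range
root:root:s0-s0:c0.c255
dwalsh:dwalsh:s0-s0:c0.c255
bgates:user_u:s0-s0:c1
default:user_u:s0
"""

# A level is "s<N>" optionally followed by ":<categories>".
LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_seusers(text):
    """Return {linux_user: (selinux_user, range_string)}.

    Blank lines and '#' comments are skipped.  The range field may itself
    contain ':' (s0:c0.c255), so split on the first two colons only.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("malformed seusers line: %r" % raw)
        linux_user, seuser, mls_range = parts
        entries[linux_user] = (seuser, mls_range)
    return entries


def get_seuser_by_name(entries, name):
    """Map a Linux user to (selinux_user, range), falling back to the
    'default' entry as described in the message (hypothetical helper)."""
    if name in entries:
        return entries[name]
    if "default" in entries:
        return entries["default"]
    raise KeyError("no entry for %s and no default" % name)


def parse_categories(spec):
    """'c0.c255,c3' -> set of ints; '.' denotes an inclusive range."""
    cats = set()
    for item in spec.split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def parse_level(level):
    """'s0:c1' -> (0, {1}); 's0' -> (0, set())."""
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError("bad level: %r" % level)
    sens = int(m.group(1))
    cats = parse_categories(m.group(2)) if m.group(2) else set()
    return sens, cats


def parse_range(mls_range):
    """'s0-s15:c0.c255' -> (low, high); a bare level is both low and high."""
    low, _, high = mls_range.partition("-")
    low_level = parse_level(low)
    high_level = parse_level(high) if high else low_level
    return low_level, high_level


def within_policy(mls_range, max_sens=15, max_cat=255):
    """True if the range fits the 16 sensitivities / 256 categories the
    updated policy defines (s0-s15, c0-c255)."""
    low, high = parse_range(mls_range)
    cats = low[1] | high[1]
    return high[0] <= max_sens and (not cats or max(cats) <= max_cat)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a
    superset of b's.  Reading requires the subject's high level to
    dominate the object's level."""
    return a[0] >= b[0] and a[1] >= b[1]


def can_read(entries, linux_user, file_level):
    """Would linux_user's seusers range let them read file_level?"""
    _, mls_range = get_seuser_by_name(entries, linux_user)
    _, high = parse_range(mls_range)
    return dominates(high, parse_level(file_level))


if __name__ == "__main__":
    e = parse_seusers(SEUSERS_TEXT)
    for user in ("root", "dwalsh", "bgates", "alice"):
        print(user, get_seuser_by_name(e, user), can_read(e, user, "s0:c1"))
```

With the sample above, bgates and dwalsh can read a file labeled s0:c1 (Secret), while a user with no entry falls through to default:user_u:s0 and cannot; an entry such as s0:c256 or s0-s16 is rejected by within_policy because it exceeds the c0.c255 / s0-s15 limits the message says the policy now supports.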


