From: Ken YANG <spng.yang@gmail.com>
To: SELinux List <selinux@tycho.nsa.gov>
Subject: three problems about normal user login in strict policy
Date: Thu, 07 Jun 2007 20:22:16 +0800	[thread overview]
Message-ID: <4667F878.9030805@gmail.com> (raw)

Hi all,

I studied the point from Walsh about non-root X login; see details in the following thread:

http://marc.info/?l=selinux&m=118050940823692&w=2

When I log in with a normal user (user_u), I have some questions
(I'm on FC7 with the strict-mcs policy at svn version 2301):

1.
When I log in as user_u, I find I cannot switch to staff_u through su,
but I notice that there is a corresponding line in the "default_contexts" file:

user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0

and in the policy, I found that the conditions for the su domain transition are
satisfied, including the su_exec_t entrypoint and type_transition rules;
furthermore, I also meet the constraint conditions in
su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
domain_subj_id_change_exemption($1_su_t),
domain_obj_id_change_exemption($1_su_t), etc.

But I still cannot switch to staff_r:staff_t through su:

su -l staffuser

staffuser is another user; I associate it with staff_u:

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
staffuser                 staff_u                   s0
system_u                  system_u                  s0-s0:c0.c1023

Can anyone give me some hints? Thanks.


2.
As mentioned above, if I use staffuser to log in, I can newrole
to sysadm_r, but this way is the same as root login; I think this
is meaningless.

So how can I log in with a normal user (user_u) and switch to the
sysadm role when performing admin tasks?

3.
I declared a user in policy:

gen_user(ken, user, user_r, s0, s0)

"ken" is my Linux login user. I think that if the login program finds the
same SELinux user and Linux user identity, it will use "ken"
in the context for the initial shell process, but after I log in
through tty2 and execute "id -Z", I find that the user in my context
is still user_u, i.e. user_u:user_r:user_t:s0. Why?

Thanks in advance.
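The mechanics the three questions turn on (the default_contexts lookup keyed by the caller's role:type:range, the login-to-SELinux-user map that `semanage login -l` prints, and the role set each gen_user() grants) can be modelled in a few lines. The script below is an added example, not code from the post or from libselinux; its default_contexts lines, login map and role sets are constructed sample data, and the selection logic is a simplified model of get_ordered_context_list(3) that ignores the loaded policy, so it shows what the configuration files offer, not what the kernel will permit.

```python
"""Model of how SELinux picks a session context from default_contexts plus the
login-to-SELinux-user map.  Added illustration, not code from the post above
or from libselinux.  The sample data is constructed, and the selection logic
is a deliberately simplified model of get_ordered_context_list(3): it reads
what the configuration files offer and filters by the target SELinux user's
declared roles, but it does not consult the loaded policy (entrypoints,
type_transition rules, constraints), which is where a transition the config
offers can still be refused."""

from typing import Dict, List, Set

# Constructed sample in the format of contexts/default_contexts: the first
# field is the caller's role:type:range, the remaining fields are the
# candidate contexts for the new session, most preferred first.
DEFAULT_CONTEXTS = """\
# caller                    candidates, most preferred first
user_r:user_su_t:s0         staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0   user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""

# Constructed login -> SELinux user map, as `semanage login -l` reports it.
LOGIN_MAP: Dict[str, str] = {
    "__default__": "user_u",
    "root": "root",
    "staffuser": "staff_u",
}

# Constructed role sets, i.e. what gen_user() declares for each SELinux user.
USER_ROLES: Dict[str, Set[str]] = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r"},
}


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Map caller role:type:range -> ordered list of candidate contexts."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        caller, *candidates = line.split()
        table[caller] = candidates
    return table


def selinux_user_for(login: str, login_map: Dict[str, str] = LOGIN_MAP) -> str:
    """A login with no explicit entry falls back to __default__, as seusers does."""
    return login_map.get(login, login_map["__default__"])


def candidate_contexts(current: str, target_login: str,
                       table: Dict[str, List[str]] = None,
                       login_map: Dict[str, str] = LOGIN_MAP,
                       user_roles: Dict[str, Set[str]] = USER_ROLES) -> List[str]:
    """Full contexts the config offers for target_login, given the caller's
    current context.  An empty list means the config offers nothing."""
    if table is None:
        table = parse_default_contexts(DEFAULT_CONTEXTS)
    seuser = selinux_user_for(target_login, login_map)
    roles = user_roles.get(seuser, set())
    # default_contexts is keyed without the user field; split once so an MLS
    # range such as s0-s0:c0.c1023 keeps its own colons intact.
    caller = current.split(":", 1)[1]
    return [f"{seuser}:{cand}" for cand in table.get(caller, [])
            if cand.split(":")[0] in roles]


if __name__ == "__main__":
    for cur, login in [("user_u:user_r:user_su_t:s0", "staffuser"),
                       ("user_u:user_r:user_su_t:s0", "ken"),
                       ("system_u:system_r:local_login_t:s0", "root")]:
        offered = candidate_contexts(cur, login)
        print(f"{cur} -> {login}: {offered or 'nothing offered'}")
```

Run as a script it prints, for each caller/target pair, the ordered candidates the configuration offers. Note that a login absent from the map is resolved through `__default__`, and that a caller context with no default_contexts line gets nothing; a real su or login additionally asks the kernel whether each candidate is reachable under the loaded policy.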

