* three problems about normal user login in strict policy
@ 2007-06-07 12:22 Ken YANG
  2007-06-07 13:34 ` Stephen Smalley
  0 siblings, 1 reply; 12+ messages in thread
From: Ken YANG @ 2007-06-07 12:22 UTC (permalink / raw)
  To: SELinux List



Hi all,

I studied Walsh's point about non-root X login; see details in the
following thread:

http://marc.info/?l=selinux&m=118050940823692&w=2

When I log in as a normal user (user_u), I have some questions:
(I'm on FC7 with the strict-mcs policy at svn version 2301)

1
When I log in as user_u, I find I cannot switch to staff_u through su,
but I notice that there is a corresponding line in the "default_contexts" file:

user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0

And in the policy, I found that the conditions for the su domain transition
have been satisfied, including the su_exec_t entrypoint and type_transition
rules; furthermore, I also meet the constraint conditions in
su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
domain_subj_id_change_exemption($1_su_t),
domain_obj_id_change_exemption($1_su_t), etc.

But I still cannot switch to staff_r:staff_t through su:

su -l staffuser

staffuser is another user; I associated it with staff_u:

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
staffuser                 staff_u                   s0
system_u                  system_u                  s0-s0:c0.c1023

Can anyone give me a hint? Thanks.


2
As mentioned above, if I use staffuser to log in, I can newrole to
sysadm_r, but this way is the same as a root login; I think this is
meaningless.

So how can I log in as a normal user (user_u) and switch to the sysadm
role when performing admin tasks?

3
I declared a user in the policy:

gen_user(ken, user, user_r, s0, s0)

"ken" is my Linux login user. I think that if the login program finds the
same SELinux user and Linux user identity, it will use "ken" in the
context for the initial shell process, but after I log in through tty2
and execute "id -Z", I found the user in my context was still user_u,
i.e. user_u:user_r:user_t:s0. Why?

Thanks in advance

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: three problems about normal user login in strict policy
  2007-06-07 12:22 three problems about normal user login in strict policy Ken YANG
@ 2007-06-07 13:34 ` Stephen Smalley
  2007-06-07 13:47   ` Christopher J. PeBenito
  0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2007-06-07 13:34 UTC (permalink / raw)
  To: Ken YANG; +Cc: SELinux List, Christopher J. PeBenito, Daniel J Walsh

On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> Hi all,
> 
> I studied Walsh's point about non-root X login; see details in the
> following thread:
> 
> http://marc.info/?l=selinux&m=118050940823692&w=2
> 
> When I log in as a normal user (user_u), I have some questions:
> (I'm on FC7 with the strict-mcs policy at svn version 2301)
> 
> 1
> When I log in as user_u, I find I cannot switch to staff_u through su,
> but I notice that there is a corresponding line in the "default_contexts" file:

The su / pam_selinux integration was reverted a while ago, so su no
longer changes contexts at all, just like in the original SELinux.  
Thus, the SELinux user identity is once again stable for the entire
session, and you have to use newrole to switch roles.  And user_r isn't
generally allowed to switch to staff_r; you need to map your Linux user
identity to staff_u via semanage.

> 
> user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
> 
> And in the policy, I found that the conditions for the su domain transition
> have been satisfied, including the su_exec_t entrypoint and type_transition
> rules; furthermore, I also meet the constraint conditions in
> su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
> domain_subj_id_change_exemption($1_su_t),
> domain_obj_id_change_exemption($1_su_t), etc.

Hmm...seems like those should be removed from policy (unless some distro
tunable is set for older fedora or rhel4), as su should no longer be
making such transitions.

> 
> But I still cannot switch to staff_r:staff_t through su:
> 
> su -l staffuser
> 
> staffuser is another user; I associated it with staff_u:
> 
> Login Name                SELinux User              MLS/MCS Range
> 
> __default__               user_u                    s0
> root                      root                      s0-s0:c0.c1023
> staffuser                 staff_u                   s0
> system_u                  system_u                  s0-s0:c0.c1023
> 
> Can anyone give me a hint? Thanks.
> 
> 
> 2
> As mentioned above, if I use staffuser to log in, I can newrole to
> sysadm_r, but this way is the same as a root login; I think this is
> meaningless.
> 
> So how can I log in as a normal user (user_u) and switch to the sysadm
> role when performing admin tasks?
> 
> 3
> I declared a user in the policy:
> 
> gen_user(ken, user, user_r, s0, s0)
> 
> "ken" is my Linux login user. I think that if the login program finds the
> same SELinux user and Linux user identity, it will use "ken" in the
> context for the initial shell process, but after I log in through tty2
> and execute "id -Z", I found the user in my context was still user_u,
> i.e. user_u:user_r:user_t:s0. Why?
> 
> Thanks in advance
-- 
Stephen Smalley
National Security Agency




* Re: three problems about normal user login in strict policy
  2007-06-07 13:34 ` Stephen Smalley
@ 2007-06-07 13:47   ` Christopher J. PeBenito
  2007-06-07 13:54     ` Stephen Smalley
  0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2007-06-07 13:47 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ken YANG, SELinux List, Daniel J Walsh

On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> > 
> > I studied Walsh's point about non-root X login; see details in the
> > following thread:
> > 
> > http://marc.info/?l=selinux&m=118050940823692&w=2
> > 
> > When I log in as a normal user (user_u), I have some questions:
> > (I'm on FC7 with the strict-mcs policy at svn version 2301)
> > 
> > 1
> > When I log in as user_u, I find I cannot switch to staff_u through su,
> > but I notice that there is a corresponding line in the "default_contexts" file:
> 
> The su / pam_selinux integration was reverted a while ago, so su no
> longer changes contexts at all, just like in the original SELinux.  
> Thus, the SELinux user identity is once again stable for the entire
> session, and you have to use newrole to switch roles.  And user_r isn't
> generally allowed to switch to staff_r; you need to map your Linux user
> identity to staff_u via semanage.
> 
> > 
> > user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
> > 
> > And in the policy, I found that the conditions for the su domain transition
> > have been satisfied, including the su_exec_t entrypoint and type_transition
> > rules; furthermore, I also meet the constraint conditions in
> > su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
> > domain_subj_id_change_exemption($1_su_t),
> > domain_obj_id_change_exemption($1_su_t), etc.
> 
> Hmm...seems like those should be removed from policy (unless some distro
> tunable is set for older fedora or rhel4), as su should no longer be
> making such transitions.

It's in a RHEL4 build option.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: three problems about normal user login in strict policy
  2007-06-07 13:47   ` Christopher J. PeBenito
@ 2007-06-07 13:54     ` Stephen Smalley
  2007-06-07 18:48       ` Christopher J. PeBenito
  0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2007-06-07 13:54 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Ken YANG, SELinux List, Daniel J Walsh

On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
> > On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> > > 
> > > I studied Walsh's point about non-root X login; see details in the
> > > following thread:
> > > 
> > > http://marc.info/?l=selinux&m=118050940823692&w=2
> > > 
> > > When I log in as a normal user (user_u), I have some questions:
> > > (I'm on FC7 with the strict-mcs policy at svn version 2301)
> > > 
> > > 1
> > > When I log in as user_u, I find I cannot switch to staff_u through su,
> > > but I notice that there is a corresponding line in the "default_contexts" file:
> > 
> > The su / pam_selinux integration was reverted a while ago, so su no
> > longer changes contexts at all, just like in the original SELinux.  
> > Thus, the SELinux user identity is once again stable for the entire
> > session, and you have to use newrole to switch roles.  And user_r isn't
> > generally allowed to switch to staff_r; you need to map your Linux user
> > identity to staff_u via semanage.
> > 
> > > 
> > > user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
> > > 
> > > And in the policy, I found that the conditions for the su domain transition
> > > have been satisfied, including the su_exec_t entrypoint and type_transition
> > > rules; furthermore, I also meet the constraint conditions in
> > > su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
> > > domain_subj_id_change_exemption($1_su_t),
> > > domain_obj_id_change_exemption($1_su_t), etc.
> > 
> > Hmm...seems like those should be removed from policy (unless some distro
> > tunable is set for older fedora or rhel4), as su should no longer be
> > making such transitions.
> 
> It's in a RHEL4 build option.

Hmmm...so why is it still showing up in F7 strict policy?

-- 
Stephen Smalley
National Security Agency




* Re: three problems about normal user login in strict policy
  2007-06-07 13:54     ` Stephen Smalley
@ 2007-06-07 18:48       ` Christopher J. PeBenito
  2007-06-13  2:32         ` Ken YANG
  2007-06-19  7:57         ` Ken YANG
  0 siblings, 2 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2007-06-07 18:48 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ken YANG, SELinux List, Daniel J Walsh

On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
> > On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
> > > On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> > > > 
> > > > I studied Walsh's point about non-root X login; see details in the
> > > > following thread:
> > > > 
> > > > http://marc.info/?l=selinux&m=118050940823692&w=2
> > > > 
> > > > When I log in as a normal user (user_u), I have some questions:
> > > > (I'm on FC7 with the strict-mcs policy at svn version 2301)
> > > > 
> > > > 1
> > > > When I log in as user_u, I find I cannot switch to staff_u through su,
> > > > but I notice that there is a corresponding line in the "default_contexts" file:
> > > 
> > > The su / pam_selinux integration was reverted a while ago, so su no
> > > longer changes contexts at all, just like in the original SELinux.  
> > > Thus, the SELinux user identity is once again stable for the entire
> > > session, and you have to use newrole to switch roles.  And user_r isn't
> > > generally allowed to switch to staff_r; you need to map your Linux user
> > > identity to staff_u via semanage.
> > > 
> > > > 
> > > > user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
> > > > 
> > > > And in the policy, I found that the conditions for the su domain transition
> > > > have been satisfied, including the su_exec_t entrypoint and type_transition
> > > > rules; furthermore, I also meet the constraint conditions in
> > > > su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
> > > > domain_subj_id_change_exemption($1_su_t),
> > > > domain_obj_id_change_exemption($1_su_t), etc.
> > > 
> > > Hmm...seems like those should be removed from policy (unless some distro
> > > tunable is set for older fedora or rhel4), as su should no longer be
> > > making such transitions.
> > 
> > It's in a RHEL4 build option.
> 
> Hmmm...so why is it still showing up in F7 strict policy?

He's just looking at the su.if header (hence the $1_su_t references),
which is just copied out of the refpolicy sources as is.  So it's in the
headers, but shouldn't be in the actual policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: three problems about normal user login in strict policy
  2007-06-07 18:48       ` Christopher J. PeBenito
@ 2007-06-13  2:32         ` Ken YANG
  2007-06-19  7:57         ` Ken YANG
  1 sibling, 0 replies; 12+ messages in thread
From: Ken YANG @ 2007-06-13  2:32 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Stephen Smalley, SELinux List, Daniel J Walsh



Thanks for all of your replies.

I am learning from Walsh's blog; I hope I can figure out all the points
about user management in SELinux through all of your replies,
Walsh's blog, the policy source, etc.

Anyway, thanks again.


Christopher J. PeBenito wrote:
> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>> I studied Walsh's point about non-root X login; see details in the
>>>>> following thread:
>>>>>
>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>
>>>>> When I log in as a normal user (user_u), I have some questions:
>>>>> (I'm on FC7 with the strict-mcs policy at svn version 2301)
>>>>>
>>>>> 1
>>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
>>>>> but I notice that there is a corresponding line in the "default_contexts" file:
>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>> longer changes contexts at all, just like in the original SELinux.  
>>>> Thus, the SELinux user identity is once again stable for the entire
>>>> session, and you have to use newrole to switch roles.  And user_r isn't
>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>> identity to staff_u via semanage.
>>>>
>>>>> user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
>>>>>
>>>>> And in the policy, I found that the conditions for the su domain transition
>>>>> have been satisfied, including the su_exec_t entrypoint and type_transition
>>>>> rules; furthermore, I also meet the constraint conditions in
>>>>> su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
>>>>> domain_subj_id_change_exemption($1_su_t),
>>>>> domain_obj_id_change_exemption($1_su_t), etc.
>>>> Hmm...seems like those should be removed from policy (unless some distro
>>>> tunable is set for older fedora or rhel4), as su should no longer be
>>>> making such transitions.
>>> It's in a RHEL4 build option.
>> Hmmm...so why is it still showing up in F7 strict policy?
> 
> He's just looking at the su.if header (hence the $1_su_t references),
> which is just copied out of the refpolicy sources as is.  So it's in the
> headers, but shouldn't be in the actual policy.
> 




* Re: three problems about normal user login in strict policy
  2007-06-07 18:48       ` Christopher J. PeBenito
  2007-06-13  2:32         ` Ken YANG
@ 2007-06-19  7:57         ` Ken YANG
  2007-06-19 11:51           ` Stephen Smalley
  1 sibling, 1 reply; 12+ messages in thread
From: Ken YANG @ 2007-06-19  7:57 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Stephen Smalley, SELinux List, Daniel J Walsh


Christopher J. PeBenito wrote:
> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>> I studied Walsh's point about non-root X login; see details in the
>>>>> following thread:
>>>>>
>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>
>>>>> When I log in as a normal user (user_u), I have some questions:
>>>>> (I'm on FC7 with the strict-mcs policy at svn version 2301)
>>>>>
>>>>> 1
>>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
>>>>> but I notice that there is a corresponding line in the "default_contexts" file:
>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>> longer changes contexts at all, just like in the original SELinux.  
>>>> Thus, the SELinux user identity is once again stable for the entire
>>>> session, and you have to use newrole to switch roles.  And user_r isn't
>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>> identity to staff_u via semanage.

Sorry for replying so late. I just covered Walsh's blog and reviewed
some points about SELinux users, but I still have 2 questions:

Now that su/pam_selinux will not change the SELinux user id, and user_r
cannot switch to staff_r, what is the function of the
"user_r:user_su_t:s0 staff_r:staff_t:s0..." line in "default_contexts",
and where is it used?

Another question is:

I declared a user in the policy:

gen_user(ken, user, user_r, s0, s0)

"ken" is my Linux login user. I think that if the login program finds the
same SELinux user and Linux user identity, it will use "ken" in the
context for the initial shell process, but after I log in through tty2
and execute "id -Z", I found the user in my context was still user_u,
i.e. user_u:user_r:user_t:s0.

Is there something I am missing?

>>>>
>>>>> user_r:user_su_t:s0     staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
>>>>>
>>>>> And in the policy, I found that the conditions for the su domain transition
>>>>> have been satisfied, including the su_exec_t entrypoint and type_transition
>>>>> rules; furthermore, I also meet the constraint conditions in
>>>>> su_per_role_template(), e.g. domain_role_change_exemption($1_su_t),
>>>>> domain_subj_id_change_exemption($1_su_t),
>>>>> domain_obj_id_change_exemption($1_su_t), etc.
>>>> Hmm...seems like those should be removed from policy (unless some distro
>>>> tunable is set for older fedora or rhel4), as su should no longer be
>>>> making such transitions.
>>> It's in a RHEL4 build option.
>> Hmmm...so why is it still showing up in F7 strict policy?
> 
> He's just looking at the su.if header (hence the $1_su_t references),
> which is just copied out of the refpolicy sources as is.  So it's in the
> headers, but shouldn't be in the actual policy.

Sorry for omitting this point; I deliberately included these calls for
testing, which will not be in the actual policy.

> 




* Re: three problems about normal user login in strict policy
  2007-06-19  7:57         ` Ken YANG
@ 2007-06-19 11:51           ` Stephen Smalley
  2007-06-19 12:09             ` Christopher J. PeBenito
  2007-06-20  6:18             ` Ken YANG
  0 siblings, 2 replies; 12+ messages in thread
From: Stephen Smalley @ 2007-06-19 11:51 UTC (permalink / raw)
  To: Ken YANG; +Cc: Christopher J. PeBenito, SELinux List, Daniel J Walsh

On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
> >> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
> >>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
> >>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> >>>>> I studied Walsh's point about non-root X login; see details in the
> >>>>> following thread:
> >>>>>
> >>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
> >>>>>
> >>>>> When I log in as a normal user (user_u), I have some questions:
> >>>>> (I'm on FC7 with the strict-mcs policy at svn version 2301)
> >>>>>
> >>>>> 1
> >>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
> >>>>> but I notice that there is a corresponding line in the "default_contexts" file:
> >>>> The su / pam_selinux integration was reverted a while ago, so su no
> >>>> longer changes contexts at all, just like in the original SELinux.  
> >>>> Thus, the SELinux user identity is once again stable for the entire
> >>>> session, and you have to use newrole to switch roles.  And user_r isn't
> >>>> generally allowed to switch to staff_r; you need to map your Linux user
> >>>> identity to staff_u via semanage.
> 
> Sorry for replying so late. I just covered Walsh's blog and reviewed
> some points about SELinux users, but I still have 2 questions:
> 
> Now that su/pam_selinux will not change the SELinux user id, and user_r
> cannot switch to staff_r, what is the function of the
> "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in "default_contexts",
> and where is it used?

They are obsolete and can be removed, unless they are just being left
for compatibility in case someone wants to re-insert pam_selinux
into /etc/pam.d/su.

> Another question is:
> 
> I declared a user in the policy:
> 
> gen_user(ken, user, user_r, s0, s0)

Unnecessary - you should be mapping Linux usernames to SELinux users via
semanage login.  The mapping is then stored
in /etc/selinux/$SELINUXTYPE/seusers.  It is not necessary anymore to
add the Linux usernames to the kernel policy; you can just map them to
SELinux users already defined in the kernel policy, where those SELinux
users are generic ways of identifying authorized role sets.

> "ken" is my Linux login user. I think that if the login program finds the
> same SELinux user and Linux user identity, it will use "ken" in the
> context for the initial shell process, but after I log in through tty2
> and execute "id -Z", I found the user in my context was still user_u,
> i.e. user_u:user_r:user_t:s0.
> 
> Is there something I am missing?

Yes, seusers.

-- 
Stephen Smalley
National Security Agency



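The two lookups Stephen describes (Linux login name to SELinux user through seusers, then the initial role:type from default_contexts, with su no longer involved), modelled as an added Python example that is not part of this thread or of libselinux. The seusers table mirrors the `semanage login -l` output posted above; the default_contexts fragment, the authorized-roles table and the login-program contexts are constructed stand-ins for what the policy and the login programs would supply, and libselinux's real algorithm has further steps (per-user ~/.default_contexts, security_compute_user) that are left out.

```python
# Added example, not from the thread: a simplified model of how a login
# session's initial SELinux context is chosen.  Step 1: the Linux login is
# mapped to a SELinux user through seusers (falling back to __default__).
# Step 2: the role:type of the initial shell is taken from default_contexts,
# keyed by the *login program's* context and restricted to roles the SELinux
# user is authorized for.  The policy's answer to "which roles may this user
# take" is a constructed table here.

# Constructed seusers, matching the `semanage login -l` table in the thread.
SEUSERS = """\
# login:seuser:mls_range
__default__:user_u:s0
root:root:s0-s0:c0.c1023
staffuser:staff_u:s0
system_u:system_u:s0-s0:c0.c1023
"""

# Constructed default_contexts fragment.  Each line: the login program's
# role:type:range, then candidate role:type:range entries in preference order.
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0        staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
"""

# Constructed stand-in for the kernel policy's user -> authorized roles
# (user_u is confined to user_r; staff_u may newrole to sysadm_r).
AUTHORIZED_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r", "system_r"},
    "system_u": {"system_r"},
}


def parse_seusers(text):
    """Parse seusers lines of the form login:seuser:range into a dict."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The MLS range may itself contain ':' (s0-s0:c0.c1023): split at most twice.
        login, seuser, mls = line.split(":", 2)
        mapping[login] = (seuser, mls)
    return mapping


def resolve_seuser(mapping, login):
    """Return (seuser, range) for a Linux login, falling back to __default__."""
    if login in mapping:
        return mapping[login]
    return mapping["__default__"]


def parse_default_contexts(text):
    """Map each source role:type:range to its ordered candidate contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[fields[0]] = fields[1:]
    return table


def initial_context(login, login_program_context, seusers_text=SEUSERS,
                    default_contexts_text=DEFAULT_CONTEXTS, roles=AUTHORIZED_ROLES):
    """Return user:role:type:range for the initial shell, or None when no
    candidate in default_contexts is permitted for the mapped SELinux user."""
    seuser, mls = resolve_seuser(parse_seusers(seusers_text), login)
    # default_contexts is keyed without the user field of the login program's context.
    source_key = login_program_context.split(":", 1)[1]
    for candidate in parse_default_contexts(default_contexts_text).get(source_key, []):
        role, type_, _range = candidate.split(":", 2)
        if role in roles.get(seuser, set()):
            # The MLS range comes from the seusers entry, not from the candidate.
            return f"{seuser}:{role}:{type_}:{mls}"
    return None


if __name__ == "__main__":
    login_t = "system_u:system_r:local_login_t:s0"
    # "ken" has no seusers entry, so __default__ applies and id -Z shows user_u.
    print(initial_context("ken", login_t))                        # user_u:user_r:user_t:s0
    # The su line is only consulted if su runs with pam_selinux; even then
    # user_u is not authorized for staff_r, so the SELinux user never changes.
    print(initial_context("ken", "user_u:user_r:user_su_t:s0"))   # user_u:user_r:user_t:s0
    # The seusers entry that `semanage login -a -s staff_u ken` would add.
    print(initial_context("ken", login_t, seusers_text=SEUSERS + "ken:staff_u:s0\n"))
```

The last call simulates the seusers entry that `semanage login -a -s staff_u ken` writes, which is the mapping Stephen points Ken to instead of the gen_user() declaration.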

* Re: three problems about normal user login in strict policy
  2007-06-19 11:51           ` Stephen Smalley
@ 2007-06-19 12:09             ` Christopher J. PeBenito
  2007-06-20  6:18             ` Ken YANG
  1 sibling, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2007-06-19 12:09 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ken YANG, SELinux List, Daniel J Walsh

On Tue, 2007-06-19 at 07:51 -0400, Stephen Smalley wrote:
> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
> > Christopher J. PeBenito wrote:
> > > On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
> > >> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
> > >>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
> > >>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
> > >>>>> I studied Walsh's point about non-root X login; see details in the
> > >>>>> following thread:
> > >>>>>
> > >>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
> > >>>>>
> > >>>>> When I log in as a normal user (user_u), I have some questions:
> > >>>>> (I'm on FC7 with the strict-mcs policy at svn version 2301)
> > >>>>>
> > >>>>> 1
> > >>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
> > >>>>> but I notice that there is a corresponding line in the "default_contexts" file:
> > >>>> The su / pam_selinux integration was reverted a while ago, so su no
> > >>>> longer changes contexts at all, just like in the original SELinux.  
> > >>>> Thus, the SELinux user identity is once again stable for the entire
> > >>>> session, and you have to use newrole to switch roles.  And user_r isn't
> > >>>> generally allowed to switch to staff_r; you need to map your Linux user
> > >>>> identity to staff_u via semanage.
> > 
> > Sorry for replying so late. I just covered Walsh's blog and reviewed
> > some points about SELinux users, but I still have 2 questions:
> > 
> > Now that su/pam_selinux will not change the SELinux user id, and user_r
> > cannot switch to staff_r, what is the function of the
> > "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in "default_contexts",
> > and where is it used?
> 
> They are obsolete and can be removed, unless they are just being left
> for compatibility in case someone wants to re-insert pam_selinux
> into /etc/pam.d/su.

They remain for RHEL4 support.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: three problems about normal user login in strict policy
  2007-06-19 11:51           ` Stephen Smalley
  2007-06-19 12:09             ` Christopher J. PeBenito
@ 2007-06-20  6:18             ` Ken YANG
  2007-06-20 10:37               ` Daniel J Walsh
  1 sibling, 1 reply; 12+ messages in thread
From: Ken YANG @ 2007-06-20  6:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Christopher J. PeBenito, SELinux List, Daniel J Walsh


Stephen Smalley wrote:
> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
>> Christopher J. PeBenito wrote:
>>> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>>>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>>>> I studied Walsh's point about non-root X login; see details in the
>>>>>>> following thread:
>>>>>>>
>>>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>>>
>>>>>>> When I log in as a normal user (user_u), I have some questions:
>>>>>>> (I'm on FC7 with the strict-mcs policy at svn version 2301)
>>>>>>>
>>>>>>> 1
>>>>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
>>>>>>> but I notice that there is a corresponding line in the "default_contexts" file:
>>>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>>>> longer changes contexts at all, just like in the original SELinux.  
>>>>>> Thus, the SELinux user identity is once again stable for the entire
>>>>>> session, and you have to use newrole to switch roles.  And user_r isn't
>>>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>>>> identity to staff_u via semanage.
>> Sorry for replying so late. I just covered Walsh's blog and reviewed
>> some points about SELinux users, but I still have 2 questions:
>>
>> Now that su/pam_selinux will not change the SELinux user id, and user_r
>> cannot switch to staff_r, what is the function of the
>> "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in "default_contexts",
>> and where is it used?
> 
> They are obsolete and can be removed, unless they are just being left
> for compatibility in case someone wants to re-insert pam_selinux
> into /etc/pam.d/su.

Thanks, Smalley and PeBenito.

BTW, as you know, I am not a native English speaker and know little about
English culture, so I'm not sure whether it is appropriate to address you
by your first name directly. If it's impolite, please correct me.


> 
>> Another question is:
>>
>> I declared a user in the policy:
>>
>> gen_user(ken, user, user_r, s0, s0)
> 
> Unnecessary - you should be mapping Linux usernames to SELinux users via
> semanage login.  The mapping is then stored
> in /etc/selinux/$SELINUXTYPE/seusers.  It is not necessary anymore to
> add the Linux usernames to the kernel policy; you can just map them to
> SELinux users already defined in the kernel policy, where those SELinux
> users are generic ways of identifying authorized role sets.

I understand what you mean. Originally, I wanted to validate my guess,
but as you said, it is unnecessary. Anyway, thanks.

> 
>> "ken" is my Linux login user. I think that if the login program finds the
>> same SELinux user and Linux user identity, it will use "ken" in the
>> context for the initial shell process, but after I log in through tty2
>> and execute "id -Z", I found the user in my context was still user_u,
>> i.e. user_u:user_r:user_t:s0.
>>
>> Is there something I am missing?
> 
> Yes, seusers.
> 




* Re: three problems about normal user login in strict policy
  2007-06-20  6:18             ` Ken YANG
@ 2007-06-20 10:37               ` Daniel J Walsh
  2007-06-20 11:40                 ` Ken YANG
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2007-06-20 10:37 UTC (permalink / raw)
  To: Ken YANG; +Cc: Stephen Smalley, Christopher J. PeBenito, SELinux List


Ken YANG wrote:
> Stephen Smalley wrote:
>   
>> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
>>     
>>> Christopher J. PeBenito wrote:
>>>       
>>>> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>>>>         
>>>>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>>>>           
>>>>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>>>>             
>>>>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>>>>               
>>>>>>>> i studied the point from walsh about non-root X login,
>>>>>>>> see details in following thread:
>>>>>>>>
>>>>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>>>>
>>>>>>>> when i login with normal user(user_u), i have some questions:
>>>>>>>> (i'm in fc7 with strict-mcs policy at svn version 2301)
>>>>>>>>
>>>>>>>> 1
>>>>>>>> when i login as user_u, i find i can not switch to staff_u through su,
>>>>>>>> but i notice that there is corresponding line in "default_contexts" file:
>>>>>>>>                 
>>>>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>>>>> longer changes contexts at all, just like in the original SELinux.  
>>>>>>> Thus, the SELinux user identity is once again stable for the entire
>>>>>>> session, and you have to use newrole to switch roles.  And user_r isn't
>>>>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>>>>> identity to staff_u via semanage.
>>>>>>>               
>>> sorry for reply so late, i just covered walsh's blog, and
>>> reviewed some points about selinux user, but i still had 2
>>> questions:
>>>
>>> now that su/pam_selinux will not change selinux user id,
>>> and user_r cannot switch to staff_r, what is the function
>>> of "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in
>>> "default_context", and where is it used?
>>>       
>> They are obsolete and can be removed, unless they are just being left
>> for compatibility in case someone wants to re-insert pam_selinux
>> into /etc/pam.d/su.
>>     
>
> thanks, smalley and pebenito.
>
> BTW, as you know, i am not a native English speaker, and know little about
> english culture, so i'm not sure whether it is appropriate to call you by your
> first name directly. if it is impolite, please correct me
>
>   
First names are fine.
>   
>>> another question is:
>>>
>>> i declared a user in policy:
>>>
>>> gen_user(ken, user, user_r, s0, s0)
>>>       
>> Unnecessary - you should be mapping Linux usernames to SELinux users via
>> semanage login.  The mapping is then stored
>> in /etc/selinux/$SELINUXTYPE/seusers.  It is not necessary anymore to
>> add the Linux usernames to the kernel policy; you can just map them to
>> SELinux users already defined in the kernel policy, where those SELinux
>> users are generic ways of identifying authorized role sets.
>>     
>
> i understand what you mean, originally, i want to validate my guess,
> but as you said, it is unnecessary. anyway, thanks
>
>   
>>> "ken" is my linux login user, i think if login program find the
>>> same SELinux user and linux user identity, it will use the "ken"
>>> in the context for the initial shell process, but after i login
>>> through tty2, and execute "id -Z", i found my user in context
>>> was still user_u, i.e. user_u:user_r:user_t:s0.
>>>
>>> is there something i am missing?
>>>       
>> Yes, seusers.
>>
>>     
>
>   




* Re: three problems about normal user login in strict policy
  2007-06-20 10:37               ` Daniel J Walsh
@ 2007-06-20 11:40                 ` Ken YANG
  0 siblings, 0 replies; 12+ messages in thread
From: Ken YANG @ 2007-06-20 11:40 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, Christopher J. PeBenito, SELinux List


Daniel J Walsh wrote:
> Ken YANG wrote:
>> Stephen Smalley wrote:
>>  
>>> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
>>>    
>>>> Christopher J. PeBenito wrote:
>>>>      
>>>>> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>>>>>        
>>>>>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>>>>>          
>>>>>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>>>>>            
>>>>>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>>>>>              
>>>>>>>>> i studied the point from walsh about non-root X login,
>>>>>>>>> see details in following thread:
>>>>>>>>>
>>>>>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>>>>>
>>>>>>>>> when i login with normal user(user_u), i have some questions:
>>>>>>>>> (i'm in fc7 with strict-mcs policy at svn version 2301)
>>>>>>>>>
>>>>>>>>> 1
>>>>>>>>> when i login as user_u, i find i can not switch to staff_u
>>>>>>>>> through su,
>>>>>>>>> but i notice that there is corresponding line in
>>>>>>>>> "default_contexts" file:
>>>>>>>>>                 
>>>>>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>>>>>> longer changes contexts at all, just like in the original
>>>>>>>> SELinux.  Thus, the SELinux user identity is once again stable
>>>>>>>> for the entire
>>>>>>>> session, and you have to use newrole to switch roles.  And
>>>>>>>> user_r isn't
>>>>>>>> generally allowed to switch to staff_r; you need to map your
>>>>>>>> Linux user
>>>>>>>> identity to staff_u via semanage.
>>>>>>>>               
>>>> sorry for reply so late, i just covered walsh's blog, and
>>>> reviewed some points about selinux user, but i still had 2
>>>> questions:
>>>>
>>>> now that su/pam_selinux will not change selinux user id,
>>>> and user_r cannot switch to staff_r, what is the function
>>>> of "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in
>>>> "default_context", and where is it used?
>>>>       
>>> They are obsolete and can be removed, unless they are just being left
>>> for compatibility in case someone wants to re-insert pam_selinux
>>> into /etc/pam.d/su.
>>>     
>>
>> thanks, smalley and pebenito.
>>
>> BTW, as you know, i am not a native English speaker, and know little about
>> english culture, so i'm not sure whether it is appropriate to call you by your
>> first name directly. if it is impolite, please correct me
>>
>>   
> First names are fine.

thanks.

at first, i thought i should call you by your first name, because foreign
friends in our country often call me by my first name (ken).

but many people call the president of the US "bush" (as far as i know,
bush is his last name), and when i am watching the NBA, you call
"Ming YAO" just YAO (Ming YAO is a chinese basketball player,
YAO is his last name), so i changed to calling you by your last name,
but i am afraid i will offend some people if i use the
wrong name.

anyway, i know this isn't the appropriate place to discuss this topic.
thanks

BTW, walsh, your blog is fantastic, i subscribed to your blog and
learn a lot from it.


