Christopher J. PeBenito wrote: > On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote: >> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote: >>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote: >>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote: >>>>> i studied the point from walsh about non-root X login, >>>>> see details in following thread: >>>>> >>>>> http://marc.info/?l=selinux&m=118050940823692&w=2 >>>>> >>>>> when i login with normal user(user_u), i have some questions: >>>>> (i'm in fc7 with strict-mcs policy at svn version 2301) >>>>> >>>>> 1 >>>>> when i login as user_u, i find i can not switch to staff_u through su, >>>>> but i notice that there is corresponding line in "default_contexts" file: >>>> The su / pam_selinux integration was reverted a while ago, so su no >>>> longer changes contexts at all, just like in the original SELinux. >>>> Thus, the SELinux user identity is once again stable for the entire >>>> session, and you have to use newrole to switch roles. And user_r isn't >>>> generally allowed to switch to staff_r; you need to map your Linux user >>>> identity to staff_u via semanage. sorry for reply so late, i just covered walsh's blog, and reviewed some points about selinux user, but i still had 2 questions: now that su/pam_selinux will not change selinux user id, and user_r cannt switch to staff_r, what is the function of "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in "default_context", and where is it used? another question is: i declared a user in policy: gen_user(ken, user, user_r, s0, s0) "ken" is my linux login user, i think if login program find the same SELinux user and linux user identity, it will use the "ken" in the context for the initial shell process, but after i login through tty2, and execute "id -Z", i found my user in context was still user_u, i.e. user_u:user_r:user_t:s0. is there something i missing? >>>> >>>>> user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 >>>>> sysadm_r:sysadm_t:s0 >>>>> >>>>> and in the policy, i found the condition of su domain transition have >>>>> satisfied, including su_exec_t entrypoint and type_transition rules, >>>>> furthermore, i also meet the constrain conditon in >>>>> su_per_role_template(), e.g. domain_role_change_exemption($1_su_t), >>>>> domain_subj_id_change_exemption($1_su_t), >>>>> domain_obj_id_change_exemption($1_su_t), and etc. >>>> Hmm...seems like those should be removed from policy (unless some distro >>>> tunable is set for older fedora or rhel4), as su should no longer be >>>> making such transitions. >>> Its in a rhel4 build option. >> Hmmm...so why is it still showing up in F7 strict policy? > > He's just looking at the su.if header (hence the $1_su_t references), > which is just copied out of the refpolicy sources as is. So its in the > headers, but shouldn't be in the actual policy. sorry for omitting this point, i deliberately include these calls for testing, which will not be in the actual policy. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.