From: Daniel J Walsh <dwalsh@redhat.com>
To: Ken YANG <spng.yang@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
SELinux List <selinux@tycho.nsa.gov>
Subject: Re: three problems about normal user login in strict policy
Date: Wed, 20 Jun 2007 06:37:47 -0400
Message-ID: <4679037B.7090908@redhat.com>
In-Reply-To: <4678C6A4.4070306@gmail.com>
Ken YANG wrote:
> Stephen Smalley wrote:
>
>> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
>>
>>> Christopher J. PeBenito wrote:
>>>
>>>> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>>>>
>>>>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>>>>
>>>>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>>>>
>>>>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>>>>
>>>>>>>> I studied the point from Walsh about non-root X login,
>>>>>>>> see details in the following thread:
>>>>>>>>
>>>>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>>>>
>>>>>>>> when I log in with a normal user (user_u), I have some questions:
>>>>>>>> (I'm in FC7 with the strict-mcs policy at svn version 2301)
>>>>>>>>
>>>>>>>> 1
>>>>>>>> when I log in as user_u, I find I cannot switch to staff_u through su,
>>>>>>>> but I notice that there is a corresponding line in the "default_contexts" file:
>>>>>>>>
>>>>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>>>>> longer changes contexts at all, just like in the original SELinux.
>>>>>>> Thus, the SELinux user identity is once again stable for the entire
>>>>>>> session, and you have to use newrole to switch roles. And user_r isn't
>>>>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>>>>> identity to staff_u via semanage.
>>>>>>>
>>> sorry for replying so late, I just covered Walsh's blog and
>>> reviewed some points about SELinux users, but I still have 2
>>> questions:
>>>
>>> now that su/pam_selinux will not change the SELinux user id,
>>> and user_r can't switch to staff_r, what is the function
>>> of the "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in
>>> "default_context", and where is it used?
>>>
>> They are obsolete and can be removed, unless they are just being left
>> for compatibility in case someone wants to re-insert pam_selinux
>> into /etc/pam.d/su.
>>
>
> thanks, Smalley and PeBenito.
>
> BTW, as you know, I am not a native English speaker and know little about
> English culture, so I'm not sure whether it is appropriate to call you by
> your first name directly. If it is impolite, please correct me.
>
>
First names are fine.
>
>>> another question is:
>>>
>>> I declared a user in the policy:
>>>
>>> gen_user(ken, user, user_r, s0, s0)
>>>
>> Unnecessary - you should be mapping Linux usernames to SELinux users via
>> semanage login. The mapping is then stored
>> in /etc/selinux/$SELINUXTYPE/seusers. It is not necessary anymore to
>> add the Linux usernames to the kernel policy; you can just map them to
>> SELinux users already defined in the kernel policy, where those SELinux
>> users are generic ways of identifying authorized role sets.
>>
>
> I understand what you mean. Originally, I wanted to validate my guess,
> but as you said, it is unnecessary. Anyway, thanks.
>
>
>>> "ken" is my Linux login user. I think if the login program finds the
>>> same SELinux user and Linux user identity, it will use "ken"
>>> in the context for the initial shell process, but after I logged in
>>> through tty2 and executed "id -Z", I found my user in the context
>>> was still user_u, i.e. user_u:user_r:user_t:s0.
>>>
>>> is there something I'm missing?
>>>
>> Yes, seusers.
>>
>>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
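The seusers lookup Stephen describes (Linux login mapped to an SELinux user in /etc/selinux/$SELINUXTYPE/seusers, with __default__ as the fallback that left Ken as user_u) as an added example, not code from the thread or from libselinux: a POSIX shell re-implementation of the exact-login-then-__default__ resolution, run over a constructed seusers file before and after a `semanage login -a -s staff_u -r s0 ken` mapping. The file contents and the login name are constructed; %group entries supported by later libselinux versions are not handled.

```shell
#!/bin/sh
# Added example: resolve a Linux login to "seuser:range" the way login
# programs do through libselinux, by reading a seusers file whose lines are
# login:seuser:mls_range (the range itself may contain ':'); '#' starts a
# comment. Exact login wins; otherwise the __default__ entry applies.
# Assumption: %group lookups (later libselinux) are deliberately omitted.

resolve_seuser() {
    # $1 = Linux login name, $2 = path to a seusers file
    login=$1; file=$2
    match=""; default=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        name=${line%%:*}      # first field only
        rest=${line#*:}       # seuser:range, colons in range preserved
        if [ "$name" = "$login" ]; then
            match=$rest
        elif [ "$name" = "__default__" ]; then
            default=$rest
        fi
    done < "$file"
    if [ -n "$match" ]; then printf '%s\n' "$match"
    elif [ -n "$default" ]; then printf '%s\n' "$default"
    else return 1; fi
}

# Constructed seusers file for a strict-mcs box where "ken" has no explicit
# mapping yet, so login falls through to __default__ and gets user_u.
SEUSERS_BEFORE=$(mktemp)
cat > "$SEUSERS_BEFORE" <<'EOF'
# Login Name : SELinux User : MLS/MCS Range
system_u:system_u:s0-s0:c0.c1023
root:root:s0-s0:c0.c1023
__default__:user_u:s0
EOF

# Constructed view of the same file after: semanage login -a -s staff_u -r s0 ken
SEUSERS_AFTER=$(mktemp)
cat > "$SEUSERS_AFTER" <<'EOF'
system_u:system_u:s0-s0:c0.c1023
root:root:s0-s0:c0.c1023
ken:staff_u:s0
__default__:user_u:s0
EOF

echo "before: $(resolve_seuser ken "$SEUSERS_BEFORE")"   # user_u:s0
echo "after:  $(resolve_seuser ken "$SEUSERS_AFTER")"    # staff_u:s0
```

On a real system the same check is `semanage login -l` followed by a fresh login and `id -Z`; without the mapping the shell context stays user_u:user_r:user_t:s0 exactly as Ken observed.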
Thread overview: 12+ messages
2007-06-07 12:22 three problems about normal user login in strict policy Ken YANG
2007-06-07 13:34 ` Stephen Smalley
2007-06-07 13:47 ` Christopher J. PeBenito
2007-06-07 13:54 ` Stephen Smalley
2007-06-07 18:48 ` Christopher J. PeBenito
2007-06-13 2:32 ` Ken YANG
2007-06-19 7:57 ` Ken YANG
2007-06-19 11:51 ` Stephen Smalley
2007-06-19 12:09 ` Christopher J. PeBenito
2007-06-20 6:18 ` Ken YANG
2007-06-20 10:37 ` Daniel J Walsh [this message]
2007-06-20 11:40 ` Ken YANG