Ken YANG wrote:
> Stephen Smalley wrote:
>
>> On Tue, 2007-06-19 at 15:57 +0800, Ken YANG wrote:
>>
>>> Christopher J. PeBenito wrote:
>>>
>>>> On Thu, 2007-06-07 at 09:54 -0400, Stephen Smalley wrote:
>>>>
>>>>> On Thu, 2007-06-07 at 13:47 +0000, Christopher J. PeBenito wrote:
>>>>>
>>>>>> On Thu, 2007-06-07 at 09:34 -0400, Stephen Smalley wrote:
>>>>>>
>>>>>>> On Thu, 2007-06-07 at 20:22 +0800, Ken YANG wrote:
>>>>>>>
>>>>>>>> I studied the point from Walsh about non-root X login,
>>>>>>>> see details in the following thread:
>>>>>>>>
>>>>>>>> http://marc.info/?l=selinux&m=118050940823692&w=2
>>>>>>>>
>>>>>>>> When I log in as a normal user (user_u), I have some questions:
>>>>>>>> (I'm on fc7 with the strict-mcs policy at svn version 2301)
>>>>>>>>
>>>>>>>> 1.
>>>>>>>> When I log in as user_u, I find I cannot switch to staff_u through su,
>>>>>>>> but I notice that there is a corresponding line in the "default_contexts" file:
>>>>>>>>
>>>>>>> The su / pam_selinux integration was reverted a while ago, so su no
>>>>>>> longer changes contexts at all, just like in the original SELinux.
>>>>>>> Thus, the SELinux user identity is once again stable for the entire
>>>>>>> session, and you have to use newrole to switch roles. And user_r isn't
>>>>>>> generally allowed to switch to staff_r; you need to map your Linux user
>>>>>>> identity to staff_u via semanage.
>>>>>>>
>>> Sorry for replying so late. I just covered Walsh's blog and
>>> reviewed some points about SELinux users, but I still have 2
>>> questions:
>>>
>>> Now that su/pam_selinux will not change the SELinux user id,
>>> and user_r can't switch to staff_r, what is the function
>>> of the "user_r:user_su_t:s0 staff_r:staff_t:s0..." line in
>>> "default_contexts", and where is it used?
>>>
>> They are obsolete and can be removed, unless they are just being left
>> for compatibility in case someone wants to re-insert pam_selinux
>> into /etc/pam.d/su.
>>
>
> Thanks, Smalley and PeBenito.
>
> BTW, as you know, I am not a native English speaker and know little about
> English culture, so I'm not sure whether it is appropriate to call you by your
> first name directly. If it is impolite, please correct me.
>

First names are fine.

>
>>> Another question is:
>>>
>>> I declared a user in policy:
>>>
>>> gen_user(ken, user, user_r, s0, s0)
>>>
>> Unnecessary - you should be mapping Linux usernames to SELinux users via
>> semanage login. The mapping is then stored
>> in /etc/selinux/$SELINUXTYPE/seusers. It is not necessary anymore to
>> add the Linux usernames to the kernel policy; you can just map them to
>> SELinux users already defined in the kernel policy, where those SELinux
>> users are generic ways of identifying authorized role sets.
>>
>
> I understand what you mean. Originally I wanted to validate my guess,
> but as you said, it is unnecessary. Anyway, thanks.
>
>
>>> "ken" is my Linux login user. I think if the login program finds the
>>> same SELinux user and Linux user identity, it will use "ken"
>>> in the context for the initial shell process, but after I log in
>>> through tty2 and execute "id -Z", I find the user in my context
>>> is still user_u, i.e. user_u:user_r:user_t:s0.
>>>
>>> Is there something I am missing?
>>>
>> Yes, seusers.
>>
>>
>
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
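The seusers lookup Stephen points at (Linux login name mapped to an SELinux user, with a `__default__` fallback, which is why "ken" lands in user_u when no entry exists) as an added shell example that is not part of this thread. The seusers content below is constructed; the `login:seuser:range` line format and the `semanage login` command are the real ones, the `resolve_seuser` helper is an assumption of this example.

```shell
#!/bin/sh
# Resolve which SELinux user and MLS range a Linux login maps to, following
# the seusers lookup order: an exact login entry first, then "__default__".
# Real file: /etc/selinux/$SELINUXTYPE/seusers, maintained with e.g.
#   semanage login -a -s staff_u -r s0-s0:c0.c1023 ken
# The sample below is constructed so the script runs offline.
SEUSERS_SAMPLE='# constructed sample seusers, not copied from any system
system_u:system_u:s0-s0:c0.c1023
root:root:s0-s0:c0.c1023
ken:staff_u:s0-s0:c0.c1023
__default__:user_u:s0
'

# resolve_seuser LOGIN [FILE]
# Prints "<seuser> <range>" for LOGIN; returns 1 if neither LOGIN nor
# __default__ is present (a login program would then refuse the mapping).
resolve_seuser() {
    login=$1
    file=${2:-}
    if [ -n "$file" ]; then
        data=$(cat "$file")
    else
        data=$SEUSERS_SAMPLE
    fi
    for key in "$login" __default__; do
        # skip comments; first matching line wins, like libselinux does
        line=$(printf '%s\n' "$data" | grep -v '^#' | grep "^$key:" | head -n 1)
        if [ -n "$line" ]; then
            seuser=$(printf '%s' "$line" | cut -d: -f2)
            # the range itself contains ':' (s0-s0:c0.c1023), so take field 3 onward
            range=$(printf '%s' "$line" | cut -d: -f3-)
            printf '%s %s\n' "$seuser" "$range"
            return 0
        fi
    done
    return 1
}

# Example: "ken" has an explicit staff_u entry; "alice" falls back to user_u.
resolve_seuser ken
resolve_seuser alice
```

Run it against a real box with `resolve_seuser "$USER" /etc/selinux/targeted/seusers` and compare with `id -Z`; a user who shows up as user_u despite a gen_user() in policy has no seusers entry, exactly the symptom in the thread.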