* SELinux user root
From: Stefan Schulze Frielinghaus @ 2007-07-08 8:35 UTC (permalink / raw)
To: SELinux List
As the RHEL4 manual (http://www.redhat.com/docs/manuals/
enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0038.html)
says, the SELinux user root exists only for legacy reasons:
# root is retained as a separate user identity simply as a
# compatibility measure with the "strict" policy. It could
# be dropped and mapped to user_u but this allows existing
# file contexts that have "root" as the user identity to
# remain valid.
user root roles { user_r sysadm_r system_r };
But if I try to modify the login context of root to use user_u I get
the following error:
$ semanage login -m -s user_u root
libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix user root exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-s15:c0.c1023)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not modify login mapping for root
I'm not really sure how to interpret this message. I would guess
it's because user_u has only a valid MLS range SystemLow and root has
a SystemLow-SystemHigh range. But why could this be a problem?
The system I'm testing this on is a CentOS5 with an MLS policy installed.
cheers,
Stefan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SELinux user root
From: Stephen Smalley @ 2007-07-09 18:07 UTC (permalink / raw)
To: Stefan Schulze Frielinghaus; +Cc: SELinux List
On Sun, 2007-07-08 at 10:35 +0200, Stefan Schulze Frielinghaus wrote:
> As the RHEL4 manual (http://www.redhat.com/docs/manuals/
> enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0038.html)
> says, the SELinux user root exists only for legacy reasons:
>
> # root is retained as a separate user identity simply as a
> # compatibility measure with the "strict" policy. It could
> # be dropped and mapped to user_u but this allows existing
> # file contexts that have "root" as the user identity to
> # remain valid.
>
> user root roles { user_r sysadm_r system_r };
That is true under the default targeted policy. It is not true of
strict policy or mls policy. The difference is that targeted policy has
no notion of user roles and does not try to control users, only specific
programs/daemons, whereas strict and mls policies include user roles and
limit what users can do.
> But if I try to modify the login context of root to use user_u I get
> the following error:
>
> $ semanage login -m -s user_u root
>
> libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix user
> root exceeds allowed range s0 for SELinux user user_u
> libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-
> s15:c0.c1023)] is invalid
> libsemanage.dbase_llist_iterate: could not iterate over records
> /usr/sbin/semanage: Could not modify login mapping for root
>
> I'm not really sure how to interpret this message. I would guess
> it's because user_u has only a valid MLS range SystemLow and root has
> a SystemLow-SystemHigh range. But why could this be a problem?
Because, as you said, user_u isn't authorized for that range. The Linux
user is limited by the permissions of the SELinux user to which he is
mapped.
Also, the above semanage command would not actually remove the "root"
SELinux user from the kernel policy; it would only remove the mapping
from the seusers file. The seusers file was introduced as a way to
allow Linux users to be added/modified/removed without needing to change
the kernel policy each time, by letting you map each Linux user to one
of the predefined SELinux users.
It would make more sense to map "root" to "staff_u" than to "user_u".
But you aren't achieving much by doing so; you still need "root" in the
kernel policy for compatibility with your on-disk file contexts.
> The system I'm testing this on is a CentOS5 with an MLS policy installed.
--
Stephen Smalley
National Security Agency
* Re: SELinux user root
From: Stefan Schulze Frielinghaus @ 2007-07-10 8:17 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux List
On 09.07.2007, at 20:07, Stephen Smalley wrote:
>> But if I try to modify the login context of root to use user_u I get
>> the following error:
>>
>> $ semanage login -m -s user_u root
>>
>> libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix user
>> root exceeds allowed range s0 for SELinux user user_u
>> libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-
>> s15:c0.c1023)] is invalid
>> libsemanage.dbase_llist_iterate: could not iterate over records
>> /usr/sbin/semanage: Could not modify login mapping for root
>>
>> I'm not really sure how to interpret this message. I would guess
>> it's because user_u has only a valid MLS range SystemLow and root has
>> a SystemLow-SystemHigh range. But why could this be a problem?
>
> Because, as you said, user_u isn't authorized for that range. The
> Linux
> user is limited by the permissions of the SELinux user to which he is
> mapped.
>
> Also, the above semanage command would not actually remove the "root"
> SELinux user from the kernel policy; it would only remove the mapping
> from the seusers file. The seusers file was introduced as a way to
> allow Linux users to be added/modified/removed without needing to
> change
> the kernel policy each time, by letting you map each Linux user to one
> of the predefined SELinux users.
>
> It would make more sense to map "root" to "staff_u" than to "user_u".
> But you aren't achieving much by doing so, you still need "root" in
> the
> kernel policy for compatibility with your on-disk file contexts.
But how do I limit the Linux user root so that it cannot switch to sysadm_r? I
would change his SELinux user to user_u (but that's not working, as
we pointed out). Or would you change the SELinux user root to not
include the sysadm_r role?
* Re: SELinux user root
From: Ken YANG @ 2007-07-10 9:17 UTC (permalink / raw)
To: Stefan Schulze Frielinghaus; +Cc: Stephen Smalley, SELinux List
Stefan Schulze Frielinghaus wrote:
>
> On 09.07.2007, at 20:07, Stephen Smalley wrote:
>
>>> But if I try to modify the login context of root to use user_u I get
>>> the following error:
>>>
>>> $ semanage login -m -s user_u root
>>>
>>> libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix user
>>> root exceeds allowed range s0 for SELinux user user_u
>>> libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-
>>> s15:c0.c1023)] is invalid
>>> libsemanage.dbase_llist_iterate: could not iterate over records
>>> /usr/sbin/semanage: Could not modify login mapping for root
>>>
>>> I'm not really sure how to interpret this message. I would guess
>>> it's because user_u has only a valid MLS range SystemLow and root has
>>> a SystemLow-SystemHigh range. But why could this be a problem?
>>
>> Because, as you said, user_u isn't authorized for that range. The Linux
>> user is limited by the permissions of the SELinux user to which he is
>> mapped.
>>
>> Also, the above semanage command would not actually remove the "root"
>> SELinux user from the kernel policy; it would only remove the mapping
>> from the seusers file. The seusers file was introduced as a way to
>> allow Linux users to be added/modified/removed without needing to change
>> the kernel policy each time, by letting you map each Linux user to one
>> of the predefined SELinux users.
>>
>> It would make more sense to map "root" to "staff_u" than to "user_u".
>> But you aren't achieving much by doing so, you still need "root" in the
>> kernel policy for compatibility with your on-disk file contexts.
>
> But how do I limit the Linux user root so that it cannot switch to sysadm_r? I would
> change his SELinux user to user_u (but that's not working, as we
> pointed out). Or would you change the SELinux user root to not include
> the sysadm_r role?
IMHO, you can use semanage to make "root" not have the sysadm_r mapping.
* Re: SELinux user root
From: Stephen Smalley @ 2007-07-10 13:10 UTC (permalink / raw)
To: Stefan Schulze Frielinghaus; +Cc: SELinux List
On Tue, 2007-07-10 at 10:17 +0200, Stefan Schulze Frielinghaus wrote:
> On 09.07.2007, at 20:07, Stephen Smalley wrote:
>
> >> But if I try to modify the login context of root to use user_u I get
> >> the following error:
> >>
> >> $ semanage login -m -s user_u root
> >>
> >> libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix user
> >> root exceeds allowed range s0 for SELinux user user_u
> >> libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-
> >> s15:c0.c1023)] is invalid
> >> libsemanage.dbase_llist_iterate: could not iterate over records
> >> /usr/sbin/semanage: Could not modify login mapping for root
> >>
> >> I'm not really sure how to interpret this message. I would guess
> >> it's because user_u has only a valid MLS range SystemLow and root has
> >> a SystemLow-SystemHigh range. But why could this be a problem?
> >
> > Because, as you said, user_u isn't authorized for that range. The
> > Linux
> > user is limited by the permissions of the SELinux user to which he is
> > mapped.
> >
> > Also, the above semanage command would not actually remove the "root"
> > SELinux user from the kernel policy; it would only remove the mapping
> > from the seusers file. The seusers file was introduced as a way to
> > allow Linux users to be added/modified/removed without needing to
> > change
> > the kernel policy each time, by letting you map each Linux user to one
> > of the predefined SELinux users.
> >
> > It would make more sense to map "root" to "staff_u" than to "user_u".
> > But you aren't achieving much by doing so, you still need "root" in
> > the
> > kernel policy for compatibility with your on-disk file contexts.
>
> But how do I limit the Linux user root so that it cannot switch to sysadm_r? I
> would change his SELinux user to user_u (but that's not working, as
> we pointed out). Or would you change the SELinux user root to not
> include the sysadm_r role?
You could change the mapping for Linux user "root" by changing both his
SELinux user and his range, e.g.:
semanage login -m -s user_u -r s0 root
Or you could change the authorizations for SELinux user "root", e.g.:
semanage user -m -R user_r root
The former is likely safer (fewer side effects, only affects login, not
already running processes).
--
Stephen Smalley
National Security Agency
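Both of Stephen's options come down to the check libsemanage applied in the error quoted earlier in the thread: a login's MLS range must fit inside the mapped SELinux user's range, and the roles a Linux user can reach are those of the SELinux user it is mapped to. The Python below is an added model of that check (not code from the thread or from libsemanage); the SELinux user table is a constructed approximation of `semanage user -l` on an MLS policy, with only root's role list taken from the thread and the ranges assumed.

```python
"""Model of the libsemanage seusers sanity check discussed in the thread."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

def parse_level(text):
    """'s15:c0.c1023' -> Level(15, {0..1023}); 's0' -> Level(0, {})."""
    sens, _, catspec = text.partition(":")
    cats = set()
    for part in filter(None, catspec.split(",")):
        lo, _, hi = part.partition(".")            # 'c0.c1023' or a single 'c3'
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return Level(int(sens[1:]), frozenset(cats))

def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a bare level means low == high."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    # Level a dominates b: sensitivity at least as high and a superset of categories.
    return a.sens >= b.sens and a.cats >= b.cats

def range_within(inner, outer):
    """inner fits in outer when outer.low <= inner.low and inner.high <= outer.high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])

# Constructed approximation of `semanage user -l` on an MLS policy; only
# root's roles come from the thread, the ranges are assumed for illustration.
SEUSERS = {
    "user_u":  {"range": "s0",              "roles": {"user_r"}},
    "staff_u": {"range": "s0-s15:c0.c1023", "roles": {"staff_r", "sysadm_r", "system_r"}},
    "root":    {"range": "s0-s15:c0.c1023", "roles": {"user_r", "sysadm_r", "system_r"}},
}

def validate_login(linux_user, seuser, mls_range, users=SEUSERS):
    """Return None if the seusers mapping is valid, else a libsemanage-style error."""
    allowed = users[seuser]["range"]
    if not range_within(parse_range(mls_range), parse_range(allowed)):
        return (f"MLS range {mls_range} for Unix user {linux_user} exceeds "
                f"allowed range {allowed} for SELinux user {seuser}")
    return None

def restrict_roles(seuser, roles, users=SEUSERS):
    """Model `semanage user -m -R '<roles>' <seuser>`: returns an updated copy."""
    updated = {name: dict(entry) for name, entry in users.items()}
    updated[seuser]["roles"] = set(roles)
    return updated
```

The first call below reproduces the rejected mapping from the thread; the second is the `-s user_u -r s0` form that Stefan reports works.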
* Re: SELinux user root
From: Stefan Schulze Frielinghaus @ 2007-07-11 12:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux List
On 10.07.2007, at 15:10, Stephen Smalley wrote:
> On Tue, 2007-07-10 at 10:17 +0200, Stefan Schulze Frielinghaus wrote:
>> On 09.07.2007, at 20:07, Stephen Smalley wrote:
>>
>>>> But if I try to modify the login context of root to use user_u I
>>>> get
>>>> the following error:
>>>>
>>>> $ semanage login -m -s user_u root
>>>>
>>>> libsemanage.validate_handler: MLS range s0-s15:c0.c1023 for Unix
>>>> user
>>>> root exceeds allowed range s0 for SELinux user user_u
>>>> libsemanage.validate_handler: seuser mapping [root -> (user_u, s0-
>>>> s15:c0.c1023)] is invalid
>>>> libsemanage.dbase_llist_iterate: could not iterate over records
>>>> /usr/sbin/semanage: Could not modify login mapping for root
>>>>
>>>> I'm not really sure how to interpret this message. I would guess
>>>> it's because user_u has only a valid MLS range SystemLow and
>>>> root has
>>>> a SystemLow-SystemHigh range. But why could this be a problem?
>>>
>>> Because, as you said, user_u isn't authorized for that range. The
>>> Linux
>>> user is limited by the permissions of the SELinux user to which
>>> he is
>>> mapped.
>>>
>>> Also, the above semanage command would not actually remove the
>>> "root"
>>> SELinux user from the kernel policy; it would only remove the
>>> mapping
>>> from the seusers file. The seusers file was introduced as a way to
>>> allow Linux users to be added/modified/removed without needing to
>>> change
>>> the kernel policy each time, by letting you map each Linux user
>>> to one
>>> of the predefined SELinux users.
>>>
>>> It would make more sense to map "root" to "staff_u" than to
>>> "user_u".
>>> But you aren't achieving much by doing so, you still need "root" in
>>> the
>>> kernel policy for compatibility with your on-disk file contexts.
>>
>> But how do I limit the Linux user root so that it cannot switch to sysadm_r? I
>> would change his SELinux user to user_u (but that's not working, as
>> we pointed out). Or would you change the SELinux user root to not
>> include the sysadm_r role?
>
> You could change the mapping for Linux user "root" by changing both
> his
> SELinux user and his range, e.g.:
> semanage login -m -s user_u -r s0 root
>
> Or you could change the authorizations for SELinux user "root", e.g.:
> semanage user -m -R user_r root
>
> The former is likely safer (fewer side effects, only affects login,
> not
> already running processes).
Yeah, the first one runs fine for me.
Thanks!
-Stefan