From: Daniel J Walsh <dwalsh@redhat.com>
To: Jeremiah Jahn <jeremiah@goodinassociates.com>
Cc: selinux <selinux@tycho.nsa.gov>
Subject: Re: default user roles
Date: Fri, 22 Feb 2008 14:07:40 -0500
Message-ID: <47BF1D7C.4060207@redhat.com>
In-Reply-To: <1203704148.3669.953.camel@bluejay.goodinassociates.com>

Jeremiah Jahn wrote:
> I can't seem to get the login to set the proper initial role for a user.
> Every time I login, I end up as auditadm, and not secstaff.
> 
> I have the following in my policy:
> 
> userdom_unpriv_user_template(secstaff)
> userdom_role_change_template(secstaff, secadm)
> userdom_role_change_template(secstaff, auditadm)
> allow secstaff_t devlog_t:sock_file write;
> allow secstaff_t newrole_t:process { siginh noatsecure rlimitinh };
> allow secstaff_t syslogd_t:unix_dgram_socket sendto;
> allow secstaff_t unconfined_tmp_t:dir { write search rmdir remove_name create getattr add_name };
> allow secstaff_t user_home_dir_t:dir { read getattr search };
> userdom_manage_generic_user_home_content_files(secstaff_t)
> userdom_read_generic_user_home_content_files(secstaff_t)
> 
> ############################################################
> # Set default role for sec staff <-- not quite :)
> #
> role secstaff_r types secstaff_t;
> 
> ############################################################
> # define roles the secstaff can transition to
> #
> user secstaff_u roles { secstaff_r secadm_r auditadm_r } level s0 range s0 - s0;
>
> In the olden days in England, you could be hung for stealing a sheep or
> a loaf of bread. However, if a sheep stole a loaf of bread and gave it
> to you, you would only be tried for receiving, a crime punishable by
> forty lashes with the cat or the dog, whichever was handy. If you stole
> a dog and were caught, you were punished with twelve rabbit punches,
> although it was hard to find rabbits big enough or strong enough to
> punch you. -- Mike Harding, "The Armchair Anarchist's Almanac"

You probably need a

/etc/selinux/TYPE/contexts/users/secstaff_u
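Added example, not part of the original message and not libselinux code: a simplified model of how a per-user file such as /etc/selinux/TYPE/contexts/users/secstaff_u puts secstaff_r ahead of the other roles the user may enter. The file contents, the types secadm_t, auditadm_t, local_login_t and sshd_t, the default_contexts sample and the helper names are all assumptions constructed for illustration.

```python
# Simplified model (an assumption, not libselinux code) of how a per-user
# contexts file orders the contexts a login program may assign.

# Constructed sample of /etc/selinux/TYPE/contexts/users/secstaff_u.
# Each line: <login program role:type:level>  <user role:type:level ...>
SECSTAFF_U = """\
system_r:local_login_t:s0  secstaff_r:secstaff_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0
system_r:sshd_t:s0         secstaff_r:secstaff_t:s0
"""

def parse_contexts_file(text):
    """Map each login program context to its ordered list of user contexts."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        login_ctx, *targets = line.split()
        table[login_ctx] = targets
    return table

def order_contexts(login_ctx, reachable, *tables):
    """Order `reachable` by the first table that has an entry for login_ctx;
    contexts that entry does not list keep their relative order at the end."""
    for table in tables:
        preferred = table.get(login_ctx)
        if preferred:
            listed = [c for c in preferred if c in reachable]
            rest = [c for c in reachable if c not in listed]
            return listed + rest
    return list(reachable)

# Contexts reachable for secstaff_u per the quoted `user` statement, in a
# constructed order that happens to put auditadm_r first.
REACHABLE = ["auditadm_r:auditadm_t:s0", "secadm_r:secadm_t:s0",
             "secstaff_r:secstaff_t:s0"]

# Constructed system-wide default_contexts with no secstaff_r entry.
DEFAULTS = parse_contexts_file(
    "system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0\n")

def default_context(login_ctx, per_user_text=None):
    """First context in the ordered list, i.e. what the login would get."""
    tables = [DEFAULTS]
    if per_user_text is not None:
        tables.insert(0, parse_contexts_file(per_user_text))  # per-user file wins
    return order_contexts(login_ctx, REACHABLE, *tables)[0]

if __name__ == "__main__":
    print(default_context("system_r:local_login_t:s0"))              # no per-user file
    print(default_context("system_r:local_login_t:s0", SECSTAFF_U))  # with it
```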
