Re: user guide draft: "Confined and Unconfined User Domains" review

[Murray McAllister <mmcallis@redhat.com>]

James Morris wrote:
> On Tue, 9 Sep 2008, Murray McAllister wrote:
> 
>> Each Linux user account is mapped to an SELinux user identity when a user
>> login session is created, and the mapped SELinux user identity is used in the
>> security context for processes in that session.
> 
> This is a long sentence which I suspect general users would not easily 
> understand.  Perhaps break it into two sentences, with the second as:
> 
> "The SELinux user identity is indicated in the user's process security 
> context for that session."

Would the following be enough:

Each Linux user account is mapped to an SELinux user identity via 
SELinux policy. By default, on Fedora 10, Linux users are mapped to the 
SELinux unconfined_u user. This is seen by running the 
/usr/sbin/semanage login -l command:

> 
> Do you have a diagram breaking down the security context?  You could refer 
> to it here.

No. I will try to organize one. Is there anything specific that should 
be on it?

> 
>> By default, on Fedora 10,
>> Linux users are mapped to the SELinux unconfined_u user. This is seen by
>> running the id -Z and /usr/sbin/semanage login -l commands:
>>
>> # id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> This command will have different outputs depending on how the user is 
> logged in, and there are seemingly (to the reader) two different ways to 
> see the SELinux user mapping (a new concept to them at this point).
> 
> I suggest breaking it up so you first show the mapping via semanage, then 
> show the output of 'id -Z' for one of the Unix logins, also perhaps 
> explaining the flow:
> 
> - Linux users are mapped to SELinux users via policy
> 
> - user commences login
> - pam_selinux maps the user and sets up the resulting security context
> - user shell is launched in that context

Would an example of adding a user (useradd newuser), logging in as 
newuser, then running "id -Z" help?

> 
>> # /usr/sbin/semanage login -l
>>
>> Login Name                SELinux User              MLS/MCS Range
>>
>> __default__               unconfined_u              s0-s0:c0.c1023
>> root                      unconfined_u              s0-s0:c0.c1023
>> system_u                  system_u                  s0-s0:c0.c1023
>>
>> The first row, __default__, defines that any new Linux users created that are
>> not specifically mapped to an SELinux user, are mapped to the SELinux
>> unconfined_u user. For a description of each column, refer to Chapter 3,
>> SELinux Contexts.
> 
> I think you need to refer to a concrete example with the current text.

An example of what a user sees (see above, adding newuser), or 
explaining what each field is?

> 
>> Unconfined Linux users are subject to executable and
>> writeable memory checks, and are also restricted by MCS (and MLS, if the MLS
>> policy is used). If they execute an object that the SELinux policy defines can
> 
> Why introduce unfamiliar terminology like "execute an object" ?  People 
> execute applications.

I have removed these and replaced "subjects" with "processes", "execute 
object" with "execute application", and so on.

> 
>> transition from the unconfined_t domain to its own confined domain, the
>> unconfined Linux users are still subject to the restrictions of that confined
>> domain.
> 
> Perhaps important to (re)state the security benefit of this, in that 
> an unconfined user cannot override the security policy for a confined 
> application just because they themselves are unconfined.

Sounds good. Thank you.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.