From: Andy Warner <warner@rubix.com>
To: selinux@tycho.nsa.gov
Subject: using roles with mls policy
Date: Wed, 05 Nov 2008 16:33:13 +0100
Message-ID: <4911BCB9.1060407@rubix.com>

I am using Fedora 9 with the MLS policy. I have been using it in 
permissive mode for a while (integrating SELinux with a DBMS and its 
objects) and now must do some work/testing in enforcing mode. As soon as 
I switch to enforcing mode I seem unable to perform any action which 
requires privilege.

What is the anticipated method to shutdown/reboot the system and to 
toggle the enforcing mode while in MLS/Enforcing? What I assumed was to 
transition to an appropriate role (sysadm_r and secadm_r respectively) 
and then issue the corresponding command (shutdown and setenforce). This 
fails and I believe my difficulty is that in both cases I need to also 
be the linux root user. There does not seem to be an obvious way to 
execute a command as the linux root user as neither su nor sudo seem 
available while in the sysadm_r and secadm_r roles. Executing something 
like seaudit while in the auditadm_r role fails to allow me to 
authenticate as root. Despite being the correct password it continuously 
loops asking for the password.

As a related but less important question, in general, is it intended 
that a user initially have the staff_r role upon login and then 
transition to a more trusted role (i.e., secadm_r) using the newrole 
command? (as opposed to having the secadm_r upon login.)

Thanks for any help,

Andy


