From: Daniel J Walsh <dwalsh@redhat.com>
To: Joshua Brindle <method@manicmethod.com>
Cc: SE Linux <selinux@tycho.nsa.gov>,
	Chad Sellers <csellers@tresys.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: This patch add seusers support to SELinux
Date: Fri, 19 Jun 2009 14:30:28 -0400
Message-ID: <4A3BD944.7090608@redhat.com>
In-Reply-To: <4A3BD88E.5010103@manicmethod.com>

On 06/19/2009 02:27 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 06/19/2009 02:13 PM, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> On 06/19/2009 11:08 AM, Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 06/18/2009 04:14 PM, Joshua Brindle wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 06/18/2009 09:48 AM, Joshua Brindle wrote:
>>>>>>>>> Joshua Brindle wrote:
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> The idea here is to break the seusers file up into lots of little
>>>>>>>>>>> seusers files that can be user specific. It also adds the service
>>>>>>>>>>> field to be used by tools like pam_selinux to choose which is the
>>>>>>>>>>> correct context to log a user in as.
>>>>>>>>>>>
>>>>>>>>>>> Patch was added to facilitate IPA handing out SELinux content for
>>>>>>>>>>> selection of roles at login.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This patch does not affect the behavior of getseuserbyname(), how is
>>>>>>>>>> this expected to work with existing applications?
>>>>>>>>>>
>>>>>>>> I think it only affects pam_selinux.
>>>>>>>
>>>>>>> The function name is very confusing if it's only used for pam_selinux,
>>>>>>> I'd like it renamed but seeing that pam_selinux is already deployed
>>>>>>> with it I suppose that isn't an option.
>>>>>>>
>>>>>>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>>>>>>
>>>>>>>>>
>>>>>>>>> Also, what is the format of this file? What should service be to
>>>>>>>>> test this on F11?
>>>>>>>>>
>>>>>> It is not only for pam_selinux, but that is currently the only user.
>>>>>>
>>>>>> Really all this function does is add a second variable when selecting
>>>>>> a user's default context. service is just a string that the caller can
>>>>>> specify. It just allows you to change the default context you would get
>>>>>> on entry to the system. So I guess you could use similar calls to get
>>>>>> different contexts depending on whether or not you are on the console.
>>>>>> Imagine a dbus service which would run with one context if you were
>>>>>> logged onto the console versus a different context if you were logged
>>>>>> in via ssh.
>>>>>>
>>>>>
>>>>> On looking at this further, I don't like the format of the file either,
>>>>> why did you choose to make it use colons and not tolerate spaces? First
>>>>> when I tried root: staff_u: s0 it logged me in as system_u and then when
>>>>> I tried root:staff_u:s0 I got logged in correctly. This is a little
>>>>> fragile to expect editing by users and getting unexpectedly logged in as
>>>>> system_u.
>>>>>
>>>>> --
>>>> The : separated list matches seusers and /etc/passwd so I think it makes
>>>> sense. The file should require all three fields, that is a bug.
>>>>
>>>
>>> Ok, this is also yet-another-way to map users in SELinux, and it's
>>> different from everything else. We use contexts to map other services to
>>> users a la contexts/default_contexts and contexts/users/*. Why should
>>> this be any different? If there are multiple sshd's running, e.g., on a
>>> high nic and low nic then they'd need to map contexts via context rather
>>> than "service" name.
>>>
>>> I still haven't figured out what this is solving.
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> I want to say that on these 50 machines dwalsh logs in via ssh as
>> guest_t:SystemLow
>>
>> If he logs in via the console he logs in as staff_t:SystemLow-SystemHigh
>>
>> Now distribute this out to hundreds of thousands of machines.
>>
>
> How is this different from distributing the contexts/users/dwalsh file?
>
> [root@localhost contexts]# cat users/dwalsh
> system_r:local_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 guest_r:guest_t:s0
>
>
That is an SELinux users file, not a UID users file.

The dwalsh user does not exist.


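The thread above turns on the seusers line format (root:staff_u:s0 works, root: staff_u: s0 silently logs the user in as system_u, and Dan agrees that all three fields should be required). The following is an added example, not libselinux or patch code from this thread: a strict parser for login:seuser:level entries that treats a missing field or embedded whitespace as an error rather than letting the lookup fall through to a default. The file contents and field widths are constructed for the example.

```c
#include <string.h>
#include <ctype.h>

/* Added example, not libselinux code: a strict parser for seusers-style
 * "login:seuser:level" lines. Missing fields or embedded whitespace are
 * errors, so a typo cannot silently drop a login to a default context. */
struct seuser_entry {
    char login[64];
    char seuser[64];
    char level[64];   /* an MLS range such as s0-s0:c0.c1023 contains ':' */
};

static int copy_field(char *dst, size_t cap, const char *src, size_t len) {
    if (len == 0 || len >= cap) return -1;
    for (size_t i = 0; i < len; i++)
        if (isspace((unsigned char)src[i])) return -1;   /* "root: staff_u: s0" */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one line (up to the newline). Returns 0 on success, -1 if malformed. */
int parse_seusers_line(const char *line, struct seuser_entry *out) {
    size_t end = strcspn(line, "\r\n");
    const char *c1 = memchr(line, ':', end);
    if (!c1) return -1;
    const char *c2 = memchr(c1 + 1, ':', end - (size_t)(c1 + 1 - line));
    if (!c2) return -1;    /* only the first two ':' split; the rest is the level */
    if (copy_field(out->login, sizeof out->login, line, (size_t)(c1 - line))) return -1;
    if (copy_field(out->seuser, sizeof out->seuser, c1 + 1, (size_t)(c2 - c1 - 1))) return -1;
    if (copy_field(out->level, sizeof out->level, c2 + 1, end - (size_t)(c2 + 1 - line))) return -1;
    return 0;
}

/* Scan a whole file image: 1 = found, 0 = not found, -1 = malformed entry.
 * A malformed line fails the lookup instead of falling through to a default. */
int lookup_seuser(const char *contents, const char *login, struct seuser_entry *out) {
    for (const char *p = contents; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len > 0 && *p != '#') {
            struct seuser_entry e;
            if (parse_seusers_line(p, &e) != 0) return -1;
            if (strcmp(e.login, login) == 0) { *out = e; return 1; }
        }
        p += len;
        if (*p == '\n') p++;
    }
    return 0;
}

/* Constructed sample files, not real seusers content. */
static const char sample_good[] = "# login:seuser:level\n"
                                  "root:staff_u:s0-s0:c0.c1023\n"
                                  "__default__:user_u:s0\n";
static const char sample_bad[]  = "root: staff_u: s0\n";
```

With sample_bad the lookup returns -1 so the caller can refuse the login or log the bad entry, instead of the silent system_u fallback described in the thread.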
