Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: using roles with mls policy
From: Andy Warner <warner_at_rubix.com>
Date: Wed, 05 Nov 2008 18:52:15 +0100
Justin Mattock wrote:
[staff@oak ~]$ id -Z
As can be seen I can transition to the secadm_r without an issue. And, from the DAC modes of /selinux/enforce I would guess it requires linux root to be written. Also, I thought I read elsewhere that the secadm_r was configured so that it could not perform an su/sudo. Likewise, if I try to execute system-config-selinux as the secadm_r role, I am not permitted to authenticate as linux root user so I am not able to do anything. If selinux is in permissive mode everything works, as long as I su/sudo to root first. I have similar issues with the auditadm_r role. As for my previously mentioned issue with using sysadm_r to issue a shutdown command while in enforcing mode, I was mistaken and this is possible using sudo (not sure what I was thinking). It seems no MLS roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r and secadm_r cannot use either and seem powerless without it. I am also unable to directly log in as root when in enforcing mode. Note that I am using the roles as they are configured in the MLS policy. If it is required to change or configure the roles to make them able do what it seems like they should be able to do, thats ok, but first I need to make sure I'm not just being boneheaded and using them in the wrong way or have bad expectations of what they should be able to do. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 5 Nov 2008 - 12:52:31 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |