Research
Skip Research Menus
Research MenuSecurity Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links |
SELinux Mailing ListRE: Compiling for SuSE 7.2
From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
Date: Fri, 5 Oct 2001 12:09:54 -0500
Work ok for me.
Mark
-----Original Message-----
On Fri, 5 Oct 2001, Russell Coker wrote:
> /bin/login is for console logins, telnetd, and I think rshd. sshd doesn't The simplest approach is to obtain the default security context for the user (via the get_default_user_sid function in libsecure) and use it in the appropriate exec*_secure call, and then let the user run newrole if necessary to change roles after login. Also, as with login, the ?dm program should set the security context for the user's terminal device. Mark Westerman experimented with a patch for gdm that is available on his sourceforge selinux project site, but I'm not sure how far he got. Note that some policy customization will be necessary to properly support the use of the ?dm programs. A separate domain should be defined for these programs, and some of their helper programs may also need separate domains to provide least privilege. Longer term, it would be nice to change ?dm and its helper programs to permit users to specify a security context upon login. But this would be more complicated and require a more invasive patch.
> Initially using startx after logging in on the console is easiest. Yes, this is what we recommend if you want to run X. However, please note that you must uncomment some allow rules in the policy/domains/program/xserver.te file to grant the X server the necessary permissions. And note that this is dangerous - X is far too privileged, and needs to be restructured to support least privilege. -- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Fri 5 Oct 2001 - 13:21:48 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |