SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] From: Tom Anderson <granite217_at_yahoo.com> subject: purpose of the staff_r role? Date: Wed, 29 Sep 2004 18:38:29 -0700 (PDT) This message: [ Message body ] Next message: Colin Walters: "Re: Access to xdm_t" Previous message: Russell Coker: "apol suggestions" Next in thread: Eric Andreychek: "Re: purpose of the staff_r role?" Reply: Eric Andreychek: "Re: purpose of the staff_r role?" Reply: Carsten P. Gehrke: "Re: purpose of the staff_r role?" Reply: Colin Walters: "Re: purpose of the staff_r role?" Maybe reply: Kodungallur Varma: "Re: purpose of the staff_r role?" Maybe reply: Park Lee: "Re: purpose of the staff_r role?" Reply: Wolfgang Pfeiffer: "Re: purpose of the staff_r role?" Can anyone explain the purpose/benefit of having an account under the staff_r role? I thought it was to allow limited administrative functions, but I've discovered that it doesn't even allow reading the logfiles under /var/log/. What purpose does it serve, other than to limit who can transition to sysadm_r? SE Linux appears to be quite powerful, but dear $deity it's confusing. I'd sell my soul for a nice, readable O'Reilly Press title covering this stuff! Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! http://promotions.yahoo.com/new_mail -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Eric Andreychek <eric_at_openthought.net> subject: Re: purpose of the staff_r role? Date: Thu, 30 Sep 2004 04:09:32 +0000 This message: [ Message body ] Next message: Carsten P. Gehrke: "Re: purpose of the staff_r role?" Previous message: Colin Walters: "Re: Access to xdm_t" In reply to: Tom Anderson: "purpose of the staff_r role?" Next in thread: Carsten P. Gehrke: "Re: purpose of the staff_r role?" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Howdy, On Wed, 29 Sep 2004, Tom Anderson wrote: > SE Linux appears to be quite powerful, but dear $deity it's confusing. From one new SELinux user to another, keep tinkering around with it, it'll start to make sense :-) You're right, it is really powerful. Don't be afraid to get in there and work with the policies (just make a backup, RCS is your friend ;-) Nothing will help you figure it out quicker than building a policy for a daemon without one :-) > I'd sell my soul for a nice, readable O'Reilly Press title covering > this stuff! Well, lucky for you, you might not need to go quite that far ;-) It looks like O'Reilly will be releasing one named "SELinux NSA's Open Source Security Enhanced Linux" by Bill McCarty pretty soon: http://www.oreilly.com/catalog/selinux/index.html The estimated release date is October. I'm looking forward to that myself. Good luck! -Eric -- Eric Andreychek \| Lucy: "What happens if you practice the Eric Conspiracy Secret Labs \| piano for 20 years and then end up not eric@openthought.net \| being rich and famous?" http://openthought.net \| Schroeder: "The joy is in the playing." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBW4b8R5UKaDAjAG4RAhRhAKDgM8GT9BZxRFcHqcBMk7/QMRENyACcDFbu cys8mXtVF8yKvu8VuH0MXJA= =2hWg -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Carsten P. Gehrke <Carsten_at_rollinghorse.com> subject: Re: purpose of the staff_r role? Date: Wed, 29 Sep 2004 21:39:14 -0700 This message: [ Message body ] Next message: Colin Walters: "Re: purpose of the staff_r role?" Previous message: Eric Andreychek: "Re: purpose of the staff_r role?" In reply to: Tom Anderson: "purpose of the staff_r role?" Next in thread: Colin Walters: "Re: purpose of the staff_r role?" At 18:38 29-09-04, Tom Anderson wrote: >Can anyone explain the purpose/benefit of having an account under the >staff_r role? I thought it was to allow limited administrative >functions, but I've discovered that it doesn't even allow reading the >logfiles under /var/log/. What purpose does it serve, other than to >limit who can transition to sysadm_r? > >SE Linux appears to be quite powerful, but dear $deity it's confusing. >I'd sell my soul for a nice, readable O'Reilly Press title covering >this stuff! There is one in the works. I saw a draft copy at LinuxWorld in San Francisco early August. The title is "SELINUX: NSA's Open Source Security Enhanced Linux" and the author is Bill McCarty. Now, do I get your soul or does O'Reilly? -- Rolling Horse Ranch Technical Services Carsten P. Gehrke Custom software solutions using open source technology http://tech.RollingHorse.com/ Carsten@RollingHorse.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Colin Walters <walters_at_verbum.org> subject: Re: purpose of the staff_r role? Date: Thu, 30 Sep 2004 09:17:01 -0400 This message: [ Message body ] Next message: Thomas Bleher: "Re: policy for timidity" Previous message: Carsten P. Gehrke: "Re: purpose of the staff_r role?" In reply to: Tom Anderson: "purpose of the staff_r role?" Next in thread: Tom Anderson: "Re: purpose of the staff_r role?" Reply: Tom Anderson: "Re: purpose of the staff_r role?" On Wed, 2004-09-29 at 18:38 -0700, Tom Anderson wrote: > Can anyone explain the purpose/benefit of having an account under the > staff_r role? I thought it was to allow limited administrative > functions, but I've discovered that it doesn't even allow reading the > logfiles under /var/log/. What purpose does it serve, other than to > limit who can transition to sysadm_r? It's the role that a person who can become sysadm_r should do their daily work in like reading mail, working on source code, etc. The reason is because it basically isn't allowed to interact with user_t at all; for example, staff_t can't read user_tmp_t. This prevents /tmp races from working. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Tom Anderson <granite217_at_yahoo.com> subject: Re: purpose of the staff_r role? Date: Thu, 30 Sep 2004 12:31:53 -0700 (PDT) This message: [ Message body ] Next message: Russell Coker: "Re: Access to xdm_t" Previous message: Luke Kenneth Casson Leighton: "Re: Access to xdm_t" In reply to: Colin Walters: "Re: purpose of the staff_r role?" Next in thread: Russell Coker: "Re: purpose of the staff_r role?" Reply: Russell Coker: "Re: purpose of the staff_r role?" > It's the role that a person who can become sysadm_r should do their > daily work in like reading mail, working on source code, etc. The > reason is because it basically isn't allowed to interact with user_t > at all; for example, staff_t can't read user_tmp_t. This prevents > /tmp races from working. Ah, that makes sense. But I'd like my staff_t user able to read logfiles, without needing to become sysadm_r first ('cuz I can do some real damage inadvertently). Is there a "correct" way to do this? I've tried granting read access to var_log_t, but several daemons have their own logfile types. Do you Yahoo!? Express yourself with Y! Messenger! Free. Download now. http://messenger.yahoo.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Russell Coker <russell_at_coker.com.au> subject: Re: purpose of the staff_r role? Date: Fri, 1 Oct 2004 06:43:20 +1000 This message: [ Message body ] Next message: Karl MacMillan: "RE: apol suggestions" Previous message: Russell Coker: "Re: Access to xdm_t" In reply to: Tom Anderson: "Re: purpose of the staff_r role?" Next in thread: Tom Anderson: "Re: purpose of the staff_r role?" Reply: Tom Anderson: "Re: purpose of the staff_r role?" On Fri, 1 Oct 2004 05:31, Tom Anderson <granite217@yahoo.com> wrote: > > It's the role that a person who can become sysadm_r should do their > > daily work in like reading mail, working on source code, etc. The > > reason is because it basically isn't allowed to interact with user_t > > at all; for example, staff_t can't read user_tmp_t. This prevents > > /tmp races from working. > > Ah, that makes sense. But I'd like my staff_t user able to read > logfiles, without needing to become sysadm_r first ('cuz I can do some > real damage inadvertently). Is there a "correct" way to do this? I've > tried granting read access to var_log_t, but several daemons have their > own logfile types. r_dir_file(staff_t, logfile) -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Tom Anderson <granite217_at_yahoo.com> subject: Re: purpose of the staff_r role? Date: Fri, 1 Oct 2004 18:10:30 -0700 (PDT) This message: [ Message body ] Next message: Greg Norris: "Re: need advice for ld_so_cache_t errors" Previous message: Russell Coker: "Re: need advice for ld_so_cache_t errors" In reply to: Russell Coker: "Re: purpose of the staff_r role?" Next in thread: Russell Coker: "Re: purpose of the staff_r role?" Reply: Russell Coker: "Re: purpose of the staff_r role?" Russell Coker <russell@coker.com.au> wrote: > r_dir_file(staff_t, logfile) Thank you. Is there a similar trick for seeing the full process information under ps? I see there's a "can_ps" macro, but so far I haven't managed to get the arguments right. Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Russell Coker <russell_at_coker.com.au> subject: Re: purpose of the staff_r role? Date: Sat, 2 Oct 2004 12:43:02 +1000 This message: [ Message body ] Next message: Russell Coker: "Re: need advice for ld_so_cache_t errors" Previous message: Greg Norris: "Re: need advice for ld_so_cache_t errors" In reply to: Tom Anderson: "Re: purpose of the staff_r role?" Next in thread: Tom Anderson: "Re: purpose of the staff_r role?" Reply: Tom Anderson: "Re: purpose of the staff_r role?" On Sat, 2 Oct 2004 11:10, Tom Anderson <granite217@yahoo.com> wrote: > --- Russell Coker <russell@coker.com.au> wrote: > > r_dir_file(staff_t, logfile) > > Thank you. Is there a similar trick for seeing the full process > information under ps? I see there's a "can_ps" macro, but so far I > haven't managed to get the arguments right. can_ps(staff_t, domain) probably does what you want. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Tom Anderson <granite217_at_yahoo.com> subject: Re: purpose of the staff_r role? Date: Fri, 1 Oct 2004 21:41:39 -0700 (PDT) This message: [ Message body ] Next message: Daniel J Walsh: "Re: policy patches" Previous message: Greg Norris: "Re: need advice for ld_so_cache_t errors" In reply to: Russell Coker: "Re: purpose of the staff_r role?" Next in thread: Kodungallur Varma: "Re: purpose of the staff_r role?" Russell Coker <russell@coker.com.au> wrote: > can_ps(staff_t, domain) probably does what you want. That seems to have done it. Thanks! Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Kodungallur Varma <ram25_at_gwu.edu> subject: Re: purpose of the staff_r role? Date: Thu, 30 Sep 2004 18:54:10 -0500 This message: [ Message body ] Next message: Colin Walters: "Re: Access to xdm_t" Previous message: Karl MacMillan: "RE: apol suggestions" Maybe in reply to: Tom Anderson: "purpose of the staff_r role?" Next in thread: Park Lee: "Re: purpose of the staff_r role?" Hi all, I am pretty new to selinux. I was setting up a selinux machine. I installed the OS and I installed the latest packages policy packages with the 'yum' command. I later rebooted with the enforcing=0 option during the boot. I later 'make relabel' ed it. I rebooted the machine again with the enforcing=0 mode and checked the /var/log/messages for avc:access denied messages. there are too many of them and I just dont know how to fix them. any help on this would be excellent. thanx in advance.. Original Message ----- From: Russell Coker <russell@coker.com.au> Date: Thursday, September 30, 2004 3:43 pm Subject: Re: purpose of the staff_r role? > On Fri, 1 Oct 2004 05:31, Tom Anderson <granite217@yahoo.com> wrote: > > > It's the role that a person who can become sysadm_r should do > their> > daily work in like reading mail, working on source code, > etc. The > > > reason is because it basically isn't allowed to interact with > user_t> > at all; for example, staff_t can't read user_tmp_t. > This prevents > > > /tmp races from working. > > > > Ah, that makes sense. But I'd like my staff_t user able to read > > logfiles, without needing to become sysadm_r first ('cuz I can > do some > > real damage inadvertently). Is there a "correct" way to do > this? I've > > tried granting read access to var_log_t, but several daemons > have their > > own logfile types. > > r_dir_file(staff_t, logfile) > > -- > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux > packageshttp://www.coker.com.au/bonnie++/ Bonnie++ hard drive > benchmarkhttp://www.coker.com.au/postal/ Postal SMTP/POP benchmark > http://www.coker.com.au/~russell/ My home page > > -- > This message was distributed to subscribers of the selinux mailing > list.If you no longer wish to subscribe, send mail to > majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Park Lee <parklee_sel_at_yahoo.com> subject: Re: purpose of the staff_r role? Date: Fri, 1 Oct 2004 02:13:32 -0700 (PDT) This message: [ Message body ] Next message: Luke Kenneth Casson Leighton: "Re: Access to xdm_t" Previous message: Joe Nall: "Re: Representing releasibilities in SELinux" Maybe in reply to: Tom Anderson: "purpose of the staff_r role?" Next in thread: Wolfgang Pfeiffer: "Re: purpose of the staff_r role?" Thu, 30 Sep 2004 18:54 Kodungallur Varma wrote: >I am pretty new to selinux. I was setting up a selinux machine. I >installed the OS and I installed the latest packages policy packages >with the 'yum' command. I later rebooted with the enforcing=0 option >during the boot. I later 'make relabel' ed it. I rebooted the machine >again with the enforcing=0 mode and checked the /var/log/messages >for avc:access denied messages. there are too many of them and I >just dont know how to fix them. any help on this would be excellent. After installed the packages policy packages, You'd better reboot in singleuser mode, and then try 'make relabel'. Hope this helps, Park Lee Do you Yahoo!? vote.yahoo.com - Register online to vote today! -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Wolfgang Pfeiffer <roto_at_gmx.net> subject: Re: purpose of the staff_r role? Date: Sun, 03 Oct 2004 22:26:53 +0200 This message: [ Message body ] Next message: Greg Norris: "Re: need advice for ld_so_cache_t errors" Previous message: Russell Coker: "Re: need advice for ld_so_cache_t errors" In reply to: Tom Anderson: "purpose of the staff_r role?" On Thu, 2004-09-30 at 03:38, Tom Anderson wrote: > Can anyone explain the purpose/benefit of having an account under the > staff_r role? I thought it was to allow limited administrative > functions, but I've discovered that it doesn't even allow reading the > logfiles under /var/log/. What purpose does it serve, other than to > limit who can transition to sysadm_r? > > SE Linux appears to be quite powerful, but dear $deity it's confusing. > I'd sell my soul for a nice, readable O'Reilly Press title covering > this stuff! Some weeks ago when googling about for some docs (that is: Beginner docs) I stumbled over this site: http://www.lurking-grue.org/ For me, a beginner with selinux, the most usable I found so far. [ Thanks, Faye Coker ] HTH Wolfgang -- Wolfgang Pfeiffer gpg ID: 0AA7E825 Profile, links: http://profiles.yahoo.com/wolfgangpfeiffer -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom