On Sat, 5 Jan 2002, Shaun Savage wrote:
> During login with selinux, the question "do you want to change context"
> is asked. My feeling is that this creates a complexity problem. I have
> changed get_user_sid() to get_default_user_sid(). This does not confuse
> "the user"; also, if someone does get root, this adds one more fence.
It seems like you are moving in the wrong direction here. Even if a user specifies a security context to login, he is still limited by the kernel to the set of authorized roles and domains that are legal for the user (policy/users and policy/rbac) and that are reachable from the login process (i.e. there must be a domain_auto_trans rule or a domain_trans rule in login.te). So there is no real risk in permitting the user to specify a security context at login time.
Even if you remove this support, a user can still change roles later via newrole. I doubt that you want to remove that program and domain.
With regard to root, keep in mind a couple of points:
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

Received on Mon 7 Jan 2002 - 09:32:32 EST
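
Added example (not part of the original message, and not SELinux code): a simplified Python model of the three limits the reply names, which are the user's authorized roles (policy/users), the domains each role may enter (policy/rbac), and the domains reachable from the login process (login.te). Every user, role and domain name below is constructed sample data.

```python
# Simplified model of the checks a user-chosen login context must pass.
# All policy entries are constructed sample data, not taken from a real policy.

# policy/users: roles each user is authorized for
USER_ROLES = {"jdoe": {"user_r"}, "root": {"user_r", "sysadm_r"}}
# policy/rbac: domains each role may enter
ROLE_DOMAINS = {"user_r": {"user_t", "batch_t"}, "sysadm_r": {"sysadm_t"}}
# login.te: domains the login process has a transition rule into
LOGIN_TRANSITIONS = {"local_login_t": {"user_t", "sysadm_t"}}


def check_login_context(context, login_domain="local_login_t"):
    """Return (allowed, reason) for a requested user:role:domain context."""
    parts = context.split(":")
    if len(parts) != 3:
        return False, "malformed context"
    user, role, domain = parts
    if role not in USER_ROLES.get(user, set()):
        return False, "role not authorized for user"
    if domain not in ROLE_DOMAINS.get(role, set()):
        return False, "domain not authorized for role"
    if domain not in LOGIN_TRANSITIONS.get(login_domain, set()):
        return False, "domain not reachable from login"
    return True, "ok"


def legal_contexts(user, login_domain="local_login_t"):
    """List every context this user could successfully request at login."""
    found = []
    for role in sorted(USER_ROLES.get(user, set())):
        for domain in sorted(ROLE_DOMAINS.get(role, set())):
            ctx = f"{user}:{role}:{domain}"
            if check_login_context(ctx, login_domain)[0]:
                found.append(ctx)
    return found


if __name__ == "__main__":
    for ctx in ("jdoe:user_r:user_t", "jdoe:sysadm_r:sysadm_t",
                "jdoe:user_r:batch_t", "root:sysadm_r:sysadm_t"):
        print(ctx, "->", check_login_context(ctx))
    print("jdoe may choose:", legal_contexts("jdoe"))
```

In this model the prompt only lets a user pick among contexts the policy already grants, so asking for an unauthorized role at login is refused.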