OK, so now I get it a bit; anyway, SELinux is still misconfigured here.
I've created a pastebin with my current denials, if you could look at it:
http://pastebin.com/uNRcaeUT

and semodule -l prints out:
------
alsa 1.11.0
application 1.2.0
arpwatch 1.10.0
authlogin 2.3.0
automount 1.13.0
bootloader 1.13.0
cgroup 1.1.0
clock 1.6.0
consolekit 1.8.0
consoletype 1.10.0
courier 1.12.0
cpufreqselector 1.3.0
cron 2.4.0
daemontools 1.2.0
dbus 1.16.0
dhcp 1.9.0
dmesg 1.3.0
dnsmasq 1.9.0
fstools 1.15.0
getty 1.9.0
gnome 2.2.0
gpg 2.5.0
gpm 1.8.0
hostname 1.7.0
hotplug 1.15.0
init 1.18.0
iptables 1.13.0
java 2.5.0
libraries 2.8.0
locallogin 1.11.0
logging 1.18.0
logrotate 1.14.0
lvm 1.13.0
miscfiles 1.9.0
modutils 1.12.0
mono 1.8.0
mount 1.14.0
mozilla 2.5.0
mplayer 2.4.0
mta 2.4.0
netutils 1.11.0
networkmanager 1.14.0
nscd 1.10.0
openvpn 1.11.0
policykit 1.2.0
portage 1.12.0
privoxy 1.11.0
psad 1.0.0
qemu 1.6.0
qmail 1.5.0
raid 1.11.0
rsync 1.11.0
samba 1.14.0
screen 2.5.0
selinuxutil 1.16.0
ssh 2.3.0
staff 2.3.0
storage 1.10.0
su 1.12.0
sudo 1.9.0
sysadm 2.4.0
sysnetwork 1.13.0
thunderbird 2.3.0
tor 1.8.0
ucspitcp 1.3.0
udev 1.14.0
ulogd 1.2.0
unconfined 3.4.0
unprivuser 2.3.0
userdomain 4.7.0
usermanage 1.17.0
virt 1.4.0
wine 1.10.0
wireshark 2.3.0
xdg 1.0.0
xfs 1.6.0
xscreensaver 1.1.0
xserver 3.7.0
------

thanks

Ivan

On Sun, Jul 22, 2012 at 6:07 PM, Sven Vermeulen <swift@g.o> wrote:

> On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
> [...]
> > which results in console for user root context like
> > "root:sysadm_r:sysadm_t",
>
> That's good.
>
> > whereas in X11 terminal, (after switching from ivan user to root by su -)
> > -> "staff_u:staff_r:staff_t".
>
> That's almost good ;-)
>
> > I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> > every time, when I will want to administrate the system?
>
> Yes, you need to switch roles (first switch roles, then use su(do)) every
> time you need to do administrative changes (or queries) on the system. The
> staff_r role is for regular operations (user) whereas sysadm_r is for system
> administration.
>
> > And what about the context's difference between root (root:...) logged from
> > console and root (staff_u:...) logged via x11 terminal - is that wrong?
>
> No, that's not wrong. If you log on directly as root, then your SELinux user
> (the first part in the context) is "root". If you log on as someone else,
> you get that SELinux user (such as "staff_u") which remains throughout your
> session (SELinux users don't change, even when you do "su").
>
> Wkr,
> Sven Vermeulen