1 |
Ah of course! |
2 |
Does this mean that I must always |
3 |
|
4 |
newrole -r sysadm_r -t sysadm_t |
5 |
|
6 |
before emerging any selinux-* ebuild, since that touches policies?? |
7 |
|
8 |
|
9 |
I log in as root and the id command says i'm in context |
10 |
root:system_r:unconfined_t |
11 |
|
12 |
So I think more than just my daemon policies are buggered. Yup, a |
13 |
remerge world is just what it needs.. |
14 |
|
15 |
--John |
16 |
|
17 |
|
18 |
Mike Edenfield wrote: |
19 |
> John Huttley wrote: |
20 |
> |
21 |
>> I would figure that if I logged in as root, I could stay in the |
22 |
>> sysadm_r and change between sysadm_t and staff_t |
23 |
> |
24 |
>> If a role is a set of permitted types, why should I have to change my |
25 |
>> role???? |
26 |
> |
27 |
> By default, when you log in as root, you don't get assigned the |
28 |
> sysadm_r role. You're put into staff_r instead. This role is |
29 |
> permitted to transition to the types you need for routine system |
30 |
> management -- log files and such. But there's a lot that staff_r |
31 |
> doesn't have access to. For example, changing the SELinux policy |
32 |
> itself :) |
33 |
> |
34 |
> Similar to how standard best practices would have you log in as a |
35 |
> non-root user, and sudo when you need root access, SELinux best |
36 |
> practices says that you log into staff_r, and only change to the |
37 |
> sysadm_r role when needed, and only for as long as necessary. |
38 |
> |
39 |
-- |
40 |
gentoo-hardened@g.o mailing list |