On Tue, 2007-07-31 at 15:30 +1200, John Huttley wrote:
> Ah of course!
> Does this mean that I must always
>
> newrole -r sysadm_r -t sysadm_t
>
> before emerging any selinux-* ebuild, since that touches policies??

With a strict policy, you need to newrole to do most admin functions.
You will not be able to run portage in staff_r. Also, you don't need to
specify the type, as sysadm_t is already the default type.

> I log in as root and the id command says I'm in context
> root:system_r:unconfined_t

This means you are using the targeted policy, in which case there is
only one role, so you don't newrole. The docs need to be updated on
this fact.

> Mike Edenfield wrote:
> > John Huttley wrote:
> >
> >> I would figure that if I logged in as root, I could stay in the
> >> sysadm_r and change between sysadm_t and staff_t
> >
> >> If a role is a set of permitted types, why should I have to change my
> >> role????
> >
> > By default, when you log in as root, you don't get assigned the
> > sysadm_r role. You're put into staff_r instead. This role is
> > permitted to transition to the types you need for routine system
> > management -- log files and such. But there's a lot that staff_r
> > doesn't have access to. For example, changing the SELinux policy
> > itself :)
> >
> > Similar to how standard best practices would have you log in as a
> > non-root user, and sudo when you need root access, SELinux best
> > practices say that you log into staff_r, and only change to the
> > sysadm_r role when needed, and only for as long as necessary.
> >
--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
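An added example, not part of the thread: a small POSIX sh helper that applies the rules from the reply above to a SELinux context string and says whether a newrole is needed before touching policy. The role and type names (staff_r, sysadm_r, unconfined_t) are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a SELinux context of the form
# "user:role:type[:range]" and reports whether an admin must newrole before
# changing policy, following the strict vs. targeted rules in the reply.
# Assumed names: staff_r / sysadm_r (strict policy), unconfined_t (targeted).

ctx_field() {            # ctx_field CONTEXT N -> N-th colon-separated field
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# admin_advice CONTEXT -> prints one of: targeted, ready, newrole, unknown
admin_advice() {
    ctx="$1"
    # Reject anything that is not at least user:role:type.
    case "$ctx" in
        *:*:*) ;;
        *) echo unknown; return 1 ;;
    esac
    crole=$(ctx_field "$ctx" 2)
    ctype=$(ctx_field "$ctx" 3)

    # Targeted policy: a single role, so newrole never applies.
    if [ "$ctype" = unconfined_t ]; then
        echo targeted
        return 0
    fi
    # Strict policy: the role, not the type, decides what you may do.
    case "$crole" in
        sysadm_r) echo ready ;;
        staff_r)  echo newrole ;;   # portage/policy work needs sysadm_r
        *)        echo unknown; return 1 ;;
    esac
}

# newrole_cmd CONTEXT -> the command to run, or nothing if none is needed.
# The type is left off: sysadm_t is already the default type for sysadm_r.
newrole_cmd() {
    if [ "$(admin_advice "$1")" = newrole ]; then
        echo 'newrole -r sysadm_r'
    fi
}

# Live use on an SELinux host: id -Z prints the caller's own context.
check_self() {
    ctx=$(id -Z 2>/dev/null) || { echo no-selinux; return 1; }
    admin_advice "$ctx"
}
```

Run `check_self` on the box itself; on the targeted system from the thread (root:system_r:unconfined_t) it prints `targeted`, on a strict system logged in as staff_r it prints `newrole`.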