Hi all,
I'm rather new to SELinux and decided it was time to get acquainted with this material.
While playing around with confining users I ran into the following unexpected result:
I created a regular user and applied the following commands to restrict this user to the user_u role and check the result:
Code:
# semanage login -a -s user_u tstuser
# semanage login -l
Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
tstuser              user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
If I log in as tstuser all works as expected:
Code:
$ whoami
tstuser
$ id -Z
user_u:user_r:user_t:s0
$ su -
-bash: su: command not found
The following, however, was not what I expected:
After logging in as a different, unconfined user and then switching to tstuser using su - tstuser, all the confinement for tstuser is gone.
Code:
$ ssh druuna@192.168.122.100
druuna@192.168.122.100's password:
[druuna ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[druuna ~]$ su - tstuser
Password:
[tstuser ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tstuser ~]$ su -
Password:
[root ~]#
To make sure all settings are applied I:
- logged out all users and redid the above login steps -> same result
- rebooted and redid all the login steps -> same result
Am I overlooking something, 'cause this "feels" wrong.
Or is this by design? And if so, what is the logic behind this?
Using the staff_u role instead of the user_u role doesn't make any difference.
Tests are executed on (virtualized) RHEL 6.2.
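An added example, not part of the post above: a small POSIX shell audit that compares the SELinux user each login is mapped to in `semanage login -l` with the SELinux user its running processes actually carry, and reports the kind of discrepancy the post shows for tstuser (mapped to user_u, but a shell running as unconfined_u). The two inputs are constructed samples modelled on the post's output so the script runs offline; the process listing is assumed to be in the form `ps -eo label,user` prints (SELinux context first, Unix user second), which is an assumption about procps rather than something the post states.

```shell
#!/bin/sh
# Added example (not code from the original post): audit SELinux login mappings
# against live process contexts and flag logins whose processes carry a
# different SELinux user than semanage maps them to.

# Constructed sample of `semanage login -l`, modelled on the post.
SEMANAGE_LOGINS='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
tstuser              user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# Constructed sample process listing: "<context> <user>" per line, the shape
# `ps -eo label,user` is assumed to produce (assumption, see lead-in).
PS_CONTEXTS='LABEL USER
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 druuna
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tstuser
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tstuser
system_u:system_r:sshd_t:s0-s0:c0.c1023 root
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root'

# audit_selinux_logins LOGIN_LISTING PROCESS_LISTING
#   Prints one "MISMATCH <user> expected=<seuser> actual=<seuser>" line per
#   (user, SELinux user) pair whose processes do not match the mapping.
#   Logins without an explicit mapping fall back to the __default__ entry.
audit_selinux_logins() {
    printf '%s\n' "$2" | awk -v logins="$1" '
    BEGIN {
        n = split(logins, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, /[ \t]+/)
            # skip the header and blank lines of the semanage listing
            if (f[1] == "" || f[1] == "Login") continue
            map[f[1]] = f[2]
        }
    }
    $1 == "LABEL" { next }                   # ps header line, if present
    {
        split($1, ctx, ":")                  # SELinux user is the first field
        seuser = ctx[1]
        # daemons started by init run as system_u by design; not a login shell
        if (seuser == "system_u") next
        expect = ($2 in map) ? map[$2] : map["__default__"]
        if (expect != seuser && !seen[$2 SUBSEP seuser]++)
            printf "MISMATCH %s expected=%s actual=%s\n", $2, expect, seuser
    }'
}

# Run against the constructed samples; prints the tstuser discrepancy only.
audit_selinux_logins "$SEMANAGE_LOGINS" "$PS_CONTEXTS"
```

On a live system the same function can be fed the real listings, for example `audit_selinux_logins "$(semanage login -l)" "$(ps -eo label,user)"` (the `label` format specifier is assumed here). The de-duplication on (user, SELinux user) keeps the report to one line per discrepancy rather than one per process, and system_u contexts are skipped so ordinary daemons do not show up as noise.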