
Bug 411365

Summary: SELinux Handbook: staff_u should be used only for strict policy, not targeted
Product: Documentation
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Project-specific documentation
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-04-09 17:28:00 UTC
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1 tells people to run the following commands:

~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john

That makes sense for the strict policy, where otherwise that Linux user would have the user_u SELinux user.

However, when using targeted policy, the default SELinux user is unconfined_u, which is obviously unrestricted. Surprisingly (for me), staff_u is actually more restricted than unconfined_u.

I can produce a C program demonstrating the issue in more detail (using setcon fails under staff_u but succeeds with unconfined_u), but hopefully the above is convincing enough.

Please let me know if you need more info, I'd be happy to provide it. I'm still learning SELinux, so I'm aware it may be just my newbie mistake.
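As an added example (not from the reporter or the handbook), the following POSIX shell helpers check the situation the report describes: they read SELINUXTYPE from a SELinux config file, pick out the logins that `semanage login -l` maps to staff_u, and flag those mappings only when the policy type is targeted, where the default is unconfined_u. The `semanage login -l` output embedded here is constructed sample data, and the column layout it assumes (login name, SELinux user, range) is an assumption about that tool's output.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output; not captured from a real system.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
john                 staff_u              s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023'

# Read the policy type (value of SELINUXTYPE=...) from config text on stdin.
# Usage on a real system: policy_type < /etc/selinux/config
policy_type() {
    sed -n 's/^SELINUXTYPE=//p' | tail -n 1
}

# Print every Linux login whose SELinux user (second column) is staff_u, one per line.
# The header line has "Name" in column two, so it is skipped naturally.
staff_logins() {
    printf '%s\n' "$1" | awk '$2 == "staff_u" { print $1 }'
}

# check_mappings POLICYTYPE LOGIN_OUTPUT
# Returns 0 when there is nothing to flag (strict policy, or no staff_u mappings),
# 1 when the policy is targeted and at least one login is mapped to staff_u.
check_mappings() {
    ptype=$1
    logins=$2
    [ "$ptype" = "targeted" ] || return 0
    found=$(staff_logins "$logins")
    [ -n "$found" ] || return 0
    for user in $found; do
        printf 'targeted policy: %s is mapped to staff_u, which is more restricted than the default unconfined_u\n' "$user"
    done
    return 1
}

# Demo against the constructed sample; "|| :" keeps a flagged result from aborting the script.
check_mappings targeted "$SAMPLE_LOGINS" || :
```

On a live host the same check is `check_mappings "$(policy_type < /etc/selinux/config)" "$(semanage login -l)"`.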
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-10 20:19:54 UTC
Fixed in CVS