Bug 411365 - SELinux Handbook: staff_u should be used only for strict policy, not targeted
Summary: SELinux Handbook: staff_u should be used only for strict policy, not targeted
Status: RESOLVED FIXED
Alias: None
Product: Documentation
Classification: Unclassified
Component: Project-specific documentation
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL: http://www.gentoo.org/proj/en/hardene...
Reported: 2012-04-09 17:28 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-04-10 20:19 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-04-09 17:28:00 UTC
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1 tells people to run the following commands:

~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john

That makes sense for the strict policy, where otherwise that Linux user would have user_u SELinux user.

However, when using targeted policy, the default SELinux user is unconfined_u, which is obviously unrestricted. Surprisingly (for me), staff_u is actually more restricted than unconfined_u.

I can produce a C program demonstrating the issue in more detail (using setcon fails under staff_u but succeeds with unconfined_u), but hopefully the above is convincing enough.

Please let me know if you need more info; I'd be happy to provide it. I'm still learning SELinux, so I'm aware it may be just my newbie mistake.
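The report's point is that the handbook step (`semanage login -a -s staff_u john`) only makes sense when the current default mapping is `user_u` (strict policy); under targeted policy the default is `unconfined_u`, and mapping a login to `staff_u` tightens rather than loosens confinement. The script below is an added example, not code from the bug report or from the Gentoo handbook: it reads `semanage login -l` style output, extracts the `__default__` SELinux user and says whether the staff_u step applies. The two sample outputs are constructed to resemble a targeted and a strict host; the function names (`default_seuser`, `staff_mapping_advice`, `live_advice`) are this example's own.

```shell
#!/bin/sh
# Added example: decide whether the handbook's "semanage login -a -s staff_u <user>"
# step is appropriate, based on what SELinux user __default__ is currently mapped to.

# Constructed sample of `semanage login -l` output on a targeted-policy host.
SAMPLE_TARGETED_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed sample of `semanage login -l` output on a strict-policy host.
SAMPLE_STRICT_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          user_u               s0                   *
root                 root                 s0-s0:c0.c1023       *'

# default_seuser: read semanage-style login listing on stdin and print the
# SELinux user that the __default__ login is mapped to.
default_seuser() {
    awk '$1 == "__default__" { print $2 }'
}

# staff_mapping_advice: given the default SELinux user, report whether mapping a
# login to staff_u follows the documented strict-policy procedure or would
# instead confine a user who is unconfined today (the situation in this bug).
staff_mapping_advice() {
    case "$1" in
        unconfined_u)
            echo "skip: __default__ is unconfined_u (targeted policy); staff_u is more restricted than unconfined_u" ;;
        user_u)
            echo "apply: __default__ is user_u (strict policy); mapping the login to staff_u is the documented step" ;;
        "")
            echo "review: no __default__ mapping found in the input" ;;
        *)
            echo "review: unexpected default SELinux user '$1'" ;;
    esac
}

# live_advice: run the same check against the local system when semanage exists.
live_advice() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed"; return 1; }
    staff_mapping_advice "$(semanage login -l 2>/dev/null | default_seuser)"
}

# Demonstration on the constructed samples; pass --live to query the real host.
if [ "${1:-}" = "--live" ]; then
    live_advice
else
    staff_mapping_advice "$(printf '%s\n' "$SAMPLE_TARGETED_LOGINS" | default_seuser)"
    staff_mapping_advice "$(printf '%s\n' "$SAMPLE_STRICT_LOGINS" | default_seuser)"
fi
```

On a real host, run the script with `--live` before following the handbook step; the `__default__` row of `semanage login -l` is what decides whether `staff_u` is a tightening or the intended mapping.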
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-10 20:19:54 UTC
Fixed in CVS