SELinux System Administration by Sven Vermeulen

Author: Sven Vermeulen [Vermeulen, Sven]
Language: eng
Format: epub
ISBN: 9781783283170
Amazon: 1783283173
Publisher: Packt Publishing
Published: 2013-09-23T15:00:00+00:00


This line states that when a user logs in through a process running in the sshd_t domain (or when such a process needs to set the user context because it has to run something as a particular user), the first role on the line that matches a role assigned to the user is used.

Assume that we are assigned the roles staff_r and sysadm_r; we will then log in as staff_r:staff_t, as that is the first match.

Next to the default_contexts file, there are also similar files in the users/ subdirectory. These files are named after the SELinux user for which they take effect. If such a file exists, then its lines take precedence over the default_contexts file. This allows us to assign different contexts for particular SELinux users even if they share the same roles with other SELinux users. And because the precedence is line-based, we do not need to copy the entire content of the default_contexts file; including only the line that differs is sufficient.

Let’s modify the default contexts so that the dbadm_u SELinux user logs in with the dbadm_r role (with the dbadm_t type) when logged in through SSH. To do so, use the sshd_t line but set dbadm_r:dbadm_t:s0 as the only possible context and save the result as /etc/selinux/targeted/contexts/users/dbadm_u:

system_r:sshd_t:s0 dbadm_r:dbadm_t:s0
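
The lookup described above can be modelled in a few lines. This is an added example, not code from the book or from libselinux: the default_contexts content is constructed sample data, and the model assumes that candidates from the per-user file are tried before those on the matching default_contexts line.

```python
# Simplified model of the default-context lookup described in the text.
# Not libselinux's implementation; file contents below are constructed samples.
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""

# Per-user file from the text (contexts/users/dbadm_u): only the changed line.
DBADM_U = "system_r:sshd_t:s0 dbadm_r:dbadm_t:s0\n"


def parse(text):
    """Map each calling context (first field) to its ordered candidates."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table


def default_context(caller, roles, defaults, user_file=""):
    """Return the first candidate for `caller` whose role the user holds.

    Assumption of this model: per-user candidates for the same calling
    context are tried first, then the default_contexts candidates. Calling
    contexts absent from the per-user file use default_contexts alone.
    """
    candidates = parse(user_file).get(caller, []) + parse(defaults).get(caller, [])
    for candidate in candidates:
        role = candidate.split(":", 1)[0]
        if role in roles:
            return candidate
    return None  # no candidate matches any role assigned to the user


if __name__ == "__main__":
    sshd = "system_r:sshd_t:s0"
    login = "system_r:local_login_t:s0"
    # staff_r precedes sysadm_r on the sshd_t line, so staff_r wins.
    print(default_context(sshd, {"staff_r", "sysadm_r"}, DEFAULT_CONTEXTS))
    # With the dbadm_u file in place, SSH logins land in dbadm_r:dbadm_t.
    print(default_context(sshd, {"staff_r", "dbadm_r"}, DEFAULT_CONTEXTS, DBADM_U))
    # Console logins are untouched: the override is per line, not per file.
    print(default_context(login, {"staff_r", "dbadm_r"}, DEFAULT_CONTEXTS, DBADM_U))
```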


