Inconsistency in Linux user security context when mapped with SELinux user

@artist

Hi everyone,
I'm a new member of this community, and I'm at an intermediate level in Linux...
For experimental purposes I mapped a Linux user (selinuxtest) to the SELinux user (guest_u), which means the security context of the Linux user should change accordingly, right? When I logged in on a terminal (text mode) the security context showed as "guest_u:guest_r:guest_t:s0", which is expected... but when I log in in a virtual terminal (using another Linux user, since guest_u is not allowed an X window, then switch to the particular user) it still shows "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" as the SELinux security context.

So, my question is: why this inconsistency?
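The check below is an added example, not code from either poster. It compares the SELinux user in a shell's current context (`id -Z`) with the user that the login mapping assigns (`semanage login -l`), which is the comparison the question is really making. The `SAMPLE_LOGINS` text is a constructed stand-in for `semanage login -l` output so the functions can run offline; the user names `selinuxtest` and `collier` are taken from the thread, and the live check at the end only runs where `getenforce` exists. A mismatch of the kind described (shell reached via `su` from an unconfined session still carrying `unconfined_u`) is reported rather than silently passed, because the SELinux user of a process is inherited from the parent and `su` changes only the Linux UID, while the mapping is applied on a PAM login path.

```shell
#!/bin/sh
# Added example (not from the thread): does the SELinux user in a shell's
# context match the user the login mapping assigns? Assumes id(1) and
# semanage(8) from policycoreutils; the sample table below is constructed.

# Constructed sample of `semanage login -l` output (RHEL/Fedora layout).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
selinuxtest          guest_u              s0                   *'

# mapped_seuser LOGIN [TABLE]: print the SELinux user mapped to LOGIN,
# falling back to the __default__ entry when no explicit line exists.
# Without TABLE the live `semanage login -l` output is used.
mapped_seuser() {
    login=$1
    table=${2:-$(semanage login -l 2>/dev/null)}
    found=$(printf '%s\n' "$table" | awk -v l="$login" '$1 == l { print $2; exit }')
    if [ -z "$found" ]; then
        found=$(printf '%s\n' "$table" | awk '$1 == "__default__" { print $2; exit }')
    fi
    printf '%s\n' "$found"
}

# context_seuser CONTEXT: the user field of user:role:type[:range].
context_seuser() {
    printf '%s\n' "$1" | cut -d: -f1
}

# check_context LOGIN CONTEXT [TABLE]: return 0 when CONTEXT carries the
# SELinux user the login mapping assigns to LOGIN, 1 otherwise.
check_context() {
    expected=$(mapped_seuser "$1" "$3")
    actual=$(context_seuser "$2")
    if [ "$expected" = "$actual" ]; then
        echo "ok: $1 runs as $actual, matching the login mapping"
        return 0
    fi
    echo "MISMATCH: $1 runs as $actual but the login mapping says $expected"
    echo "  (a shell reached via su/sudo inherits the caller's context;"
    echo "   the mapping is applied on a PAM login, or use newrole)"
    return 1
}

# Live check on an SELinux-enabled system; skipped where getenforce is absent.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
    check_context "$(id -un)" "$(id -Z)"
fi
```

Run it in both shells from the question: the text-mode login should report `ok`, while the shell reached through the desktop session's `su` should report the mismatch, since nothing on that path consulted the login mapping.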
 


If you are logging into an X session (GUI or desktop) and open a virtual terminal, that terminal process is owned by the user that logged in to the GUI/desktop. If you then log in as a user within that virtual terminal (perhaps by using "su" or similar commands), the ownership of files and processes can seem strange due to the odd circumstances of logging in as a user by way of another user.

For instance, I log into my system (Ubuntu with the Unity user interface) as "collier". I then open a virtual terminal (gnome-terminal) and execute "sudo nautilus". This opens my GUI file manager as the root user. The thumbnails and temporary files in /home/collier/ are owned by "root". In the Nautilus file manager, if I click "Home", I am taken to /home/collier/. However, the process is running with root privileges, and created files will be owned by "root".

The Nautilus GUI process got the location of home from the environment in the virtual terminal. For example, open a virtual terminal and type "echo $HOME". This variable is in the virtual terminal's environment and GUI processes that start in this environment inherit all variables.

I am not too familiar with the inner workings of SELinux, but I assume that the odd behavior you see is due to the environment in the virtual terminal. The virtual terminal will contain the information for the user that logged in to the GUI session. The user that logs into the virtual terminal may inherit many of the other user's details. This circumstance may trigger SELinux to assign unusual user contexts.

Try opening a virtual terminal and running a different shell (such as ash or csh). Then, log in as a user in the new shell.

NOTE: To prevent the GUI issues I mentioned, use "gksudo" instead of "sudo" and "gksu" instead of "su" when running GUI processes as another user.

By the way, here is a guide that lists all of Linux.org's articles by subject and recommended reading order: http://www.linux.org/threads/reading-guides-indexes.6034/

Also, you may want to use an alternative to SELinux: http://www.linux.org/threads/the-linux-kernel-security.4223/