Bug 119851 - SELinux FAQ - RH change to SELinux identity security
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
URL: http://people.redhat.com/kwade/fedora...
Blocks: 118757
Reported: 2004-04-02 17:01 UTC by James Morris
Modified: 2007-04-18 17:05 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-04-03 01:58:35 UTC



Description James Morris 2004-04-02 17:01:16 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

We need to add an entry for this:
https://listman.redhat.com/archives/fedora-selinux-list/2004-April/msg00031.html



Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

 selinux-faq-1.0-2 (2004-03-30-T16:20-0800)

Comment 1 Karsten Wade 2004-04-02 23:46:23 UTC
This question is posed to follow the example where su is used with the
context transition prior to running useradd (i.e., the question  "How
can I create a new Linux user account with the user's home directory
having the proper context?").  

Here is the current proposed entry:

## begin

Q:. All of the other SELinux documentation states that the su command
will only change Linux identity not security role.

A:. The Fedora Core development team has taken a slightly different
direction than existing SELinux practice. Security context transitions
are now integrated into su via pam_selinux.

In practice, this is like combining the traditional su with the
SELinux newrole, as one step instead of two. 

## end

Comment 2 James Morris 2004-04-02 23:55:45 UTC
I'd mention that we've done this to make it markedly simpler to use
the system, and that other forms of Unix identity change (e.g.
setuid(2)) do not cause an SELinux identity change.


Comment 3 Karsten Wade 2004-04-03 01:58:35 UTC
Done.

Included in next build of the FAQ (1.0-3).
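
The point raised in Comment 2, as an added example that is not part of the bug report or the FAQ: a C program that reads the process's SELinux context from /proc/self/attr/current before and after setuid(2) and compares the SELinux user field. The helper names and the uid 65534 ("nobody") are assumptions; it is meant to be run as root on an SELinux-enabled system.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy the SELinux user (first field of "user:role:type[:level]") into out.
 * Returns 0 on success, -1 if ctx is not a well-formed context. */
int selinux_user(const char *ctx, char *out, size_t outlen)
{
    const char *colon = strchr(ctx, ':');
    if (colon == NULL || colon == ctx) return -1;
    size_t n = (size_t)(colon - ctx);
    if (n >= outlen) return -1;
    memcpy(out, ctx, n);
    out[n] = '\0';
    return 0;
}

/* 1 if both contexts carry the same SELinux user, 0 if not, -1 if malformed. */
int same_selinux_user(const char *before, const char *after)
{
    char a[64], b[64];
    if (selinux_user(before, a, sizeof a) || selinux_user(after, b, sizeof b))
        return -1;
    return strcmp(a, b) == 0;
}

/* Read this process's security context; -1 if no context is available. */
int read_context(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';   /* drop a trailing newline, if any */
    return n > 0 ? 0 : -1;
}

int main(void)
{
    char before[256], after[256];
    if (read_context(before, sizeof before) != 0) { puts("no SELinux context"); return 0; }
    /* 65534 is an assumed unprivileged uid ("nobody"); needs root to succeed. */
    if (setuid(65534) != 0) { perror("setuid"); return 1; }
    if (read_context(after, sizeof after) != 0) return 1;
    printf("uid=%d\nbefore: %s\nafter:  %s\n", (int)getuid(), before, after);
    printf("same SELinux user: %d\n", same_selinux_user(before, after));
    return 0;
}
```

The Linux uid printed after the call differs from the starting one, while the two context lines and the SELinux user field are expected to match.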

