SELinux User Manager Help File
seuser, Version 0.6
August 31, 2005
selinux@tresys.com
----------------------------------

The seuser tool is intended to help an administrator manage user accounts with the SELinux security policy. The tool ensures that all required policy elements are defined for a user before committing the changes and installing the new policy.

WARNING: This is very much a first generation tool. We apologize for the likely bugs. Use with caution. Send bug reports to selinux@tresys.com.

Changes in Default Login Contexts
---------------------------------

Circa October 2002, the way SELinux handles default login contexts changed. Previously (the old method), there was a default context file for both cron and login in /etc/security that defined default login contexts for users. If a default context wasn't defined, the user could not log in. Now (the new method), those files are no longer used and instead a default_contexts file (with an "s") is in /etc/security. This defines preferences for default contexts for all users depending on the type of the login process. Users can also override these system-wide defaults with a similar file in their home directory.

THIS RELEASE OF SEUSER SUPPORTS ONLY THE CURRENT (POST-OCTOBER 2002) METHOD OF DEFINING DEFAULT USER CONTEXTS.

Command line versus GUI
-----------------------

You can run seuser from the command line, or invoke a GUI (seuser -X). This help file describes the GUI. Run seuser -h for command line help.

In addition, we provide a set of command line shell scripts (seuseradd, seusermod, and seuserdel) that provide a single interface between the standard Linux user management programs and seuser, and provide all the functionality of the seuser GUI. Run each of those scripts with the -h flag to see their options.
SELinux Users Overview and Terminology
--------------------------------------

In seuser, the following user terms are used: System Users, SELinux Users, Special Users, Generic Users, Defined Users, and Undefined Users.

The term "System User" means a Linux user account as found in /etc/passwd. The term "SELinux User" means a user defined in the SELinux security policy (whether or not it is a System User). A "Defined User" is a System User that is also a SELinux User.

There are two "Special Users": system_u and user_u. system_u must be defined; user_u may or may not be defined in the policy. The system_u user is the SELinux identity assigned to system processes (e.g., those started by init). The user_u user is used to determine whether "Generic Users" are allowed. If user_u IS defined in the policy, then any System User account that IS NOT defined in the policy will get the roles and default contexts defined for user_u. If user_u IS NOT defined in the policy, then all System Users must be explicitly defined in the policy in order to log in.

"Generic Users" are System Users not defined in the policy when user_u is defined. "Undefined Users" are those same System Users not defined in the policy, except when user_u is not defined (and therefore those accounts may not be used for login).

Tool Overview
-------------

The seuser graphical user interface presents a view of all the users defined on the Linux platform. The tool includes a Policy Type column: all user accounts are typed as Special, Defined, Undefined or Generic as discussed above. The Roles column shows the available roles for each user. The Groups column shows the Linux groups in which the user is a member. The buttons on the main screen allow you to add, view/change, or delete users; perform advanced policy management (e.g., modify policy defaults for Generic Users); manually load the policy (which happens automatically on exit); and exit.
When the tool first starts, it reads the user databases from various locations (as defined in the seuser.conf file in the installed library directory; see the setools README file) and displays the information. If the tool cannot find the seuser.conf file or one of the indicated user database files, it will report an error and exit.

Add
---

The Add button allows you to add a new user. You can add a Defined User, or a Generic/Undefined User depending on whether the Generic User (user_u) is enabled. Enter the user name in the text box, and include a comment to appear in the passwd file if you wish (as per -c with useradd). The Initial Group defaults to the User Name (as per RedHat useradd); you can change this with the dropdown box or by unchecking the Create New Group button.

You can assign Additional Groups to the user by selecting a group from the Available Groups pane and clicking the right arrow between the two panes. To remove the user from an Additional Group, select the group you wish to remove and click the left arrow between the panes.

If you add a Generic/Undefined User, the Roles panes are disabled. If you add a Defined User, you must specify at least one Assigned Role. Add and remove Assigned Roles the same way you add and remove groups.

The Advanced Options tab allows you to specify additional user characteristics as defined in the useradd command.

Once you have made all the entries for this user, you must commit the changes with the Add button. The Cancel button will discard the changes and allow you to start entering a new user. You must Exit the Add new user window before you can select another user in the User Manager window.

View/Change
-----------

You can view and edit the details of any user by double-clicking on the user row in the User Manager window or selecting the user row and clicking on the View/Change button.
The User Information window allows you to change the type of user between Defined and Generic/Undefined, change the user comment in the passwd file, and edit groups and roles. The editing process is the same as in the Add new user window. Changes are only effective when you Commit them. If you Cancel, the window returns to the original (or last saved) information. You must Exit the User Information window to select a new user on the User Manager window.

Delete
------

To delete a user, select the user row in the User Manager window and click the Delete button. You can choose to remove the home directory and contents by clicking the selection button on the confirmation dialog or leave them in place (which is the default). If you press Yes in the confirmation dialog, the user is removed from the system. If you Cancel, the user remains in the system unchanged.

seuser will not allow you to delete root or system_u. If you really want to remove either of these users, you'll have to use other means. The underlying userdel program may have additional restrictions.

Advanced
--------

The Advanced Management window allows you to control the behavior of Generic Users, and to directly manipulate only the SELinux policy.

The Generic Users tab shows the current status of Generic Users. When enabled, the policy allows Generic Users (non-SELinux users who assume the user_u roles and contexts when logging in) to log in. You must provide at least one Assigned Role for user_u when enabled. You move roles between the Role panes in the same manner as when adding or changing users. If Generic Users are enabled, click the Disable button to disable them. This will remove user_u from the policy and prevent users not explicitly defined in the policy from logging in. You must click the Commit button to make the change, or the Cancel button to discard the change.

The SELinux Users tab allows you to add or remove users from the policy without adding or removing them from the system.
To add a System User to the policy, select the user in the System Users pane and click the right arrow. You must specify at least one Assigned Role when adding a user to the policy. To remove an SELinux User from the policy, select the user in the SELinux Users pane and click the left arrow. For each user change, you must click the Commit button to make the changes or the Cancel button to discard them. You must Exit the Advanced Management window before you can select a new user in the User Manager window.

Update Policy
-------------

Whenever you commit a change, the changes to the system portion of the user database are permanently committed. Likewise the SELinux policy information is also permanently committed; however, those changes are not loaded into the kernel. Upon exit, the tool will load all the changes into the kernel (those changes would also take effect on a reboot, since, as we said, they are permanent once committed). You can use the Update Policy button to manually load all changes so far into the kernel (as if you exited the tool or rebooted the system).

Exit
----

Press the Exit button to exit the seuser GUI. If you have not explicitly loaded policy changes to the kernel, exiting will do so.
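The classification rules from the "SELinux Users Overview and Terminology" section above, worked through in code. This is an added example, not part of the seuser help file or the setools project; the passwd lines and policy user sets are constructed samples, and the function names are the example's own.

```python
"""Type Linux accounts the way seuser's Policy Type column does:
Special, Defined, Generic or Undefined, depending on whether the
policy defines user_u. Added example; not seuser/setools code."""

SPECIAL_USERS = {"system_u", "user_u"}

# Constructed /etc/passwd-style sample (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""


def system_users(passwd_text):
    """Return the set of login names found in passwd-format text."""
    names = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def classify(system, policy_users):
    """Map each account to its seuser type.

    system: set of System Users (from passwd); policy_users: set of
    SELinux Users the policy defines, which must include system_u.
    user_u being present is what turns Undefined accounts into Generic ones.
    """
    if "system_u" not in policy_users:
        raise ValueError("the policy must define system_u")
    generic_enabled = "user_u" in policy_users
    result = {}
    for name in sorted(system | (policy_users & SPECIAL_USERS)):
        if name in SPECIAL_USERS:
            result[name] = "Special"
        elif name in policy_users:          # System User also in the policy
            result[name] = "Defined"
        elif generic_enabled:               # falls back to user_u roles
            result[name] = "Generic"
        else:                               # no user_u: cannot log in
            result[name] = "Undefined"
    return result


def can_login(name, system, policy_users):
    """A System User can log in only when Defined or Generic."""
    return classify(system, policy_users).get(name) in ("Defined", "Generic")
```

Compare the same passwd content against a policy with and without user_u to see root and bob flip between Generic and Undefined while alice stays Defined.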