On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
[...]
> which results in console for user root context like
> "root:sysadm_r:sysadm_t",

That's good.

> whereas in X11 terminal, (after switching from ivan user to root by su -)
> -> "staff_u:staff_r:staff_t".

That's almost good ;-)

> I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> every time, when I will want to administrate the system?

Yes, you need to switch roles (first switch roles, then use su(do)) every
time you need to do administrative changes (or queries) on the system. The
staff_r role is for regular operations (user) whereas sysadm_r is for system
administration.

> And what about the context's difference between root (root:...) logged from
> console and root (staff_u:...) logged via x11 terminal - is that wrong?

No, that's not wrong. If you log on directly as root, then your SELinux user
(the first part in the context) is "root". If you log on as someone else,
you get that SELinux user (such as "staff_u") which remains throughout your
session (SELinux users don't change, even when you do "su").

Wkr,
Sven Vermeulen