* Newrole in targeted mode
@ 2004-12-28 18:42 Nick Gray
  2004-12-28 18:50 ` Stephen Smalley
From: Nick Gray @ 2004-12-28 18:42 UTC (permalink / raw)
  To: SELinux ML

I am trying this as root.

newrole -r sysadm_r -t sysadm_t

It seems to work, but my context doesn't change and I can't change the
enforce to 0. Isn't this still how it is done with the targeted policy?

Nix

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Newrole in targeted mode
  2004-12-28 18:42 Newrole in targeted mode Nick Gray
@ 2004-12-28 18:50 ` Stephen Smalley
  2004-12-30  6:37   ` Jaspreet Singh
From: Stephen Smalley @ 2004-12-28 18:50 UTC (permalink / raw)
  To: Nick Gray; +Cc: SELinux ML

On Tue, 2004-12-28 at 13:42, Nick Gray wrote:
> I am trying this as root.
> 
> newrole -r sysadm_r -t sysadm_t
> 
> It seems to work, but my context doesn't change and I can't change the
> enforce to 0. Isn't this still how it is done with the targeted policy?

newrole serves no purpose under targeted policy; users are unconfined.
setenforce 0 should work for you as root (from unconfined_t, of course,
which is what you should already be in for a user session).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: Newrole in targeted mode
  2004-12-28 18:50 ` Stephen Smalley
@ 2004-12-30  6:37   ` Jaspreet Singh
  2005-01-01 22:20     ` Matthew Leinhos
  2005-01-02 11:30     ` Karsten Wade
From: Jaspreet Singh @ 2004-12-30  6:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Nick Gray, nsa

Hi,

I tried to search and couldn't find any threads on this question ..

What are the basic differences between targeted and strict policies ..

All I know is .. there are fewer targeted domains/roles in targeted
policy compared to strict and, as a result, most domains run in the
unconfined_t domain.

Am I missing something ...

On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> newrole serves no purpose under targeted policy; users are unconfined.
> setenforce 0 should work for you as root (from unconfined_t, of course,
> which is what you should already be in for a user session).

You can add new users and roles in targeted policy also ...
In that case newrole should work as per the modified policies .. Am I wrong?

Regards,
Jaspreet



* Re: Newrole in targeted mode
  2004-12-30  6:37   ` Jaspreet Singh
@ 2005-01-01 22:20     ` Matthew Leinhos
  2005-01-02 11:30     ` Karsten Wade
From: Matthew Leinhos @ 2005-01-01 22:20 UTC (permalink / raw)
  To: Jaspreet Singh; +Cc: nsa

Hi Jaspreet,

I'm fairly new to SELinux, but I'll try to answer your question.

The goal in running SELinux under a targeted policy is to shield specific
processes, generally daemons available to the network, under the
protections of SELinux. In other words, its goal is to make it so that a
remote break-in via a daemon vulnerability is not catastrophic to the
system's security.

The goal of the strict policy is to protect the system against not only
vulnerabilities in daemons, but also against malicious (but possibly
legitimate) users. So, the strict policy is more elaborate and will
provide more protections to the system, once its bugs have been wrinkled
out.

These policies are in development on Fedora Core 3. Refer to

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2801831

for more information.

-Matt


On Thu, 30 Dec 2004, Jaspreet Singh wrote:

> Hi,
>
> I tried to search and couldn't find any threads on this question ..
>
> What are the basic differences between targeted and strict policies ..
>
> All I know is .. there are fewer targeted domains/roles in targeted
> policy compared to strict and, as a result, most domains run in the
> unconfined_t domain.
>
> Am I missing something ...
>
> On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> > newrole serves no purpose under targeted policy; users are unconfined.
> > setenforce 0 should work for you as root (from unconfined_t, of course,
> > which is what you should already be in for a user session).
>
> You can add new users and roles in targeted policy also ...
> In that case newrole should work as per the modified policies .. Am I wrong?
>
> Regards,
> Jaspreet
>



* Re: Newrole in targeted mode
  2004-12-30  6:37   ` Jaspreet Singh
  2005-01-01 22:20     ` Matthew Leinhos
@ 2005-01-02 11:30     ` Karsten Wade
  2005-01-03  5:11       ` Jaspreet Singh
From: Karsten Wade @ 2005-01-02 11:30 UTC (permalink / raw)
  To: SELinux

On Thu, 2004-12-30 at 12:07 +0530, Jaspreet Singh wrote:
> Hi,
> 
> I tried to search and couldn't find any threads on this question ..
> 
> What are the basic differences between targeted and strict policies ..
> 
> All I know is .. there are fewer targeted domains/roles in targeted
> policy compared to strict and, as a result, most domains run in the
> unconfined_t domain.

Everything runs in unconfined_t unless there is a transition specified
to go to the new domain.  This transition is specified for only a small
number of daemons.

Other things are simplified.  In the targeted policy, there are fewer
rules overall, fewer file contexts, and so forth.

> On Tue, 2004-12-28 at 13:50 -0500, Stephen Smalley wrote:
> > newrole serves no purpose under targeted policy; users are unconfined.
> > setenforce 0 should work for you as root (from unconfined_t, of course,
> > which is what you should already be in for a user session).
> 
> You can add new users and roles in targeted policy also ...
> In that case newrole should work as per the modified policies .. Am I wrong?

Because processes at all levels, whether spawned by init or a user, run
in the unconfined_t domain, the role has no meaning.  AIUI, a user does
not need an elevated role for what they do.

- Karsten
-- 
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41




* Re: Newrole in targeted mode
  2005-01-02 11:30     ` Karsten Wade
@ 2005-01-03  5:11       ` Jaspreet Singh
  2005-01-03 14:14         ` Stephen Smalley
From: Jaspreet Singh @ 2005-01-03  5:11 UTC (permalink / raw)
  To: kwade, Matthew Leinhos; +Cc: nsa

Hi,
Thanks, Matthew and Karsten ...

> Everything runs in unconfined_t unless there is a transition specified
> to go to the new domain.  This transition is specified for only a small
> number of daemons.
> Other things are simplified.  In the targeted policy, there are fewer
> rules overall, fewer file contexts, and so forth.

Ok, I realized that after seeing the sources for target and strict
policies... 

> Because processes at all levels, whether spawned by init or a user, run
> in the unconfined_t domain, the role has no meaning.  AIUI, a user does
> not need an elevated role for what they do.

I understand that .. But does the system make *any* assumptions about
the targeted or strict policies ??

I mean .. does the system distinguish between targeted and strict
policies ??? If I am not wrong, the system just wants some basic security
classes in place which are the same for targeted and strict policies.

So, I can just borrow code from strict policy to add more domains and
roles to targeted policy.

Am I right?

And also, how can I make SELinux understand a policy tree
*intermediate* under /etc/selinux/ and load policy from there ....

Thanks and regards,
Jaspreet


* Re: Newrole in targeted mode
  2005-01-03  5:11       ` Jaspreet Singh
@ 2005-01-03 14:14         ` Stephen Smalley
From: Stephen Smalley @ 2005-01-03 14:14 UTC (permalink / raw)
  To: jsingh; +Cc: kwade, Matthew Leinhos, nsa

On Mon, 2005-01-03 at 00:11, Jaspreet Singh wrote:
> I understand that .. But does the system make *any* assumptions about
> the targeted or strict policies ??

No, the enforcement mechanism is the same, only the policy differs.  But
the policies differ substantially, including boot-time definitions like
initial SID contexts that cannot be changed without a reboot, and they
differ structurally, e.g. targeted policy has nothing set up for user
roles at present.  It should be easier to take strict policy and strip
down the set of program domains than to add user roles to targeted
policy, IMHO.

> So, I can just borrow code from strict policy to add more domains and
> roles to targeted policy.
> 
> Am I right?

Strictly speaking, yes.  But strict policy already gives you what you
want structurally, i.e. user roles and domains as well as program
domains, and you can strip down the set of program domains.  In
contrast, targeted policy only gives you program domains and nothing for
users, so you have to do more work to do what you describe (IMHO).

> And also, how can I make SELinux understand a policy tree
> *intermediate* under /etc/selinux/ and load policy from there ....

Just create the directory, populate it with your policy files, and set
SELINUXTYPE to it in /etc/selinux/config.  Then reboot to single-user
mode (with enforcing=0) and relabel against your policy, and reboot
again.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



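An added example, not code from the thread or from the SELinux project, that folds two points above into one script: checking whether a session is already in unconfined_t (where, as Stephen says, newrole has nothing to switch) and pointing SELINUXTYPE at a new tree under /etc/selinux, with the directory check his steps imply. Function names and the scratch-directory layout are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) newrole only matters when the
# session is not already in unconfined_t; (2) switching SELINUXTYPE to a new
# policy tree under /etc/selinux/<name>. Paths are parameters for testing.
# Type field (third component) of a context such as
# "root:system_r:unconfined_t" or "root:system_r:unconfined_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# Succeed only if a role/domain change could matter for this context, i.e.
# the session is not already in the unconfined domain of targeted policy.
newrole_meaningful() {
    [ "$(context_type "$1")" != "unconfined_t" ]
}
# Read SELINUXTYPE from a file in /etc/selinux/config format.
get_selinuxtype() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1
}

# Point SELINUXTYPE at the tree BASE/NAME (BASE is /etc/selinux on a real
# system). Refuses names with path separators or whitespace and trees that
# do not exist, since the next boot would otherwise have no policy to load.
# Usage: set_selinuxtype CONFIG BASE NAME
set_selinuxtype() {
    cfg=$1; base=$2; name=$3
    case $name in
        ''|*/*|.|..|*[[:space:]]*) echo "bad policy name: $name" >&2; return 1 ;;
    esac
    if [ ! -d "$base/$name" ]; then
        echo "policy tree $base/$name does not exist; config unchanged" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    # Replace the existing line in place, or append one if none was present.
    awk -v t="$name" '/^SELINUXTYPE=/ { print "SELINUXTYPE=" t; seen = 1; next }
        { print } END { if (!seen) print "SELINUXTYPE=" t }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Demo on a constructed config and candidate policy tree in a scratch directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/intermediate"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$work/config"
    set_selinuxtype "$work/config" "$work" intermediate
    get_selinuxtype "$work/config"
    rm -rf "$work"
}
demo
```

The reboot into single-user mode with enforcing=0 and the relabel against the new policy still follow by hand, as described in the reply; the script only prepares the config.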
