* Got up at 5 AM, and thought I would try to write a new role
From: Daniel J Walsh @ 2006-06-16 19:57 UTC (permalink / raw)
To: redhat-lspp, SE Linux
I wanted to try to create an auditadm_r.
I was surprised how easy it was. Had to trim down the
base_user_template, and add a couple of apache interfaces,
but basically ended up with the following. Tried it out on an MLS
machine and it seems to work pretty well. I even
have it defined as a loadable module. Comments below. One problem is we
need an easier way of handling
/etc/selinux/mls/contexts/default_type. Had to add httpdadm_r:httpdadm_t.
semanage users -m -R httpdadm_r SELINUXUSER
policy_module(httpdadm,1.0.0)
########################################
#
# Declarations
#
gen_require(`
role staff_r;
type staff_devpts_t, staff_tty_device_t, staff_t;
')
define(`role_change',`
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
##### Need to figure out a way to make role_change a callable function.
##### Perhaps just define staff_role_change and user_role_change
minimal_user_template(httpdadm)
#### Needed to strip down base_user_template. Do not want to create
#### homedirs and eliminate all of the optional policy. Talked to Chris
#### about breaking base_user_template into a series of templates.
role_change(staff,httpdadm)
#### Would prefer staff_role_change(httpdadm)
files_read_usr_files(httpdadm_t)
#### Probably should be defined in one of the base_user_templates, since
#### this is pretty much required if you have a shell.
apache_manage_all_content(httpdadm_t)
apache_manage_log(httpdadm_t)
apache_manage_config(httpdadm_t)
##### Problems, I can't easily modify the running service. I.e. I would
##### figure the auditadmin would want to be able to start/stop/signal the
##### service.
##### But we do not have an easy way of doing only one service, and not
##### all the rest. Might have to add the ability to run su/sudo so if you
##### newrole first it will work.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
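The default_type problem Dan mentions above (every new role needs a matching role_r:role_t line in contexts/default_type, added by hand) can be scripted. This is an added example, not code from the thread or from refpolicy; it assumes a module declares its roles through minimal_user_template(<prefix>) and role_change(<from>,<to>) as in Dan's module, and that default_type holds one role:type entry per line.

```python
"""Ensure every role a module introduces has a role_r:role_t line in
contexts/default_type. Added example, not part of the original thread."""
import re

# Constructed copy of the relevant lines of Dan's httpdadm module.
MODULE_TE = """
policy_module(httpdadm,1.0.0)
minimal_user_template(httpdadm)
role_change(staff,httpdadm)
files_read_usr_files(httpdadm_t)
"""

# Constructed default_type content, as it might look before the edit.
DEFAULT_TYPE_BEFORE = "sysadm_r:sysadm_t\nstaff_r:staff_t\nuser_r:user_t\n"

_TEMPLATE_RE = re.compile(r"^\s*minimal_user_template\((\w+)\)", re.M)
_ROLE_CHANGE_RE = re.compile(r"^\s*role_change\((\w+),(\w+)\)", re.M)


def roles_in_module(te_text):
    """Return the user prefixes a module introduces, in order, no dupes."""
    seen = []
    for prefix in _TEMPLATE_RE.findall(te_text):
        if prefix not in seen:
            seen.append(prefix)
    for _src, dst in _ROLE_CHANGE_RE.findall(te_text):
        if dst not in seen:
            seen.append(dst)
    return seen


def parse_default_type(text):
    """Map role -> default type, skipping blank lines and '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, dtype = line.partition(":")
        mapping[role] = dtype
    return mapping


def add_default_types(text, prefixes):
    """Append <prefix>_r:<prefix>_t for each prefix not yet present.

    Returns (new_text, added_roles). Existing entries are left alone:
    an admin may have chosen a different default type on purpose."""
    have = parse_default_type(text)
    added = []
    out = text if (not text or text.endswith("\n")) else text + "\n"
    for p in prefixes:
        role = p + "_r"
        if role in have:
            continue
        out += "%s:%s_t\n" % (role, p)
        added.append(role)
    return out, added
```

Run it against the module and the existing file, then write the result back only if added_roles is non-empty, so an unchanged file is never touched.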
* Re: [redhat-lspp] Got up at 5 AM, and thought I would try to write a new role
From: Steve Grubb @ 2006-06-16 20:01 UTC (permalink / raw)
To: redhat-lspp; +Cc: Daniel J Walsh, SE Linux
On Friday 16 June 2006 15:57, Daniel J Walsh wrote:
> I wanted to try to create an auditadm_r.
Didn't you mean httpdadm_r :)
I think we should bust up the systemadm role a little more and make it
composed of some other roles. RBAC says we are supposed to support
composition, so we can use it here.
Some other roles might be backup admin, db admin. mail admin.
-Steve
* Re: [redhat-lspp] Got up at 5 AM, and thought I would try to write a new role
From: Daniel J Walsh @ 2006-06-16 20:11 UTC (permalink / raw)
To: Steve Grubb; +Cc: redhat-lspp, SE Linux
Steve Grubb wrote:
> On Friday 16 June 2006 15:57, Daniel J Walsh wrote:
>
>> I wanted to try to create an auditadm_r.
>>
>
> Didn't you mean httpdadm_r :)
>
> I think we should bust up the systemadm role a little more and make it
> composed of some other roles. RBAC says we are supposed to support
> composition, so we can use it here.
>
> Some other roles might be backup admin, db admin. mail admin.
>
> -Steve
>
backupadm might be pretty tough, since I don't believe we run type
enforcement on any backup tools
so you would need to be able to read/write every file on the system, and
I see little benefit in this.
dbadmin would have to be better defined, i.e. MySQL/PostgreSQL/Oracle ...
ditto for mail admin.
Now doing a namedadm_r would be fairly easy.
Maybe even a dhcpd admin, but I am not sure if there would be demand for
those.
* Re: [redhat-lspp] Got up at 5 AM, and thought I would try to write a new role
From: Stephen John Smoogen @ 2006-06-16 20:40 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Steve Grubb, redhat-lspp, SE Linux
On 6/16/06, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Steve Grubb wrote:
> > On Friday 16 June 2006 15:57, Daniel J Walsh wrote:
> >
> >> I wanted to try to create an auditadm_r.
> >>
> >
> > Didn't you mean httpdadm_r :)
> >
> > I think we should bust up the systemadm role a little more and make it
> > composed of some other roles. RBAC says we are supposed to support
> > composition, so we can use it here.
> >
> > Some other roles might be backup admin, db admin. mail admin.
> >
> > -Steve
> >
> backupadm might be pretty tough, since I don't believe we run type
> enforcement on any backup tools
> so you would need to be able to read/write every file on the system, and
> I see little benefit in this.
>
I think for some servers, there is a need to restrict backup
privileges to certain areas versus the entire system. [Areas being
easier to control security levels with.. but I could see where we
would want at least 4 different backup tools running: Open,
Confidential, Secret, TopSecret..] There might also be needs where
read is ok but write is not unless authorized by a different
mechanism.
Not sure if this needs a separate backup_adm mode or other mechanisms.
--
Stephen J Smoogen.
CSIRT/Linux System Administrator