creating a new role/user to administer a service

creating a new role/user to administer a service

[Ronan Waide]

Hi,

I've been digging through SELinux by example, the list archives, Dan
Walsh's livejournal, and the Fedora strict policy source, but I'm still
a bit stumped on how to get this working:

I'd like to create an administrative role/user for BIND. specifically, I
do not, if possible, want to use something like sysadm_r; I would rather
that otherwise unprivileged users are either designated as bindadm_u
from login, or newrole into bindadm_r in order to manage the daemon. The
former is preferable, as I was hoping to make use of ssh keys to enable
remote management without multiple password entry.

After several false starts I thought I had something with the following
(requires trimmed):

------
type bindadm_t;
role bindadm_r types { bindadm_t };
gen_user( bindadm_u, staff, bindadm_r, s0, s0 - s15:c0.c1023, c0.c1024
);

semanage login -a -s bindadm_u -r bindadm_r waider
------

I began tracking the AVC violations that logging in with this account
caused, and got as far as being able to get a shell prompt with the
context bindadm_u:bindadm_r:user_t. At this point I tried getting
newrole -t bindadm_t to work, but couldn't get past the password check
requirement (allow bindadm_r chkpasswd_exec_t) since nothing I did
seemed to resolve the violation.

At this point I am, as I said, stumped. I feel like I'm missing
something obvious, but after several weeks of reading I'm still no
closer to the answer. Perhaps someone could shed some light on this, or
perhaps point me at a suitable role/user-addition document?

Cheers,
Waider.
-- 
Ronan Waide / TechOps EU Systems Engineer / waider@amazon.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: creating a new role/user to administer a service

[Stephen Smalley]

On Thu, 2007-01-04 at 10:55 +0000, Ronan Waide wrote:
> Hi,
> 
> I've been digging through SELinux by example, the list archives, Dan
> Walsh's livejournal, and the Fedora strict policy source, but I'm still
> a bit stumped on how to get this working:
> 
> I'd like to create an administrative role/user for BIND. specifically, I
> do not, if possible, want to use something like sysadm_r; I would rather
> that otherwise unprivileged users are either designated as bindadm_u
> from login, or newrole into bindadm_r in order to manage the daemon. The
> former is preferable, as I was hoping to make use of ssh keys to enable
> remote management without multiple password entry.
> 
> After several false starts I thought I had something with the following
> (requires trimmed):
> 
> ------
> type bindadm_t;
> role bindadm_r types { bindadm_t };
> gen_user( bindadm_u, staff, bindadm_r, s0, s0 - s15:c0.c1023, c0.c1024
> );
> 
> semanage login -a -s bindadm_u -r bindadm_r waider
> ------
> 
> I began tracking the AVC violations that logging in with this account
> caused, and got as far as being able to get a shell prompt with the
> context bindadm_u:bindadm_r:user_t. At this point I tried getting
> newrole -t bindadm_t to work, but couldn't get past the password check
> requirement (allow bindadm_r chkpasswd_exec_t) since nothing I did
> seemed to resolve the violation.
> 
> At this point I am, as I said, stumped. I feel like I'm missing
> something obvious, but after several weeks of reading I'm still no
> closer to the answer. Perhaps someone could shed some light on this, or
> perhaps point me at a suitable role/user-addition document?

At present, I think you need to obtain and modify full policy sources
(from the selinux-policy .src.rpm or the upstream refpolicy tar ball) to
introduce completely new user roles - it is too pervasive of a change to
easily do in a loadable module. Look at
policy/modules/system/userdomain.te and policy/rolemap to see how
current roles are defined.

Chris (cc'd) has been working on a role infrastructure branch that will
improve the situation, but that isn't mainstream yet afaik. 

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: creating a new role/user to administer a service

[Karl MacMillan]

Stephen Smalley wrote:
> On Thu, 2007-01-04 at 10:55 +0000, Ronan Waide wrote:
>> Hi,
>>
>> I've been digging through SELinux by example, the list archives, Dan
>> Walsh's livejournal, and the Fedora strict policy source, but I'm still
>> a bit stumped on how to get this working:
>>
>> I'd like to create an administrative role/user for BIND. specifically, I
>> do not, if possible, want to use something like sysadm_r; I would rather
>> that otherwise unprivileged users are either designated as bindadm_u
>> from login, or newrole into bindadm_r in order to manage the daemon. The
>> former is preferable, as I was hoping to make use of ssh keys to enable
>> remote management without multiple password entry.
>>
>> After several false starts I thought I had something with the following
>> (requires trimmed):
>>
>> ------
>> type bindadm_t;
>> role bindadm_r types { bindadm_t };
>> gen_user( bindadm_u, staff, bindadm_r, s0, s0 - s15:c0.c1023, c0.c1024
>> );
>>
>> semanage login -a -s bindadm_u -r bindadm_r waider
>> ------
>>
>> I began tracking the AVC violations that logging in with this account
>> caused, and got as far as being able to get a shell prompt with the
>> context bindadm_u:bindadm_r:user_t. At this point I tried getting
>> newrole -t bindadm_t to work, but couldn't get past the password check
>> requirement (allow bindadm_r chkpasswd_exec_t) since nothing I did
>> seemed to resolve the violation.
>>
>> At this point I am, as I said, stumped. I feel like I'm missing
>> something obvious, but after several weeks of reading I'm still no
>> closer to the answer. Perhaps someone could shed some light on this, or
>> perhaps point me at a suitable role/user-addition document?
> 
> At present, I think you need to obtain and modify full policy sources
> (from the selinux-policy .src.rpm or the upstream refpolicy tar ball) to
> introduce completely new user roles - it is too pervasive of a change to
> easily do in a loadable module. Look at
> policy/modules/system/userdomain.te and policy/rolemap to see how
> current roles are defined.
> 
> Chris (cc'd) has been working on a role infrastructure branch that will
> improve the situation, but that isn't mainstream yet afaik. 
> 

And some tools to automate this process with is on my todo list for Madison.

I'd like to see this in the FC7 time frame (or F7 I guess since Core is 
no more), but we are going to run out of time quickly. Chris - when are 
you planning to move the role infrastructure work to mainline? Will it 
allow the creation of modules that create new roles without full 
sources? That is, in my opinion, a requirement for useful deployment.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: creating a new role/user to administer a service

[Christopher J. PeBenito]

On Fri, 2007-01-05 at 10:55 -0500, Karl MacMillan wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-01-04 at 10:55 +0000, Ronan Waide wrote:
> >> Hi,
> >>
> >> I've been digging through SELinux by example, the list archives, Dan
> >> Walsh's livejournal, and the Fedora strict policy source, but I'm still
> >> a bit stumped on how to get this working:
> >>
> >> I'd like to create an administrative role/user for BIND. specifically, I
> >> do not, if possible, want to use something like sysadm_r; I would rather
> >> that otherwise unprivileged users are either designated as bindadm_u
> >> from login, or newrole into bindadm_r in order to manage the daemon. The
> >> former is preferable, as I was hoping to make use of ssh keys to enable
> >> remote management without multiple password entry.
> >>
> >> After several false starts I thought I had something with the following
> >> (requires trimmed):
> >>
> >> ------
> >> type bindadm_t;
> >> role bindadm_r types { bindadm_t };
> >> gen_user( bindadm_u, staff, bindadm_r, s0, s0 - s15:c0.c1023, c0.c1024
> >> );
> >>
> >> semanage login -a -s bindadm_u -r bindadm_r waider
> >> ------
> >>
> >> I began tracking the AVC violations that logging in with this account
> >> caused, and got as far as being able to get a shell prompt with the
> >> context bindadm_u:bindadm_r:user_t. At this point I tried getting
> >> newrole -t bindadm_t to work, but couldn't get past the password check
> >> requirement (allow bindadm_r chkpasswd_exec_t) since nothing I did
> >> seemed to resolve the violation.
> >>
> >> At this point I am, as I said, stumped. I feel like I'm missing
> >> something obvious, but after several weeks of reading I'm still no
> >> closer to the answer. Perhaps someone could shed some light on this, or
> >> perhaps point me at a suitable role/user-addition document?
> > 
> > At present, I think you need to obtain and modify full policy sources
> > (from the selinux-policy .src.rpm or the upstream refpolicy tar ball) to
> > introduce completely new user roles - it is too pervasive of a change to
> > easily do in a loadable module. Look at
> > policy/modules/system/userdomain.te and policy/rolemap to see how
> > current roles are defined.
> > 
> > Chris (cc'd) has been working on a role infrastructure branch that will
> > improve the situation, but that isn't mainstream yet afaik. 
> > 
> 
> And some tools to automate this process with is on my todo list for Madison.
> 
> I'd like to see this in the FC7 time frame (or F7 I guess since Core is 
> no more), but we are going to run out of time quickly. Chris - when are 
> you planning to move the role infrastructure work to mainline? Will it 
> allow the creation of modules that create new roles without full 
> sources? That is, in my opinion, a requirement for useful deployment.

The backend has been merged for a while.  You should be able to do
something like:

policy_module(binadm,1.0.0)

userdom_unpriv_user_template(myuser)
gen_user(myuser_u,myuser,myuser_r,s0,s0 - mls_systemhigh,mcs_systemhigh)


The basic role components are marked with <rolebase/> xml tags and
interfaces that seemed more obvious were marked with <rolecap/> xml tags
so you can build up roles.  A template equivalent for sysadm and
user/staff still exist (as evidenced above).  It needs more frontend
tool support to make all this information more accessible.  A role
wizard is planned for SLIDE, but I believe the targeted release for that
feature is undecided.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: creating a new role/user to administer a service

[Karl MacMillan]

Christopher J. PeBenito wrote:
> On Fri, 2007-01-05 at 10:55 -0500, Karl MacMillan wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2007-01-04 at 10:55 +0000, Ronan Waide wrote:
>>>> Hi,
>>>>
>>>> I've been digging through SELinux by example, the list archives, Dan
>>>> Walsh's livejournal, and the Fedora strict policy source, but I'm still
>>>> a bit stumped on how to get this working:
>>>>
>>>> I'd like to create an administrative role/user for BIND. specifically, I
>>>> do not, if possible, want to use something like sysadm_r; I would rather
>>>> that otherwise unprivileged users are either designated as bindadm_u
>>>> from login, or newrole into bindadm_r in order to manage the daemon. The
>>>> former is preferable, as I was hoping to make use of ssh keys to enable
>>>> remote management without multiple password entry.
>>>>
>>>> After several false starts I thought I had something with the following
>>>> (requires trimmed):
>>>>
>>>> ------
>>>> type bindadm_t;
>>>> role bindadm_r types { bindadm_t };
>>>> gen_user( bindadm_u, staff, bindadm_r, s0, s0 - s15:c0.c1023, c0.c1024
>>>> );
>>>>
>>>> semanage login -a -s bindadm_u -r bindadm_r waider
>>>> ------
>>>>
>>>> I began tracking the AVC violations that logging in with this account
>>>> caused, and got as far as being able to get a shell prompt with the
>>>> context bindadm_u:bindadm_r:user_t. At this point I tried getting
>>>> newrole -t bindadm_t to work, but couldn't get past the password check
>>>> requirement (allow bindadm_r chkpasswd_exec_t) since nothing I did
>>>> seemed to resolve the violation.
>>>>
>>>> At this point I am, as I said, stumped. I feel like I'm missing
>>>> something obvious, but after several weeks of reading I'm still no
>>>> closer to the answer. Perhaps someone could shed some light on this, or
>>>> perhaps point me at a suitable role/user-addition document?
>>> At present, I think you need to obtain and modify full policy sources
>>> (from the selinux-policy .src.rpm or the upstream refpolicy tar ball) to
>>> introduce completely new user roles - it is too pervasive of a change to
>>> easily do in a loadable module. Look at
>>> policy/modules/system/userdomain.te and policy/rolemap to see how
>>> current roles are defined.
>>>
>>> Chris (cc'd) has been working on a role infrastructure branch that will
>>> improve the situation, but that isn't mainstream yet afaik. 
>>>
>> And some tools to automate this process with is on my todo list for Madison.
>>
>> I'd like to see this in the FC7 time frame (or F7 I guess since Core is 
>> no more), but we are going to run out of time quickly. Chris - when are 
>> you planning to move the role infrastructure work to mainline? Will it 
>> allow the creation of modules that create new roles without full 
>> sources? That is, in my opinion, a requirement for useful deployment.
> 
> The backend has been merged for a while.  You should be able to do
> something like:
> 
> policy_module(binadm,1.0.0)
> 
> userdom_unpriv_user_template(myuser)
> gen_user(myuser_u,myuser,myuser_r,s0,s0 - mls_systemhigh,mcs_systemhigh)
> 

Great! Couple of questions / suggestions:

1) Can I do this with targeted? I'd like to start giving people a means 
of confining users on targeted.

2) What kind of customizations are available at this point. For example, 
I'd like to customize what applications a user can run (i.e., they can 
only log into an ssh terminal and use basic command line tools).

3) How would tool customizations work - I saw the info about the tags, 
but can you give me a broad overview of how you think this should work?

4) I'd really like to see a minimally confined user role for targeted. 
This would be a role / domain with very broad privileges that the user 
would run all applications in. It would _not_ have access to the trusted 
base (e.g., no access to the kernel image, kernel modules, the policy, 
etc.) so that it could not bypass the policy or effect the basic 
integrity of the system. Ideally, access could be moved into separate 
domains from that broad starting point as desired (e.g., removing 
networking access and run firefox in a confined domain).

Thanks - Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.