* As part of the merger of Strict and Targeted policy I have gone about reorganizing user definitions.
@ 2007-06-21 17:27 Daniel J Walsh
  0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2007-06-21 17:27 UTC (permalink / raw)
  To: SE Linux, Christopher J. PeBenito


One of my goals with the next version of policy is to allow the easy
creation of selinux users/roles.  I think the way that strict policy did
this was wrong, and led to user_t and staff_t being basically the same
role/type other than differences in home directory context and the
ability to become sysadm_t.

Login Users:
My goal has been to create several "login" users, where I define a
login user as someone who is able to "log in" to the system via one or
more of the login programs (sshd, login, rshd, xdm).  Users I have defined:

guest_u - Login only via terminal or sshd.  No XWindows, no network, no
setuid apps.

xguest_u - Login via XWindows only, no login via ssh, login...  No
networking.
    Three booleans for xguest_mozilla_t:
        browser_xguest_transition - whether or not firefox will
        transition/run
        browser_xguest_readonly - read only on the home dirs; write to
        directories labeled mozilla_rw_t
        browser_xguest_readwrite - read/write home directories
    One of the goals of this user is to also work with pam_namespace, so
    that when the user logs out the home directory and /tmp disappear.
    Two possible uses of this user would be with switchuser: someone
    comes up to you and asks to use your machine, you say sure, switch to
    the guest account, and let them do anything they want.  When they are
    done you switch back, destroying anything they might have left behind.
    The second example would be a kiosk/library public machine, where
    all it runs is Mozilla.  User comes up to the machine, hits
    Ctrl-Alt-Backspace; XWindows dies and automatically logs into the
    machine with the browser running.

user_u - Similar to the current user except no transitions to setuid
applications (su, sudo, userhelper); mozilla transition also optional.
Networking available.  Envisioned user would be a student or any user
who does not need root privs.

staff_u - Current policy is fine with optional mozilla transition.

Unconfined_u/system_u - Current unconfined user.

Any and all of the users should be able to run and inter-operate on the
machine at any time.

Root Users:

     One of the major goals of SELinux has always been to confine the
root user.  Up to now SELinux has done a good job of confining the
daemon applications that need to run as root.  If/when these become
compromised they are limited by least privilege.  What no policy up to
now has been able to do is confine the root logged-in user.  We have
defined sysadm_t, which is pretty close to unconfined_t, and mls has
defined auditadm.  (secadm has also been defined, but really not used.)

With the release of selinux-policy-3.0.1 I am introducing the following
root user types

sysadm_t - Same as was in strict policy.  staff_t can transition here.

webadm_t - Root shell, can execute all bin programs, can start and stop
httpd, can manage all files in all directories labeled with an http
file type.  Eventually this admin user should be able to manage the http
booleans.

logadm_t - Root shell, can execute all bin programs, can start and stop
syslog and audit daemons.  Can manage all files labeled with a logfile type.

Future root user types bindadm, dbadm, backupadm.

----------------------------------------------------------------------------------------------------------------------------------------
My goal with this was to find an easy way for users/third parties to
start to define user types.  We need several changes to the userdomain
interface file.

We need one interface to define the minimal requirements to get a
logged-in user:
userdom_unpriv_login_user


So the entire guest.te file is just

> policy_module(guest,1.0.0)
>
> userdom_unpriv_login_user(guest)


The xguest.te file is something like

> policy_module(xguest,1.0.0)
>
> userdom_unpriv_login_user(xguest)
> userdom_xwindows_client_template(xguest)
>
> optional_policy(`
>     ssh_per_role_template(xguest, xguest_t, xguest_r)
> ')
>
> optional_policy(`
>     gnome_per_role_template(xguest, xguest_t, xguest_r)
> ')
>
> optional_policy(`
>     dbus_per_role_template(xguest, xguest_t, xguest_r)
> ')


If I wanted to define an ssh account (gadmin) for a user to enter a
system and then allow them to sudo and newrole to a confined root user
(webadm), the policy would look like
>
> policy_module(gadmin,1.0.0)
>
> userdom_unpriv_login_user(gadmin)
> sudo_per_role_template(gadmin, gadmin_t, gadmin_r)
> seutil_run_newrole(gadmin_t, gadmin_r, { gadmin_devtty_t gadmin_tty_device_t })
> gen_require(`
>     type gadmin_t;
> ')
> allow gadmin_t webadm_t:process transition;
> allow webadm_t gadmin_t:dir getattr;


As for defining a confined root user, the only interface you need is
userdom_base_user_template.
Then you begin building up the rules from this.
>
> policy_module(webadm,1.0.0)
>
> ########################################
> #
> # webadmin local policy
> #
>
> userdom_login_user_template(webadm)
> allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
>
> # Allow webadm_t to restart the apache service
> domain_dontaudit_search_all_domains_state(webadm_t)
> apache_domtrans(webadm_t)
> init_exec_script_files(webadm_t)
> domain_role_change_exemption(webadm_t)
> domain_obj_id_change_exemption(webadm_t)
> role_transition webadm_r httpd_exec_t system_r;
> allow webadm_r system_r;
>
> apache_manage_all_content(webadm_t)
> apache_manage_config(webadm_t)
> apache_manage_log(webadm_t)
> apache_manage_modules(webadm_t)
> apache_manage_lock(webadm_t)
> apache_manage_pid(webadm_t)
> apache_read_state(webadm_t)
> apache_signal(webadm_t)
> apache_getattr(webadm_t)
> apache_relabel(webadm_t)
>
> seutil_domtrans_restorecon(webadm_t)
>
> files_dontaudit_search_all_dirs(webadm_t)
> files_dontaudit_getattr_all_files(webadm_t)
> files_manage_generic_locks(webadm_t)
> files_list_var(webadm_t)
> selinux_get_enforce_mode(webadm_t)
>
> logging_send_syslog_msg(webadm_t)
>
> ifdef(`targeted_policy',`
>     term_use_generic_ptys(webadm_t)
>     term_use_unallocated_ttys(webadm_t)
> ')
>
> userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
> userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
>
> bool webadm_read_user_files false;
> bool webadm_manage_user_files false;
>
> if (webadm_read_user_files) {
>     userdom_read_unpriv_users_home_content_files(webadm_t)
>     userdom_read_unpriv_users_tmp_files(webadm_t)
> }
>
> if (webadm_manage_user_files) {
>     userdom_manage_unpriv_users_home_content_dirs(webadm_t)
>     userdom_read_unpriv_users_tmp_files(webadm_t)
>     userdom_write_unpriv_users_tmp_files(webadm_t)
> }

One of the shortcomings of the current way we are building policy is
that the Makefile searches for all per_role_ functions, and we end up
with user_t having the ability to execute su and sudo, which I don't
believe it should be able to.  I think this should be removed, and we
should have to explicitly define all domain transitions like I have above.



[-- Attachment #2: userdomain.if.gz --]
[-- Type: application/x-gzip, Size: 12816 bytes --]
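The post's closing point is that escalation paths (su, sudo, newrole, raw domain transitions) should be explicit in each user module rather than pulled in by the Makefile. The following is an added example, not code from this post or from the SELinux reference policy: a text-level lint that reads .te module text like the files above and lists every escalation path each login domain declares. The template names it recognises come from the post; the su_per_role_template name, the one-line descriptions of what each template grants, and the user.te sample that imitates the Makefile's per_role_ expansion are this example's own assumptions. It compiles nothing, so it is a review aid, not a substitute for building and inspecting the policy.

```python
"""Summarise the escalation paths a refpolicy user module declares.

Added example, not code from the post above or from the SELinux reference
policy.  It works on the .te text only (nothing is compiled), and the
template names it recognises are the ones that appear in the post plus
su_per_role_template, whose name and meaning are assumed here.
"""
import re

# Interface calls that hand a login domain a way into another domain or role.
# Descriptions are this script's own summary, not refpolicy documentation.
ESCALATION_TEMPLATES = {
    "sudo_per_role_template": "run sudo",
    "su_per_role_template": "run su",          # assumed name
    "seutil_run_newrole": "run newrole",
    "apache_domtrans": "transition to httpd_t",
}
# Templates that create the user's login domain <prefix>_t.
LOGIN_TEMPLATES = ("userdom_unpriv_login_user", "userdom_login_user_template",
                   "userdom_base_user_template")

# One call per line; [^()\n] keeps multi-line wrappers such as
# optional_policy(` ... ') from swallowing the calls inside them.
CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\(([^()\n]*)\)", re.M)
MODULE_RE = re.compile(r"policy_module\(\s*(\w+)\s*,")
PROC_TRANS_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):process\s+"
    r"(?:transition|\{[^}]*\btransition\b[^}]*\})\s*;", re.M)
ROLE_TRANS_RE = re.compile(r"^\s*role_transition\s+(\w+)\s+(\w+)\s+(\w+)\s*;", re.M)
ROLE_ALLOW_RE = re.compile(r"^\s*allow\s+(\w+_r)\s+(\w+_r)\s*;", re.M)


def analyse_module(te_text):
    """Return {module, login_domain, unprivileged, escalations} for one .te."""
    m = MODULE_RE.search(te_text)
    if not m:
        raise ValueError("no policy_module() declaration")
    report = {"module": m.group(1), "login_domain": None,
              "unprivileged": False, "escalations": []}
    for name, args in CALL_RE.findall(te_text):
        prefix = args.split(",")[0].strip()
        if name in LOGIN_TEMPLATES:
            report["login_domain"] = prefix + "_t"
            report["unprivileged"] = name == "userdom_unpriv_login_user"
        elif name in ESCALATION_TEMPLATES:
            report["escalations"].append(f"{ESCALATION_TEMPLATES[name]} via {name}")
    for src, dst in PROC_TRANS_RE.findall(te_text):
        report["escalations"].append(f"process transition {src} -> {dst}")
    for role, etype, new_role in ROLE_TRANS_RE.findall(te_text):
        report["escalations"].append(f"role transition {role} -> {new_role} on {etype}")
    for src_r, dst_r in ROLE_ALLOW_RE.findall(te_text):
        report["escalations"].append(f"role change {src_r} -> {dst_r}")
    return report


def findings(report):
    """Flag the case the post objects to: an unprivileged login user that
    picked up an escalation path, whether written explicitly or generated."""
    out = []
    if report["login_domain"] is None:
        out.append(f"{report['module']}: no login-user template called")
    if report["unprivileged"] and report["escalations"]:
        out.append(f"{report['module']}: unprivileged user has escalation paths: "
                   + ", ".join(report["escalations"]))
    return out


# Module texts from the post (webadm cut down to the rules that matter here).
GUEST_TE = """policy_module(guest,1.0.0)
userdom_unpriv_login_user(guest)
"""
GADMIN_TE = """policy_module(gadmin,1.0.0)
userdom_unpriv_login_user(gadmin)
sudo_per_role_template(gadmin, gadmin_t, gadmin_r)
seutil_run_newrole(gadmin_t, gadmin_r, { gadmin_devtty_t gadmin_tty_device_t })
gen_require(`
    type gadmin_t;
')
allow gadmin_t webadm_t:process transition;
allow webadm_t gadmin_t:dir getattr;
"""
WEBADM_TE = """policy_module(webadm,1.0.0)
userdom_login_user_template(webadm)
apache_domtrans(webadm_t)
role_transition webadm_r httpd_exec_t system_r;
allow webadm_r system_r;
"""
# Constructed, not from the post: what user_t amounts to once the Makefile
# has pulled in every per_role_ template for it.
USER_TE = """policy_module(user,1.0.0)
userdom_unpriv_login_user(user)
su_per_role_template(user, user_t, user_r)
sudo_per_role_template(user, user_t, user_r)
"""

if __name__ == "__main__":
    for te in (GUEST_TE, GADMIN_TE, WEBADM_TE, USER_TE):
        rep = analyse_module(te)
        print(rep["module"], rep["login_domain"], rep["escalations"])
        for f in findings(rep):
            print("  !", f)
```

Run against the four samples, guest reports no escalation path, gadmin is flagged because it deliberately grants sudo, newrole and a transition to webadm_t from an unprivileged login domain (the reviewer decides whether that is intended, as it is here), webadm is a root user so nothing is flagged, and the constructed user.te shows the su/sudo grants the post wants removed.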
