From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, SE Linux <selinux@tycho.nsa.gov>
Subject: Role Creation Wizard
Date: Wed, 05 Sep 2007 16:13:09 -0400
Message-ID: <46DF0DD5.3080207@redhat.com>
I have been working on creating a role creation wizard, for policy
writers to be able to create user types and admin roles.
Working from a baseline user (guest_t, xguest_t), you can assign
transitions to other domains (mozilla, ssh) or to admin roles webadm_t,
dbadm_t. Most of the work is done.
The admin roles will be able to manipulate their own service. I have
begun labeling initscripts.
# ls -lZ /etc/init.d/httpd
-rwxr-xr-x root root system_u:object_r:httpd_script_exec_t:s0 /etc/init.d/httpd
So a webadm_t will only be able to run /etc/init.d/httpd (Labeled
httpd_script_exec_t).
I don't want to require the use of run_init, mainly because this
requires the entry of the password (I don't want to give these admin
roles "rootok", so pam_rootok will not fix this problem). I am also not
sure that, if we transition to run_init, we can prevent the admin from
executing other init scripts.
So in my test environment I have created a terminal user mytuser_u, and
an admin user mydbadm_t, which can modify postgresql and mysql environments.
# semanage user -l | grep mytuser
mytuser_u mytuser s0 s0
mydbadm_r mytuser_r
Then I assign the rwalsh account to it
# semanage login -l | grep mytuser
rwalsh mytuser_u s0
I log in as rwalsh and sudo/newrole to mydbadm_t.
When I try to start the init script, I fail with the following error.
service mysqld restart
env: /etc/init.d/mysqld: Permission denied
This is happening because of the following SELINUX_ERR
# grep SELINUX /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid: invalid context mytuser_u:system_r:initrc_t:s0 for scontext=mytuser_u:mydbadm_r:mydbadm_t:s0 tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process
Which indicates system_r is not available to mytuser_u.
So in order to get this to work, I will have to add system_r to every
admin user, which seems to me to be a potential risk.
We have role_transition and type_transition but no user_transition.
Any ideas on a better way to handle this, or is my only choice run_init,
or system_r for the admin user?
Attaching my generated policy along with mysql.if (Important part is the
mysql_admin interface.)
[-- Attachment #2: mytuser.te --]
[-- Type: text/plain, Size: 402 bytes --]
policy_module(mytuser,1.0.0)
########################################
#
# Declarations
#
userdom_unpriv_login_user(mytuser)
########################################
#
# mytuser local policy
#
seutil_run_newrole(mytuser_t,mytuser_r,{ mytuser_devpts_t mytuser_tty_device_t })
userdom_role_change_template(mytuser, mydbadm)
optional_policy(`
sudo_per_role_template(mytuser,mytuser_t,mytuser_r)
')
[-- Attachment #3: mydbadm.te --]
[-- Type: text/plain, Size: 401 bytes --]
policy_module(mydbadm,1.0.0)
########################################
#
# Declarations
#
userdom_base_user_template(mydbadm)
########################################
#
# mydbadm local policy
#
optional_policy(`
postgresql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')
optional_policy(`
mysql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')
[-- Attachment #4: mysql.if --]
[-- Type: text/plain, Size: 4985 bytes --]
## <summary>Policy for MySQL</summary>
########################################
## <summary>
## Send a generic signal to MySQL.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_signal',`
gen_require(`
type mysqld_t;
')
allow $1 mysqld_t:process signal;
')
########################################
## <summary>
## Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_stream_connect',`
gen_require(`
type mysqld_t, mysqld_var_run_t;
')
stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t)
')
########################################
## <summary>
## Read MySQL configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_read_config',`
gen_require(`
type mysqld_etc_t;
')
allow $1 mysqld_etc_t:dir { getattr read search };
allow $1 mysqld_etc_t:file { read getattr };
allow $1 mysqld_etc_t:lnk_file { getattr read };
')
########################################
## <summary>
## Search the directories that contain MySQL
## database storage.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
interface(`mysql_search_db',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
')
########################################
## <summary>
## Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_rw_db_dirs',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir rw_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_manage_db_dirs',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir manage_dir_perms;
')
########################################
## <summary>
## Read and write to the MySQL database
## named socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_rw_db_sockets',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:sock_file rw_file_perms;
')
########################################
## <summary>
## Write to the MySQL log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_write_log',`
gen_require(`
type mysqld_log_t;
')
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
')
########################################
## <summary>
## Execute mysql server in the mysqld domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mysql_script_domtrans',`
gen_require(`
type mysqld_script_exec_t;
')
init_script_domtrans_spec($1,mysqld_script_exec_t)
')
########################################
## <summary>
## All of the rules required to administrate a mysql environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the mysql domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal the mysql domain is allowed to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`
gen_require(`
type mysqld_t;
type mysqld_var_run_t;
type mysqld_tmp_t;
type mysqld_db_t;
type mysqld_etc_t;
type mysqld_log_t;
type mysqld_script_exec_t;
')
allow $1 mysqld_t:process { ptrace signal_perms };
# Allow $1 to run the mysql init script (restart the mysql service)
mysql_script_domtrans($1)
domain_role_change_exemption($1)
domain_system_change_exemption($1)
domain_obj_id_change_exemption($1)
role_transition $2 mysqld_script_exec_t system_r;
allow $2 system_r;
manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
')
[-- Attachment #5: mytuser.te.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]
[-- Attachment #6: mydbadm.te.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]
[-- Attachment #7: mysql.if.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]
Thread overview: 3+ messages
2007-09-05 20:13 Daniel J Walsh [this message]
2007-09-11 17:30 ` Role Creation Wizard Stephen Smalley
2007-09-11 18:15 ` Christopher J. PeBenito