* Role Creation Wizard
@ 2007-09-05 20:13 Daniel J Walsh
From: Daniel J Walsh @ 2007-09-05 20:13 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
I have been working on creating a role creation wizard, for policy
writers to be able to create user types and admin roles.
Working from a baseline user (guest_t, xguest_t), you can assign
transitions to other domains (mozilla, ssh) or to admin roles webadm_t,
dbadm_t. Most of the work is done.
The admin roles will be able to manipulate their own service. I have
begun labeling initscripts.
ls -lZ /etc/init.d/httpd
-rwxr-xr-x root root system_u:object_r:httpd_script_exec_t:s0
/etc/init.d/httpd
So a webadm_t will only be able to run /etc/init.d/httpd (Labeled
httpd_script_exec_t).
I don't want to require the use of run_init, mainly because this
requires the entry of the password (I don't want to give these admin
roles "rootok", so pam_rootok will not fix this problem). I am also not
sure that, if we transition to run_init, we can prevent the admin from
executing other init scripts.
So in my test environment I have created a terminal user mytuser_u; and
an admin user mydbadm_t, which can modify postgresql and mysql environments.
# semanage user -l | grep mytuser
mytuser_u mytuser s0 s0
mydbadm_r mytuser_r
Then I assign the rwalsh account to it
semanage login -l | grep mytuser
rwalsh mytuser_u s0
I log in as rwalsh,
sudo/newrole to mydbadm_t
When I try to start the init script, I fail with the following error.
service mysqld restart
env: /etc/init.d/mysqld: Permission denied
This is happening because of the following SELINUX_ERR
grep SELINUX /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid:
invalid context mytuser_u:system_r:initrc_t:s0 for
scontext=mytuser_u:mydbadm_r:mydbadm_t:s0
tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process
Which indicates system_r is not available to mytuser_u.
So in order to get this to work, I will have to add system_r to every
admin user. Which seems to me to be a potential risk.
We have role_transition and type_transition but no user_transition.
Any ideas on a better way to handle this, or is my only choice run_init,
or system_r for the admin user?
Attaching my generated policy along with mysql.if (Important part is the
mysql_admin interface.)
[-- Attachment #2: mytuser.te --]
[-- Type: text/plain, Size: 402 bytes --]
policy_module(mytuser,1.0.0)
########################################
#
# Declarations
#
userdom_unpriv_login_user(mytuser)
########################################
#
# mytuser local policy
#
seutil_run_newrole(mytuser_t,mytuser_r,{ mytuser_devpts_t mytuser_tty_device_t })
userdom_role_change_template(mytuser, mydbadm)
optional_policy(`
sudo_per_role_template(mytuser,mytuser_t,mytuser_r)
')
[-- Attachment #3: mydbadm.te --]
[-- Type: text/plain, Size: 401 bytes --]
policy_module(mydbadm,1.0.0)
########################################
#
# Declarations
#
userdom_base_user_template(mydbadm)
########################################
#
# mydbadm local policy
#
optional_policy(`
postgresql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')
optional_policy(`
mysql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')
[-- Attachment #4: mysql.if --]
[-- Type: text/plain, Size: 4985 bytes --]
## <summary>Policy for MySQL</summary>
########################################
## <summary>
## Send a generic signal to MySQL.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_signal',`
gen_require(`
type mysqld_t;
')
allow $1 mysqld_t:process signal;
')
########################################
## <summary>
## Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_stream_connect',`
gen_require(`
type mysqld_t, mysqld_var_run_t;
')
stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t)
')
########################################
## <summary>
## Read MySQL configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_read_config',`
gen_require(`
type mysqld_etc_t;
')
allow $1 mysqld_etc_t:dir { getattr read search };
allow $1 mysqld_etc_t:file { read getattr };
allow $1 mysqld_etc_t:lnk_file { getattr read };
')
########################################
## <summary>
## Search the directories that contain MySQL
## database storage.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
interface(`mysql_search_db',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
')
########################################
## <summary>
## Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_rw_db_dirs',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir rw_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_manage_db_dirs',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir manage_dir_perms;
')
########################################
## <summary>
## Read and write to the MySQL database
## named socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_rw_db_sockets',`
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:sock_file rw_file_perms;
')
########################################
## <summary>
## Write to the MySQL log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_write_log',`
gen_require(`
type mysqld_log_t;
')
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
')
########################################
## <summary>
## Execute the MySQL init script, transitioning to the init script domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mysql_script_domtrans',`
gen_require(`
type mysqld_script_exec_t;
')
init_script_domtrans_spec($1,mysqld_script_exec_t)
')
########################################
## <summary>
## All of the rules required to administrate a MySQL environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the mysql domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal the mysql domain is allowed to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`
gen_require(`
type mysqld_t;
type mysqld_var_run_t;
type mysqld_tmp_t;
type mysqld_db_t;
type mysqld_etc_t;
type mysqld_log_t;
type mysqld_script_exec_t;
')
allow $1 mysqld_t:process { ptrace signal_perms };
# Allow $1 to restart the mysql service via its init script
mysql_script_domtrans($1)
domain_role_change_exemption($1)
domain_system_change_exemption($1)
domain_obj_id_change_exemption($1)
role_transition $2 mysqld_script_exec_t system_r;
allow $2 system_r;
manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
')
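The SELINUX_ERR in the post comes from the kernel computing a new context for the exec and then rejecting it, because a context is only valid when the user is authorized for the role and the role for the type. The following is an added example, not code from the thread or from the reference policy: a small Python model of that computation and a parser for such audit records. The authorization tables, the two transition rules (the `role_transition` from mysql_admin and the `type_transition` to initrc_t from init_script_domtrans_spec) and the sample audit line are constructed from what the post shows and are assumptions, not a dump of any real policy.

```python
"""Model of the SELinux context computation behind a security_compute_sid error.

Constructed example (not from the thread or from refpolicy): a small
user->roles / role->types authorization table, the two transition rules the
post's policy adds, and a parser for SELINUX_ERR audit records.
"""
import re
from collections import namedtuple

Context = namedtuple("Context", "user role type mls")

# Assumed authorization tables, mirroring 'semanage user -l' in the post:
# mytuser_u may use mytuser_r and mydbadm_r, but not system_r.
USER_ROLES = {
    "mytuser_u": {"mytuser_r", "mydbadm_r"},
    "system_u": {"system_r"},
}
ROLE_TYPES = {
    "mytuser_r": {"mytuser_t"},
    "mydbadm_r": {"mydbadm_t"},
    "system_r": {"initrc_t", "mysqld_t"},
}
# (source type, target type) -> new type, as init_script_domtrans_spec gives
TYPE_TRANSITIONS = {("mydbadm_t", "mysqld_script_exec_t"): "initrc_t"}
# (source role, target type) -> new role, as 'role_transition $2 ... system_r'
ROLE_TRANSITIONS = {("mydbadm_r", "mysqld_script_exec_t"): "system_r"}


def parse_context(text):
    """Split user:role:type[:mls]; the MLS part may itself contain colons."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {text!r}")
    mls = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], mls)


def format_context(ctx):
    return ":".join(p for p in (ctx.user, ctx.role, ctx.type, ctx.mls) if p)


def validate(ctx, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Reasons the context is invalid (an empty list means valid).

    These are the two checks the kernel applies to a computed context:
    the user must be authorized for the role, and the role for the type.
    """
    problems = []
    if ctx.role not in user_roles.get(ctx.user, set()):
        problems.append(f"user {ctx.user} is not authorized for role {ctx.role}")
    if ctx.type not in role_types.get(ctx.role, set()):
        problems.append(f"role {ctx.role} is not authorized for type {ctx.type}")
    return problems


def compute_sid(scontext, tcontext, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Compute the context of a process exec'ing tcontext from scontext.

    Returns (new_context_string, problems). There is no user_transition,
    so the user is always inherited from the source context.
    """
    s, t = parse_context(scontext), parse_context(tcontext)
    new = Context(
        s.user,
        ROLE_TRANSITIONS.get((s.role, t.type), s.role),
        TYPE_TRANSITIONS.get((s.type, t.type), s.type),
        s.mls,
    )
    return format_context(new), validate(new, user_roles, role_types)


AUDIT_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<invalid>\S+) for\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def diagnose(audit_line, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Explain a SELINUX_ERR security_compute_sid audit record.

    Returns None for lines that are not such a record.
    """
    m = AUDIT_RE.search(audit_line)
    if not m:
        return None
    return {
        "invalid": m["invalid"],
        "scontext": m["scontext"],
        "tcontext": m["tcontext"],
        "tclass": m["tclass"],
        "problems": validate(parse_context(m["invalid"]), user_roles, role_types),
    }


# Constructed sample record, joined from the audit line quoted in the post.
SAMPLE = (
    "type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid: "
    "invalid context mytuser_u:system_r:initrc_t:s0 for "
    "scontext=mytuser_u:mydbadm_r:mydbadm_t:s0 "
    "tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process"
)

if __name__ == "__main__":
    src, tgt = "mytuser_u:mydbadm_r:mydbadm_t:s0", "system_u:object_r:mysqld_script_exec_t:s0"
    print(compute_sid(src, tgt))
    # The fix the post considers: authorizing mytuser_u for system_r makes the
    # computed context valid, at the cost of widening what that user may become.
    widened = {**USER_ROLES, "mytuser_u": USER_ROLES["mytuser_u"] | {"system_r"}}
    print(compute_sid(src, tgt, widened))
    print(diagnose(SAMPLE))
```

Running the module reproduces the failure in the post (the computed context `mytuser_u:system_r:initrc_t:s0` is rejected because mytuser_u is not authorized for system_r) and shows that the only knob the model has, since the user field is inherited, is the user's role set; that is exactly the widening the post is uneasy about.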
* Re: Role Creation Wizard
From: Stephen Smalley @ 2007-09-11 17:30 UTC (permalink / raw)
To: Daniel J Walsh
Cc: SE Linux, Christopher J. PeBenito, Eric Paris, Karl MacMillan
On Wed, 2007-09-05 at 16:13 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have been working on creating a role creation wizard, for policy
> writers to be able to create user types and admin roles.
>
> Working from a base line user (guest_t, xguest_t), You can assign
> transitions to other domains (mozilla, ssh) or to admin roles webadm_t,
> dbadm_t. Most of the work is done.
>
> The admin roles will be able to manipulate there own service. I have
> begun labeling initscripts.
>
> ls -lZ /etc/init.d/httpd
> -rwxr-xr-x root root system_u:object_r:httpd_script_exec_t:s0
> /etc/init.d/httpd
>
> So a webadm_t will only be able to run /etc/init.d/httpd (Labeled
> httpd_script_exec_t).
>
> I don't want to require the use of run_init. Mainly because this
> requires the entry of the password, (I don't want to give these admin
> roles "rootok". So pam_rootok will not fix this problem. I am also not
> sure if we transition to run_init, we can prevent the admin from
> executing other init scripts.
>
> So in my test environment I have created a terminal user mytuser_u; and
> an admin user mydbadm_t, which can modify postgresql and mysql environments.
>
> # semanage user -l | grep mytuser
> mytuser_u mytuser s0 s0
> mydbadm_r mytuser_r
>
> Then I assign the rwalsh account to it
>
> semanage login -l | grep mytuser
> rwalsh mytuser_u s0
>
> I log in as rwalsh,
> sudo/newrole to mydbadm_t
>
> When I try to start the init script, I fail with the following error.
>
>
> service mysqld restart
> env: /etc/init.d/mysqld: Permission denied
>
>
> This is happening because of the following SELINUX_ERR
>
> grep SELINUX /var/log/audit/audit.log
> type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid:
> invalid context mytuser_u:system_r:initrc_t:s0 for
> scontext=mytuser_u:mydbadm_r:mydbadm_t:s0
> tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process
>
> Which indicates system_r is not available to mytuser_u.
>
> So in order to get this to work, I will have to add system_r to every
> admin user. Which seems to me to be a potential risk.
>
> We have role_transition and type_transition but no user_transition.
>
> Any ideas on better way to handle this, or is my only choice run_init,
> or system_r for the admin user.
The approach in Hardened Gentoo was to integrate run_init-like
functionality into the init system, IIRC, but omitting the
re-authentication stage (which isn't security-critical).
Adding user_transition support to the policy compiler and kernel would
be a useful feature though. And I don't believe the 'wait for
policyrep' mantra - if it matters, we should just do it now.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Role Creation Wizard
From: Christopher J. PeBenito @ 2007-09-11 18:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Eric Paris, Karl MacMillan
On Tue, 2007-09-11 at 13:30 -0400, Stephen Smalley wrote:
> On Wed, 2007-09-05 at 16:13 -0400, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I have been working on creating a role creation wizard, for policy
> > writers to be able to create user types and admin roles.
> >
> > Working from a base line user (guest_t, xguest_t), You can assign
> > transitions to other domains (mozilla, ssh) or to admin roles webadm_t,
> > dbadm_t. Most of the work is done.
> >
> > The admin roles will be able to manipulate there own service. I have
> > begun labeling initscripts.
> >
> > ls -lZ /etc/init.d/httpd
> > -rwxr-xr-x root root system_u:object_r:httpd_script_exec_t:s0
> > /etc/init.d/httpd
> >
> > So a webadm_t will only be able to run /etc/init.d/httpd (Labeled
> > httpd_script_exec_t).
> >
> > I don't want to require the use of run_init. Mainly because this
> > requires the entry of the password, (I don't want to give these admin
> > roles "rootok". So pam_rootok will not fix this problem. I am also not
> > sure if we transition to run_init, we can prevent the admin from
> > executing other init scripts.
> >
> > So in my test environment I have created a terminal user mytuser_u; and
> > an admin user mydbadm_t, which can modify postgresql and mysql environments.
> >
> > # semanage user -l | grep mytuser
> > mytuser_u mytuser s0 s0
> > mydbadm_r mytuser_r
> >
> > Then I assign the rwalsh account to it
> >
> > semanage login -l | grep mytuser
> > rwalsh mytuser_u s0
> >
> > I log in as rwalsh,
> > sudo/newrole to mydbadm_t
> >
> > When I try to start the init script, I fail with the following error.
> >
> >
> > service mysqld restart
> > env: /etc/init.d/mysqld: Permission denied
> >
> >
> > This is happening because of the following SELINUX_ERR
> >
> > grep SELINUX /var/log/audit/audit.log
> > type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid:
> > invalid context mytuser_u:system_r:initrc_t:s0 for
> > scontext=mytuser_u:mydbadm_r:mydbadm_t:s0
> > tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process
> >
> > Which indicates system_r is not available to mytuser_u.
> >
> > So in order to get this to work, I will have to add system_r to every
> > admin user. Which seems to me to be a potential risk.
> >
> > We have role_transition and type_transition but no user_transition.
> >
> > Any ideas on better way to handle this, or is my only choice run_init,
> > or system_r for the admin user.
>
> The approach in Hardened Gentoo was to integrate run_init-like
> functionality into the init system, IIRC, but omitting the
> re-authentication stage (which isn't security-critical).
It's integrated, but it still authenticates per the pam.d run_init entry.
So if the user doesn't want it to authenticate, they can just use
pam_permit.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150