* Role Creation Wizard
@ 2007-09-05 20:13 Daniel J Walsh
  2007-09-11 17:30 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2007-09-05 20:13 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 2546 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been working on creating a role creation wizard, for policy
writers to be able to create user types and admin roles.

Working from a baseline user (guest_t, xguest_t), you can assign
transitions to other domains (mozilla, ssh) or to admin roles (webadm_t,
dbadm_t).  Most of the work is done.

The admin roles will be able to manipulate their own service.  I have
begun labeling initscripts.

ls -lZ /etc/init.d/httpd
- -rwxr-xr-x  root root system_u:object_r:httpd_script_exec_t:s0
/etc/init.d/httpd

So a webadm_t will only be able to run /etc/init.d/httpd (Labeled
httpd_script_exec_t).

I don't want to require the use of run_init, mainly because this
requires the entry of a password (I don't want to give these admin
roles "rootok", so pam_rootok will not fix this problem).  I am also not
sure that, if we transition to run_init, we can prevent the admin from
executing other init scripts.

So in my test environment I have created a terminal user, mytuser_u, and
an admin user, mydbadm_t, which can modify the postgresql and mysql environments.

# semanage user -l | grep mytuser
mytuser_u       mytuser    s0         s0
mydbadm_r mytuser_r

Then I assign the rwalsh account to it

semanage login -l | grep mytuser
rwalsh                    mytuser_u                 s0

I log in as rwalsh,
sudo/newrole to mydbadm_t

When I try to run the init script, it fails with the following error:


service mysqld restart
env: /etc/init.d/mysqld: Permission denied


This is happening because of the following SELINUX_ERR:

grep SELINUX /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1189021260.698:974): security_compute_sid:
invalid context mytuser_u:system_r:initrc_t:s0 for
scontext=mytuser_u:mydbadm_r:mydbadm_t:s0
tcontext=system_u:object_r:mysqld_script_exec_t:s0 tclass=process

This indicates that system_r is not available to mytuser_u.

So in order to get this to work, I will have to add system_r to every
admin user, which seems to me to be a potential risk.

We have role_transition and type_transition but no user_transition.

Any ideas on a better way to handle this, or is my only choice run_init
or system_r for the admin user?




Attaching my generated policy along with mysql.if (the important part is
the mysql_admin interface).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG3w3UrlYvE4MpobMRAsLAAJ9gsOO4oiWKiCjWVsbtCigzCii++gCfRVi3
GH3cWZ/aaClg1xsZs9VuSnQ=
=QWyQ
-----END PGP SIGNATURE-----

[-- Attachment #2: mytuser.te --]
[-- Type: text/plain, Size: 402 bytes --]

policy_module(mytuser,1.0.0)

########################################
#
# Declarations
#

# Declares the unprivileged login user domain mytuser_t and its role
# mytuser_r (generated by the role creation wizard from the cover mail).
userdom_unpriv_login_user(mytuser)

########################################
#
# mytuser local policy
#

# Presumably permits the role change mytuser_r -> mydbadm_r; this is the
# hop from the terminal user into the database admin domain, so it is the
# rule to review when auditing who can reach mydbadm_t.  Verify against
# userdom_role_change_template.
userdom_role_change_template(mytuser, mydbadm)

# Let mytuser_t run newrole, keeping the user's pty and tty types usable
# across the role change.
seutil_run_newrole(mytuser_t,mytuser_r,{ mytuser_devpts_t mytuser_tty_device_t })

optional_policy(`
	# sudo from mytuser_t (the cover mail reaches mydbadm_t via sudo/newrole)
	sudo_per_role_template(mytuser,mytuser_t,mytuser_r)
')

[-- Attachment #3: mydbadm.te --]
[-- Type: text/plain, Size: 401 bytes --]


policy_module(mydbadm,1.0.0)

########################################
#
# Declarations
#

# Declares the base user domain mydbadm_t, role mydbadm_r and the
# mydbadm_tty_device_t / mydbadm_devpts_t terminal types used below.
userdom_base_user_template(mydbadm)

########################################
#
# mydbadm local policy
#

# Each admin interface grants mydbadm_t management of one database
# service.  NOTE(review): mysql_admin (mysql.if) adds a role_transition
# into system_r; as the SELINUX_ERR in the cover mail shows, that
# transition is rejected unless the SELinux user running mydbadm_r is
# also authorized for system_r.
optional_policy(`
	mysql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')

optional_policy(`
	postgresql_admin(mydbadm_t,mydbadm_r, { mydbadm_tty_device_t mydbadm_devpts_t })
')

[-- Attachment #4: mysql.if --]
[-- Type: text/plain, Size: 4985 bytes --]

## <summary>Policy for MySQL</summary>

########################################
## <summary>
##	Send a generic signal to the MySQL server domain (mysqld_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signal',`
	gen_require(`
		type mysqld_t;
	')

	# Only the `signal` process permission; sigkill, sigstop, sigchld and
	# signull are separate permissions and are not granted here.
	allow $1 mysqld_t:process signal;
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_stream_connect',`
	gen_require(`
		type mysqld_t, mysqld_var_run_t;
	')

	# The socket directory and the socket file are both mysqld_var_run_t
	# here; the peer domain is mysqld_t.  (mysql_rw_db_sockets below
	# instead addresses a socket under mysqld_db_t.)
	stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t)
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_read_config',`
	gen_require(`
		type mysqld_etc_t;
	')

	# Explicit permission sets rather than the read_*_pattern macros:
	# no lock or ioctl on the files, and no write anywhere.  Presumably
	# intentional; keep the sets narrow if this is revisited.
	allow $1 mysqld_etc_t:lnk_file { read getattr };
	allow $1 mysqld_etc_t:file { getattr read };
	allow $1 mysqld_etc_t:dir { search read getattr };
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
# NOTE(review): the interface is actually named mysql_search_db, without
# the "_dir" suffix the comment above refers to; the summary is what
# conveys the directory-only scope.
interface(`mysql_search_db',`
	gen_require(`
		type mysqld_db_t;
	')

	# Directory search only on mysqld_db_t, plus the var_lib parent
	# needed to reach it.
	allow $1 mysqld_db_t:dir search;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	# rw_dir_perms on the directory itself; files inside mysqld_db_t are
	# not covered by this interface.
	allow $1 mysqld_db_t:dir rw_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_manage_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	# manage_dir_perms on the directory class only; regular files under
	# mysqld_db_t are not managed by this interface.
	allow $1 mysqld_db_t:dir manage_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read and write to the MySQL database
##	named socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_sockets',`
	gen_require(`
		type mysqld_db_t;
	')

	# The socket addressed here lives under mysqld_db_t, unlike the
	# mysqld_var_run_t socket used by mysql_stream_connect; this grants
	# read/write on the sock_file but no connectto.
	allow $1 mysqld_db_t:sock_file rw_file_perms;
	allow $1 mysqld_db_t:dir search;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_write_log',`
	gen_require(`
		type mysqld_log_t;
	')

	# Append/write to existing log files only: no read, no create, no
	# dir permissions on mysqld_log_t.  setattr additionally allows the
	# caller to change attributes of those log files.
	allow $1 mysqld_log_t:file { ioctl setattr append write };
	logging_search_logs($1)
')

########################################
## <summary>
##	Execute the MySQL init script (mysqld_script_exec_t) with a
##	domain transition into the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
# Note this is the init script, not the server binary: the target of the
# transition is the init script domain (the SELINUX_ERR in the cover mail
# shows the computed context as initrc_t), which then starts mysqld_t.
interface(`mysql_script_domtrans',`
	gen_require(`
		type mysqld_script_exec_t;
	')

	# Domain transition rule for $1 executing mysqld_script_exec_t
	# (init_script_domtrans_spec is defined in refpolicy's init module).
	init_script_domtrans_spec($1,mysqld_script_exec_t)
')

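########################################
## <summary>
##	All of the rules required to administrate a MySQL environment:
##	signal and ptrace the server, run its init script, and manage
##	its pid, database, configuration, log and temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the mysql domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the mysql domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`

	gen_require(`
		type mysqld_t;
		type mysqld_var_run_t;
		type mysqld_tmp_t;
		type mysqld_db_t;
		type mysqld_etc_t;
		type mysqld_log_t;
		type mysqld_script_exec_t;
	')

	# NOTE(review): the terminal parameter ($3) is documented above but
	# not used by any rule in this interface.

	# ptrace lets the admin domain attach to the running server;
	# signal_perms covers every signal permission, including sigkill.
	allow $1 mysqld_t:process { ptrace signal_perms };

	# Allow $1 to run the MySQL init script (mysqld_script_exec_t).
	# The exemptions presumably lift the role/system/object-id change
	# constraints that would otherwise block the transition -- verify
	# against the domain module's definitions.
	mysql_script_domtrans($1)
	domain_role_change_exemption($1)
	domain_system_change_exemption($1)
	domain_obj_id_change_exemption($1)

	# NOTE(review): the role_transition moves $2 to system_r while the
	# caller's SELinux user is kept, so the user must itself be
	# authorized for system_r or security_compute_sid rejects the
	# context (the SELINUX_ERR in the cover mail).  `allow $2 system_r;`
	# is a role-to-role rule: it is not limited to this script's exec
	# type, so it widens $2 beyond the MySQL init script.
	role_transition $2 mysqld_script_exec_t system_r;
	allow $2 system_r;

	# Search on the parent directories so the manage rules below are
	# reachable, matching what the narrower interfaces in this file do
	# (mysql_rw_db_dirs, mysql_write_log).
	files_search_pids($1)
	files_search_var_lib($1)
	files_search_etc($1)
	logging_search_logs($1)
	files_search_tmp($1)

	manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
	manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)

	manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
	manage_files_pattern($1,mysqld_db_t,mysqld_db_t)

	manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
	manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)

	manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
	manage_files_pattern($1,mysqld_log_t,mysqld_log_t)

	manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
	manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
')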

[-- Attachment #5: mytuser.te.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

[-- Attachment #6: mydbadm.te.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

[-- Attachment #7: mysql.if.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

