From: Daniel J Walsh <dwalsh@redhat.com>
To: Jeremiah Jahn <jeremiah@goodinassociates.com>
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Paul Moore <paul.moore@hp.com>, selinux <selinux@tycho.nsa.gov>
Subject: secadm/sysadm discussion
Date: Fri, 15 Feb 2008 16:22:13 -0500
Message-ID: <47B60285.9010801@redhat.com>
In-Reply-To: <1203093415.3669.258.camel@bluejay.goodinassociates.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
<rant>
Personally I think sysadm_t is a waste of time. It is a poor man's
unconfined_t and should be eliminated from the face of the earth. All
it does is generate bugs and avc messages without supplying any real
security. It makes no sense as a confinement of a root user, since it
is so easily gotten around. If you have an administrator of a machine
that you want to confine, start with only allowing him the privs that
are required to do his job. You can't start by saying he can do
everything except ABC.
If your goal is that the admin can not modify the SELinux security policy and
you don't trust the admin, you lose. The admin can use fsadm tools, he
can use rpm, he can bring the machine to single user mode, he can modify
init.
You need to define what the confined admin is allowed to manage
(Apache/postgresql/mysql) and then define rules and a domain for an
administrator to do that.
Fedora 9 will have the ability to easily design a confined admin role.
I have added NAME_admin interfaces to every confined service domain,
and system-config-selinux/polgengui now has the ability to select the
NAME_admin domains that you want to administer. I believe this is the
way to confine a root user. You can then set up a confined login user
staff_t or guest_t and define transitions from this domain to the admin
domain. sudo can now be used to handle the transition.
I think we will find lots of bugs in this method, but we need people to
experiment with it. I think we will also find security vulnerabilities
which we will need to fix in the kernel. (chmod 4755 shell) for example.
</rant>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAke2AncACgkQrlYvE4MpobN2zgCfTs1WPmpgUm5m8wo50Vwcpb9J
jy0AnAibTphoR0N2DgUG45cv3HIfkqZV
=xBer
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
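The approach described in the message above (a confined login domain, a separate admin domain built from the per-service NAME_admin interfaces, and sudo performing the transition) written out as a reference-policy module. This is an added example, not code from the message, from Fedora, or from the refpolicy project; the domain and role names `webadm_t`/`webadm_r`, the interface signatures `apache_admin(domain, role)` and `mysql_admin(domain, role)`, the `ROLE=`/`TYPE=` sudoers syntax and the semanage/make commands in the comments are assumptions about the conventions of that era and should be checked against the policy sources actually installed.

```selinux
# webadm.te -- constructed example of a confined web/database admin role.
# Not from the mailing-list message or from refpolicy; interface names,
# signatures and tooling commands below are assumptions.
policy_module(webadm, 1.0)

########################################
#
# Declarations
#

# The admin role and its domain. Everything this domain may do is listed
# explicitly below; nothing is inherited from sysadm_t or unconfined_t.
role webadm_r;
type webadm_t;
domain_type(webadm_t)
role webadm_r types webadm_t;

# The admin logs in as an ordinary staff user and only reaches webadm_t
# through an explicit transition.
gen_require(`
	type staff_t;
	role staff_r;
')

########################################
#
# Local policy
#

# Service management privileges, one NAME_admin interface per service the
# admin is responsible for (assumed signature: NAME_admin(domain, role)).
# Not granted: selinux policy management, rpm, fsadm tools, init control.
apache_admin(webadm_t, webadm_r)
mysql_admin(webadm_t, webadm_r)

# Enough to get a usable shell: run binaries, read /etc and /proc state,
# use the terminal sudo was started from.
corecmd_exec_bin(webadm_t)
corecmd_exec_shell(webadm_t)
corecmd_shell_entry_type(webadm_t)
files_read_etc_files(webadm_t)
kernel_read_system_state(webadm_t)
term_use_all_terms(webadm_t)

# Staff may assume the admin role, and a staff_t process may transition
# into webadm_t; sudo (built with SELinux support) requests that transition.
allow staff_r webadm_r;
allow staff_t webadm_t:process transition;

# Deployment notes (assumed commands, run as the policy administrator):
#
#   make -f /usr/share/selinux/devel/Makefile webadm.pp
#   semodule -i webadm.pp
#
#   # let the staff_u SELinux user carry the new role, and map a login to it
#   semanage user -m -R "staff_r webadm_r" staff_u
#   semanage login -a -s staff_u alice
#
# /etc/sudoers entry (assumed sudo ROLE=/TYPE= syntax) so that
# "sudo -r webadm_r -t webadm_t -i", or plain "sudo -i" with these
# defaults, lands the admin in webadm_t instead of an unconfined root:
#
#   alice ALL=(root) ROLE=webadm_r TYPE=webadm_t /bin/bash
#
# Verify with "id -Z" after the sudo: expect staff_u:webadm_r:webadm_t.
# Denied operations outside the granted interfaces show up as AVC
# messages, which is exactly what the message says this method should
# surface so the missing rules can be reviewed rather than papered over.
```

The point of keeping the admin domain empty except for the NAME_admin interfaces is that every additional privilege has to be added deliberately and shows up in the policy source, which is the "allow only what the job requires" construction the message argues for, as opposed to starting from sysadm_t and trying to subtract.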