Re: using roles with mls policy

[Andy Warner <warner@rubix.com>]

[-- Attachment #1: Type: text/plain, Size: 5091 bytes --]



Andy Warner wrote:
>
>
> Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
>>   
>>> I am using Fedora 9 with the MLS policy. I have been using it in permissive
>>> mode for a while (integrating SELinux with a DBMS and its objects) and now
>>> must do some work/testing in enforcing mode. As soon as I switch to
>>> enforcing mode I seem unable to perform any action which requires privilege.
>>>
>>> What is the anticipated method to shutdown/reboot the system and to toggle
>>> the enforcing mode while in MLS/Enforcing? What I assumed was to transition
>>> to an appropriate role (sysadm_r and secadm_r respectively) and then issue
>>> the corresponding command (shutdown and setenforce). This fails and I
>>> believe my difficulty is that in both cases I need to also be the linux root
>>> user. There does not seem to be an obvious way to execute a command as the
>>> lunux root user as neither su nor sudo seem available while in the sysadm_r
>>> and secadm_r roles. Executing something like seaudit while in the auditadm_r
>>> role fails to allow me to authenticate as root. Despite being the correct
>>> password it continuously loops asking for the password.
>>>
>>> As a related but less important question, in general, is it intended that a
>>> user initially have the staff_r role upon login and then transition to a
>>> more trusted role (i.e., secadm_r) using the newrole command? (as opposed to
>>> having the secadm_r upon login.
>>>
>>> Thanks for any help,
>>>
>>> Andy
>>>
>>>
>>>
>>>     
>>
>> Not sure how red hat works,
>> but for me using ubuntu having to change roles
>> I first needed to collect all of the allow rules, i.g.
>> allow newrole_t staff_t:process  etc...
>> then after after a reboot into enforce mode
>> using newrole -r works fine.(just haven't defined secadm_r yet).
>> As for toggling from enforce to permissive
>> using setenforce 0 or 1
>> or echo 0/1 > /selinux/enforce.
>>
>>
>>   
> I have no problem changing to a role while in enforcing mode, the 
> problem is in performing the command. Here is what is happening (the 
> following was executed while in enforcing mode):
>
> [staff@oak ~]$ id -Z
> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$ newrole -r secadm_r
> Password:
> [staff@oak ~]$ id -Z
> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$ ls -l /selinux/enforce
> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
> [staff@oak ~]$ /usr/sbin/setenforce 1
> /usr/sbin/setenforce:  setenforce() failed
> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
> [staff@oak ~]$ id
> uid=503(staff) gid=500(user) groups=500(user)
> context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$
>
> As can be seen I can transition to the secadm_r without an issue. And, 
> from the DAC modes of /selinux/enforce I would guess it requires linux 
> root to be written. Also, I thought I read elsewhere that the secadm_r 
> was configured so that it could not perform an su/sudo. Likewise, if I 
> try to execute system-config-selinux as the secadm_r role, I am not 
> permitted to authenticate as linux root user so I am not able to do 
> anything. If selinux is in permissive mode everything works, as long 
> as I su/sudo to root first. I have similar issues with the auditadm_r 
> role.
>
> As for my previously mentioned issue with using sysadm_r to issue a 
> shutdown command while in enforcing mode, I was mistaken and this is 
> possible using sudo (not sure what I was thinking). It seems no MLS 
> roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r 
> and secadm_r cannot use either and seem powerless without it. I am 
> also unable to directly log in as root when in enforcing mode.
>
> Note that I am using the roles as they are configured in the MLS 
> policy. If it is required to change or configure the roles to make 
> them able do what it seems like they should be able to do, thats ok, 
> but first I need to make sure I'm not just being boneheaded and using 
> them in the wrong way or have bad expectations of what they should be 
> able to do.

Sorry to answer my own email, but just to button this up. I could not 
log into my root account because of a conflict between the staff_t 
(login process type) and the admin_home_t (root's home dir file type). 
Any attempt to start a session for root during enforcing mode would die 
as it could not access root's home directory. I am not exactly sure why 
policy is this way, if I did something or the mls policy is that way by 
default. So, I had to find another way to have linux root and 
secadm_r/auditadm_r at the same time. The su and sudo commands are not 
available from those roles. So, from the staff_r I had to start a shell 
using sudo as:
sudo -s -r secadm_r

This gave me a shell with the linux root user and the secadm_r role and 
I was able to run things like system-config-selinux and setenforce 
during enforcing mode. Same applies to auditadm_r. role.

[-- Attachment #2: Type: text/html, Size: 5712 bytes --]