using roles with mls policy

using roles with mls policy

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 1334 bytes --]

I am using Fedora 9 with the MLS policy. I have been using it in 
permissive mode for a while (integrating SELinux with a DBMS and its 
objects) and now must do some work/testing in enforcing mode. As soon as 
I switch to enforcing mode I seem unable to perform any action which 
requires privilege.

What is the anticipated method to shutdown/reboot the system and to 
toggle the enforcing mode while in MLS/Enforcing? What I assumed was to 
transition to an appropriate role (sysadm_r and secadm_r respectively) 
and then issue the corresponding command (shutdown and setenforce). This 
fails and I believe my difficulty is that in both cases I need to also 
be the linux root user. There does not seem to be an obvious way to 
execute a command as the lunux root user as neither su nor sudo seem 
available while in the sysadm_r and secadm_r roles. Executing something 
like seaudit while in the auditadm_r role fails to allow me to 
authenticate as root. Despite being the correct password it continuously 
loops asking for the password.

As a related but less important question, in general, is it intended 
that a user initially have the staff_r role upon login and then 
transition to a more trusted role (i.e., secadm_r) using the newrole 
command? (as opposed to having the secadm_r upon login.

Thanks for any help,

Andy



[-- Attachment #2: Type: text/html, Size: 1532 bytes --]

Re: using roles with mls policy

[Justin Mattock]

On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
> I am using Fedora 9 with the MLS policy. I have been using it in permissive
> mode for a while (integrating SELinux with a DBMS and its objects) and now
> must do some work/testing in enforcing mode. As soon as I switch to
> enforcing mode I seem unable to perform any action which requires privilege.
>
> What is the anticipated method to shutdown/reboot the system and to toggle
> the enforcing mode while in MLS/Enforcing? What I assumed was to transition
> to an appropriate role (sysadm_r and secadm_r respectively) and then issue
> the corresponding command (shutdown and setenforce). This fails and I
> believe my difficulty is that in both cases I need to also be the linux root
> user. There does not seem to be an obvious way to execute a command as the
> lunux root user as neither su nor sudo seem available while in the sysadm_r
> and secadm_r roles. Executing something like seaudit while in the auditadm_r
> role fails to allow me to authenticate as root. Despite being the correct
> password it continuously loops asking for the password.
>
> As a related but less important question, in general, is it intended that a
> user initially have the staff_r role upon login and then transition to a
> more trusted role (i.e., secadm_r) using the newrole command? (as opposed to
> having the secadm_r upon login.
>
> Thanks for any help,
>
> Andy
>
>
>

Not sure how red hat works,
but for me using ubuntu having to change roles
I first needed to collect all of the allow rules, i.g.
allow newrole_t staff_t:process  etc...
then after after a reboot into enforce mode
using newrole -r works fine.(just haven't defined secadm_r yet).
As for toggling from enforce to permissive
using setenforce 0 or 1
or echo 0/1 > /selinux/enforce.


-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: using roles with mls policy

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 4064 bytes --]



Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
>   
>> I am using Fedora 9 with the MLS policy. I have been using it in permissive
>> mode for a while (integrating SELinux with a DBMS and its objects) and now
>> must do some work/testing in enforcing mode. As soon as I switch to
>> enforcing mode I seem unable to perform any action which requires privilege.
>>
>> What is the anticipated method to shutdown/reboot the system and to toggle
>> the enforcing mode while in MLS/Enforcing? What I assumed was to transition
>> to an appropriate role (sysadm_r and secadm_r respectively) and then issue
>> the corresponding command (shutdown and setenforce). This fails and I
>> believe my difficulty is that in both cases I need to also be the linux root
>> user. There does not seem to be an obvious way to execute a command as the
>> lunux root user as neither su nor sudo seem available while in the sysadm_r
>> and secadm_r roles. Executing something like seaudit while in the auditadm_r
>> role fails to allow me to authenticate as root. Despite being the correct
>> password it continuously loops asking for the password.
>>
>> As a related but less important question, in general, is it intended that a
>> user initially have the staff_r role upon login and then transition to a
>> more trusted role (i.e., secadm_r) using the newrole command? (as opposed to
>> having the secadm_r upon login.
>>
>> Thanks for any help,
>>
>> Andy
>>
>>
>>
>>     
>
> Not sure how red hat works,
> but for me using ubuntu having to change roles
> I first needed to collect all of the allow rules, i.g.
> allow newrole_t staff_t:process  etc...
> then after after a reboot into enforce mode
> using newrole -r works fine.(just haven't defined secadm_r yet).
> As for toggling from enforce to permissive
> using setenforce 0 or 1
> or echo 0/1 > /selinux/enforce.
>
>
>   
I have no problem changing to a role while in enforcing mode, the 
problem is in performing the command. Here is what is happening (the 
following was executed while in enforcing mode):

[staff@oak ~]$ id -Z
staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
[staff@oak ~]$ newrole -r secadm_r
Password:
[staff@oak ~]$ id -Z
staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
[staff@oak ~]$ ls -l /selinux/enforce
-rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
[staff@oak ~]$ /usr/sbin/setenforce 1
/usr/sbin/setenforce:  setenforce() failed
[staff@oak ~]$ sudo /usr/sbin/setenforce 1
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
[staff@oak ~]$ id
uid=503(staff) gid=500(user) groups=500(user)
context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
[staff@oak ~]$

As can be seen I can transition to the secadm_r without an issue. And, 
from the DAC modes of /selinux/enforce I would guess it requires linux 
root to be written. Also, I thought I read elsewhere that the secadm_r 
was configured so that it could not perform an su/sudo. Likewise, if I 
try to execute system-config-selinux as the secadm_r role, I am not 
permitted to authenticate as linux root user so I am not able to do 
anything. If selinux is in permissive mode everything works, as long as 
I su/sudo to root first. I have similar issues with the auditadm_r role.

As for my previously mentioned issue with using sysadm_r to issue a 
shutdown command while in enforcing mode, I was mistaken and this is 
possible using sudo (not sure what I was thinking). It seems no MLS 
roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r and 
secadm_r cannot use either and seem powerless without it. I am also 
unable to directly log in as root when in enforcing mode.

Note that I am using the roles as they are configured in the MLS policy. 
If it is required to change or configure the roles to make them able do 
what it seems like they should be able to do, thats ok, but first I need 
to make sure I'm not just being boneheaded and using them in the wrong 
way or have bad expectations of what they should be able to do.

[-- Attachment #2: Type: text/html, Size: 4573 bytes --]

Re: using roles with mls policy

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 5091 bytes --]



Andy Warner wrote:
>
>
> Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
>>   
>>> I am using Fedora 9 with the MLS policy. I have been using it in permissive
>>> mode for a while (integrating SELinux with a DBMS and its objects) and now
>>> must do some work/testing in enforcing mode. As soon as I switch to
>>> enforcing mode I seem unable to perform any action which requires privilege.
>>>
>>> What is the anticipated method to shutdown/reboot the system and to toggle
>>> the enforcing mode while in MLS/Enforcing? What I assumed was to transition
>>> to an appropriate role (sysadm_r and secadm_r respectively) and then issue
>>> the corresponding command (shutdown and setenforce). This fails and I
>>> believe my difficulty is that in both cases I need to also be the linux root
>>> user. There does not seem to be an obvious way to execute a command as the
>>> lunux root user as neither su nor sudo seem available while in the sysadm_r
>>> and secadm_r roles. Executing something like seaudit while in the auditadm_r
>>> role fails to allow me to authenticate as root. Despite being the correct
>>> password it continuously loops asking for the password.
>>>
>>> As a related but less important question, in general, is it intended that a
>>> user initially have the staff_r role upon login and then transition to a
>>> more trusted role (i.e., secadm_r) using the newrole command? (as opposed to
>>> having the secadm_r upon login.
>>>
>>> Thanks for any help,
>>>
>>> Andy
>>>
>>>
>>>
>>>     
>>
>> Not sure how red hat works,
>> but for me using ubuntu having to change roles
>> I first needed to collect all of the allow rules, i.g.
>> allow newrole_t staff_t:process  etc...
>> then after after a reboot into enforce mode
>> using newrole -r works fine.(just haven't defined secadm_r yet).
>> As for toggling from enforce to permissive
>> using setenforce 0 or 1
>> or echo 0/1 > /selinux/enforce.
>>
>>
>>   
> I have no problem changing to a role while in enforcing mode, the 
> problem is in performing the command. Here is what is happening (the 
> following was executed while in enforcing mode):
>
> [staff@oak ~]$ id -Z
> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$ newrole -r secadm_r
> Password:
> [staff@oak ~]$ id -Z
> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$ ls -l /selinux/enforce
> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
> [staff@oak ~]$ /usr/sbin/setenforce 1
> /usr/sbin/setenforce:  setenforce() failed
> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
> [staff@oak ~]$ id
> uid=503(staff) gid=500(user) groups=500(user)
> context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> [staff@oak ~]$
>
> As can be seen I can transition to the secadm_r without an issue. And, 
> from the DAC modes of /selinux/enforce I would guess it requires linux 
> root to be written. Also, I thought I read elsewhere that the secadm_r 
> was configured so that it could not perform an su/sudo. Likewise, if I 
> try to execute system-config-selinux as the secadm_r role, I am not 
> permitted to authenticate as linux root user so I am not able to do 
> anything. If selinux is in permissive mode everything works, as long 
> as I su/sudo to root first. I have similar issues with the auditadm_r 
> role.
>
> As for my previously mentioned issue with using sysadm_r to issue a 
> shutdown command while in enforcing mode, I was mistaken and this is 
> possible using sudo (not sure what I was thinking). It seems no MLS 
> roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r 
> and secadm_r cannot use either and seem powerless without it. I am 
> also unable to directly log in as root when in enforcing mode.
>
> Note that I am using the roles as they are configured in the MLS 
> policy. If it is required to change or configure the roles to make 
> them able do what it seems like they should be able to do, thats ok, 
> but first I need to make sure I'm not just being boneheaded and using 
> them in the wrong way or have bad expectations of what they should be 
> able to do.

Sorry to answer my own email, but just to button this up. I could not 
log into my root account because of a conflict between the staff_t 
(login process type) and the admin_home_t (root's home dir file type). 
Any attempt to start a session for root during enforcing mode would die 
as it could not access root's home directory. I am not exactly sure why 
policy is this way, if I did something or the mls policy is that way by 
default. So, I had to find another way to have linux root and 
secadm_r/auditadm_r at the same time. The su and sudo commands are not 
available from those roles. So, from the staff_r I had to start a shell 
using sudo as:
sudo -s -r secadm_r

This gave me a shell with the linux root user and the secadm_r role and 
I was able to run things like system-config-selinux and setenforce 
during enforcing mode. Same applies to auditadm_r. role.

[-- Attachment #2: Type: text/html, Size: 5712 bytes --]

Re: using roles with mls policy

[Justin P. Mattock]

[-- Attachment #1: Type: text/plain, Size: 5778 bytes --]

Not sure about auditadm_r and
Secadm_r, from what I remember
To access those roles you need to
Be sysadm_r(but could be wrong);
As for setting you initial context as
User_r and then making the transition to syadm_r, don't think you  
can(or at least I haven't been able to do so);
You would have to use a boot param
To use permissive

justin P. Mattock



On Nov 5, 2008, at 10:22 AM, Andy Warner <warner@rubix.com> wrote:

>
>
> Andy Warner wrote:
>>
>>
>>
>> Justin Mattock wrote:
>>>
>>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com>  
>>> wrote:
>>>
>>>> I am using Fedora 9 with the MLS policy. I have been using it in  
>>>> permissive
>>>> mode for a while (integrating SELinux with a DBMS and its  
>>>> objects) and now
>>>> must do some work/testing in enforcing mode. As soon as I switch to
>>>> enforcing mode I seem unable to perform any action which requires  
>>>> privilege.
>>>>
>>>> What is the anticipated method to shutdown/reboot the system and  
>>>> to toggle
>>>> the enforcing mode while in MLS/Enforcing? What I assumed was to  
>>>> transition
>>>> to an appropriate role (sysadm_r and secadm_r respectively) and  
>>>> then issue
>>>> the corresponding command (shutdown and setenforce). This fails  
>>>> and I
>>>> believe my difficulty is that in both cases I need to also be the  
>>>> linux root
>>>> user. There does not seem to be an obvious way to execute a  
>>>> command as the
>>>> lunux root user as neither su nor sudo seem available while in  
>>>> the sysadm_r
>>>> and secadm_r roles. Executing something like seaudit while in the  
>>>> auditadm_r
>>>> role fails to allow me to authenticate as root. Despite being the  
>>>> correct
>>>> password it continuously loops asking for the password.
>>>>
>>>> As a related but less important question, in general, is it  
>>>> intended that a
>>>> user initially have the staff_r role upon login and then  
>>>> transition to a
>>>> more trusted role (i.e., secadm_r) using the newrole command? (as  
>>>> opposed to
>>>> having the secadm_r upon login.
>>>>
>>>> Thanks for any help,
>>>>
>>>> Andy
>>>>
>>>>
>>>>
>>>>
>>> Not sure how red hat works,
>>> but for me using ubuntu having to change roles
>>> I first needed to collect all of the allow rules, i.g.
>>> allow newrole_t staff_t:process  etc...
>>> then after after a reboot into enforce mode
>>> using newrole -r works fine.(just haven't defined secadm_r yet).
>>> As for toggling from enforce to permissive
>>> using setenforce 0 or 1
>>> or echo 0/1 > /selinux/enforce.
>>>
>>>
>>>
>> I have no problem changing to a role while in enforcing mode, the  
>> problem is in performing the command. Here is what is happening  
>> (the following was executed while in enforcing mode):
>>
>> [staff@oak ~]$ id -Z
>> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ newrole -r secadm_r
>> Password:
>> [staff@oak ~]$ id -Z
>> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ ls -l /selinux/enforce
>> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
>> [staff@oak ~]$ /usr/sbin/setenforce 1
>> /usr/sbin/setenforce:  setenforce() failed
>> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
>> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>> [staff@oak ~]$ id
>> uid=503(staff) gid=500(user) groups=500(user)
>> context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$
>>
>> As can be seen I can transition to the secadm_r without an issue.  
>> And, from the DAC modes of /selinux/enforce I would guess it  
>> requires linux root to be written. Also, I thought I read elsewhere  
>> that the secadm_r was configured so that it could not perform an su/ 
>> sudo. Likewise, if I try to execute system-config-selinux as the  
>> secadm_r role, I am not permitted to authenticate as linux root  
>> user so I am not able to do anything. If selinux is in permissive  
>> mode everything works, as long as I su/sudo to root first. I have  
>> similar issues with the auditadm_r role.
>>
>> As for my previously mentioned issue with using sysadm_r to issue a  
>> shutdown command while in enforcing mode, I was mistaken and this  
>> is possible using sudo (not sure what I was thinking). It seems no  
>> MLS roles can use su, only staff_r and sysadm_r may use sudo.  
>> auditadm_r and secadm_r cannot use either and seem powerless  
>> without it. I am also unable to directly log in as root when in  
>> enforcing mode.
>>
>> Note that I am using the roles as they are configured in the MLS  
>> policy. If it is required to change or configure the roles to make  
>> them able do what it seems like they should be able to do, thats  
>> ok, but first I need to make sure I'm not just being boneheaded and  
>> using them in the wrong way or have bad expectations of what they  
>> should be able to do.
>
> Sorry to answer my own email, but just to button this up. I could  
> not log into my root account because of a conflict between the  
> staff_t (login process type) and the admin_home_t (root's home dir  
> file type). Any attempt to start a session for root during enforcing  
> mode would die as it could not access root's home directory. I am  
> not exactly sure why policy is this way, if I did something or the  
> mls policy is that way by default. So, I had to find another way to  
> have linux root and secadm_r/auditadm_r at the same time. The su and  
> sudo commands are not available from those roles. So, from the  
> staff_r I had to start a shell using sudo as:
> sudo -s -r secadm_r
>
> This gave me a shell with the linux root user and the secadm_r role  
> and I was able to run things like system-config-selinux and  
> setenforce during enforcing mode. Same applies to auditadm_r. role.

[-- Attachment #2: Type: text/html, Size: 6163 bytes --]

Re: using roles with mls policy

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andy Warner wrote:
> 
> 
> Andy Warner wrote:
>>
>>
>> Justin Mattock wrote:
>>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
>>>  
>>>> I am using Fedora 9 with the MLS policy. I have been using it in
>>>> permissive
>>>> mode for a while (integrating SELinux with a DBMS and its objects)
>>>> and now
>>>> must do some work/testing in enforcing mode. As soon as I switch to
>>>> enforcing mode I seem unable to perform any action which requires
>>>> privilege.
>>>>
>>>> What is the anticipated method to shutdown/reboot the system and to
>>>> toggle
>>>> the enforcing mode while in MLS/Enforcing? What I assumed was to
>>>> transition
>>>> to an appropriate role (sysadm_r and secadm_r respectively) and then
>>>> issue
>>>> the corresponding command (shutdown and setenforce). This fails and I
>>>> believe my difficulty is that in both cases I need to also be the
>>>> linux root
>>>> user. There does not seem to be an obvious way to execute a command
>>>> as the
>>>> lunux root user as neither su nor sudo seem available while in the
>>>> sysadm_r
>>>> and secadm_r roles. Executing something like seaudit while in the
>>>> auditadm_r
>>>> role fails to allow me to authenticate as root. Despite being the
>>>> correct
>>>> password it continuously loops asking for the password.
>>>>
>>>> As a related but less important question, in general, is it intended
>>>> that a
>>>> user initially have the staff_r role upon login and then transition
>>>> to a
>>>> more trusted role (i.e., secadm_r) using the newrole command? (as
>>>> opposed to
>>>> having the secadm_r upon login.
>>>>
>>>> Thanks for any help,
>>>>
>>>> Andy
>>>>
>>>>
>>>>
>>>>     
>>>
>>> Not sure how red hat works,
>>> but for me using ubuntu having to change roles
>>> I first needed to collect all of the allow rules, i.g.
>>> allow newrole_t staff_t:process  etc...
>>> then after after a reboot into enforce mode
>>> using newrole -r works fine.(just haven't defined secadm_r yet).
>>> As for toggling from enforce to permissive
>>> using setenforce 0 or 1
>>> or echo 0/1 > /selinux/enforce.
>>>
>>>
>>>   
>> I have no problem changing to a role while in enforcing mode, the
>> problem is in performing the command. Here is what is happening (the
>> following was executed while in enforcing mode):
>>
>> [staff@oak ~]$ id -Z
>> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ newrole -r secadm_r
>> Password:
>> [staff@oak ~]$ id -Z
>> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ ls -l /selinux/enforce
>> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
>> [staff@oak ~]$ /usr/sbin/setenforce 1
>> /usr/sbin/setenforce:  setenforce() failed
>> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
>> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>> [staff@oak ~]$ id
>> uid=503(staff) gid=500(user) groups=500(user)
>> context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$
>>
>> As can be seen I can transition to the secadm_r without an issue. And,
>> from the DAC modes of /selinux/enforce I would guess it requires linux
>> root to be written. Also, I thought I read elsewhere that the secadm_r
>> was configured so that it could not perform an su/sudo. Likewise, if I
>> try to execute system-config-selinux as the secadm_r role, I am not
>> permitted to authenticate as linux root user so I am not able to do
>> anything. If selinux is in permissive mode everything works, as long
>> as I su/sudo to root first. I have similar issues with the auditadm_r
>> role.
>>
>> As for my previously mentioned issue with using sysadm_r to issue a
>> shutdown command while in enforcing mode, I was mistaken and this is
>> possible using sudo (not sure what I was thinking). It seems no MLS
>> roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r
>> and secadm_r cannot use either and seem powerless without it. I am
>> also unable to directly log in as root when in enforcing mode.
>>
>> Note that I am using the roles as they are configured in the MLS
>> policy. If it is required to change or configure the roles to make
>> them able do what it seems like they should be able to do, thats ok,
>> but first I need to make sure I'm not just being boneheaded and using
>> them in the wrong way or have bad expectations of what they should be
>> able to do.
> 
> Sorry to answer my own email, but just to button this up. I could not
> log into my root account because of a conflict between the staff_t
> (login process type) and the admin_home_t (root's home dir file type).
> Any attempt to start a session for root during enforcing mode would die
> as it could not access root's home directory. I am not exactly sure why
> policy is this way, if I did something or the mls policy is that way by
> default. So, I had to find another way to have linux root and
> secadm_r/auditadm_r at the same time. The su and sudo commands are not
> available from those roles. So, from the staff_r I had to start a shell
> using sudo as:
> sudo -s -r secadm_r
> 
> This gave me a shell with the linux root user and the secadm_r role and
> I was able to run things like system-config-selinux and setenforce
> during enforcing mode. Same applies to auditadm_r. role.
> 
You need to run sudo first to become root and then run newrole.

sudo also has the ability to transition directly to sysadm_r

My sudoes has the following lines in it from targeted policy.

dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t ALL
dwalsh ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t /bin/su

I am logged in as staff_r:staff_t.

I would not advise logging directly in as root on an MLS machine, but it
probably should be setup to login as sysadm_r,  (Although I would prefer
unconfined_r).


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkR/esACgkQrlYvE4MpobN3agCgwKkY63w3+GN71srV7GuD9ciy
0PIAniCDIBsW7Dtp9H01OMH8hOk/MDRF
=lixV
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: using roles with mls policy

[Justin Mattock]

On Wed, Nov 5, 2008 at 12:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andy Warner wrote:
>>
>>
>> Andy Warner wrote:
>>>
>>>
>>> Justin Mattock wrote:
>>>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@rubix.com> wrote:
>>>>
>>>>> I am using Fedora 9 with the MLS policy. I have been using it in
>>>>> permissive
>>>>> mode for a while (integrating SELinux with a DBMS and its objects)
>>>>> and now
>>>>> must do some work/testing in enforcing mode. As soon as I switch to
>>>>> enforcing mode I seem unable to perform any action which requires
>>>>> privilege.
>>>>>
>>>>> What is the anticipated method to shutdown/reboot the system and to
>>>>> toggle
>>>>> the enforcing mode while in MLS/Enforcing? What I assumed was to
>>>>> transition
>>>>> to an appropriate role (sysadm_r and secadm_r respectively) and then
>>>>> issue
>>>>> the corresponding command (shutdown and setenforce). This fails and I
>>>>> believe my difficulty is that in both cases I need to also be the
>>>>> linux root
>>>>> user. There does not seem to be an obvious way to execute a command
>>>>> as the
>>>>> lunux root user as neither su nor sudo seem available while in the
>>>>> sysadm_r
>>>>> and secadm_r roles. Executing something like seaudit while in the
>>>>> auditadm_r
>>>>> role fails to allow me to authenticate as root. Despite being the
>>>>> correct
>>>>> password it continuously loops asking for the password.
>>>>>
>>>>> As a related but less important question, in general, is it intended
>>>>> that a
>>>>> user initially have the staff_r role upon login and then transition
>>>>> to a
>>>>> more trusted role (i.e., secadm_r) using the newrole command? (as
>>>>> opposed to
>>>>> having the secadm_r upon login.
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> Andy
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Not sure how red hat works,
>>>> but for me using ubuntu having to change roles
>>>> I first needed to collect all of the allow rules, i.g.
>>>> allow newrole_t staff_t:process  etc...
>>>> then after after a reboot into enforce mode
>>>> using newrole -r works fine.(just haven't defined secadm_r yet).
>>>> As for toggling from enforce to permissive
>>>> using setenforce 0 or 1
>>>> or echo 0/1 > /selinux/enforce.
>>>>
>>>>
>>>>
>>> I have no problem changing to a role while in enforcing mode, the
>>> problem is in performing the command. Here is what is happening (the
>>> following was executed while in enforcing mode):
>>>
>>> [staff@oak ~]$ id -Z
>>> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
>>> [staff@oak ~]$ newrole -r secadm_r
>>> Password:
>>> [staff@oak ~]$ id -Z
>>> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>> [staff@oak ~]$ ls -l /selinux/enforce
>>> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
>>> [staff@oak ~]$ /usr/sbin/setenforce 1
>>> /usr/sbin/setenforce:  setenforce() failed
>>> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
>>> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>>> [staff@oak ~]$ id
>>> uid=503(staff) gid=500(user) groups=500(user)
>>> context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>> [staff@oak ~]$
>>>
>>> As can be seen I can transition to the secadm_r without an issue. And,
>>> from the DAC modes of /selinux/enforce I would guess it requires linux
>>> root to be written. Also, I thought I read elsewhere that the secadm_r
>>> was configured so that it could not perform an su/sudo. Likewise, if I
>>> try to execute system-config-selinux as the secadm_r role, I am not
>>> permitted to authenticate as linux root user so I am not able to do
>>> anything. If selinux is in permissive mode everything works, as long
>>> as I su/sudo to root first. I have similar issues with the auditadm_r
>>> role.
>>>
>>> As for my previously mentioned issue with using sysadm_r to issue a
>>> shutdown command while in enforcing mode, I was mistaken and this is
>>> possible using sudo (not sure what I was thinking). It seems no MLS
>>> roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r
>>> and secadm_r cannot use either and seem powerless without it. I am
>>> also unable to directly log in as root when in enforcing mode.
>>>
>>> Note that I am using the roles as they are configured in the MLS
>>> policy. If it is required to change or configure the roles to make
>>> them able do what it seems like they should be able to do, thats ok,
>>> but first I need to make sure I'm not just being boneheaded and using
>>> them in the wrong way or have bad expectations of what they should be
>>> able to do.
>>
>> Sorry to answer my own email, but just to button this up. I could not
>> log into my root account because of a conflict between the staff_t
>> (login process type) and the admin_home_t (root's home dir file type).
>> Any attempt to start a session for root during enforcing mode would die
>> as it could not access root's home directory. I am not exactly sure why
>> policy is this way, if I did something or the mls policy is that way by
>> default. So, I had to find another way to have linux root and
>> secadm_r/auditadm_r at the same time. The su and sudo commands are not
>> available from those roles. So, from the staff_r I had to start a shell
>> using sudo as:
>> sudo -s -r secadm_r
>>
>> This gave me a shell with the linux root user and the secadm_r role and
>> I was able to run things like system-config-selinux and setenforce
>> during enforcing mode. Same applies to auditadm_r. role.
>>
> You need to run sudo first to become root and then run newrole.
>
> sudo also has the ability to transition directly to sysadm_r
>
> My sudoes has the following lines in it from targeted policy.
>
> dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t ALL
> dwalsh ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t /bin/su
>
> I am logged in as staff_r:staff_t.
>
> I would not advise logging directly in as root on an MLS machine, but it
> probably should be setup to login as sysadm_r,  (Although I would prefer
> unconfined_r).
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkR/esACgkQrlYvE4MpobN3agCgwKkY63w3+GN71srV7GuD9ciy
> 0PIAniCDIBsW7Dtp9H01OMH8hOk/MDRF
> =lixV
> -----END PGP SIGNATURE-----
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

My setup here is
aterm -e sudo su
(in the fluxbox menu);
then newrole -r staff_r(for network manager)
probably not as safe, but since being for
personal use, probably O.K.

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.