* Non root user cannot execute semanage, semodule
From: Rahul Jain @ 2008-12-09 17:52 UTC (permalink / raw)
To: selinux
Hi All,
I am currently developing a Role Based Access Solution on MontaVista Linux using SELinux. I started my implementation with the reference policy from Tresys. In this implementation I had assigned a role of security officer to one of my non-root Linux users. This user is responsible for maintaining SELinux related tasks such as creation, building of policy etc. But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
Is there any way in which I can permit a non-root user to execute these commands?
Thanks and Regards
Rahul Jain
* Re: Non root user cannot execute semanage, semodule
From: Stephen Smalley @ 2008-12-09 18:14 UTC (permalink / raw)
To: erahul29; +Cc: selinux
On Tue, 2008-12-09 at 09:52 -0800, Rahul Jain wrote:
> Hi All,
>
> I am currently developing a Role Based Access Solution on MontaVista
> Linux using SELinux. I started my implementation with the reference
> policy from Tresys. In this implementation I had assigned a role of
> security officer to one of my non-root Linux users. This user is
> responsible for maintaining SELinux related tasks such as creation,
> building of policy etc. But this user of mine, being a non-root user,
> is not able to execute some privileged commands such as semodule and
> semanage.
> Is there any way in which I can permit a non-root user to execute these
> commands?
>
> Thanks and Regards
> Rahul Jain
Not directly, no. SELinux only further restricts what can be done; it
does not completely override the normal Linux checks.
You could invoke semodule/semanage via sudo in order to enable a
non-root user to use them, with suitable policy configuration and
sudoers configuration.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Non root user cannot execute semanage, semodule
From: Daniel J Walsh @ 2008-12-09 21:03 UTC (permalink / raw)
To: erahul29; +Cc: selinux
Rahul Jain wrote:
> Hi All,
>
> I am currently developing a Role Based Access Solution on MontaVista Linux using SELinux. I started my implementation with the reference policy from Tresys. In this implementation I had assigned a role of security officer to one of my non-root Linux users. This user is responsible for maintaining SELinux related tasks such as creation, building of policy etc. But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
> Is there any way in which I can permit a non-root user to execute these commands?
>
> Thanks and Regards
> Rahul Jain
>
sudo
* Re: Non root user cannot execute semanage, semodule
From: Casey Schaufler @ 2008-12-10 6:19 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: erahul29, selinux
Daniel J Walsh wrote:
> Rahul Jain wrote:
>
>> Hi All,
>>
>> I am currently developing a Role Based Access Solution on MontaVista Linux using SELinux. I started my implementation with the reference policy from Tresys. In this implementation I had assigned a role of security officer to one of my non-root Linux users. This user is responsible for maintaining SELinux related tasks such as creation, building of policy etc. But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
>> Is there any way in which I can permit a non-root user to execute these commands?
>>
>> Thanks and Regards
>> Rahul Jain
>>
> sudo
>
File based capabilities, too.
* Re: Non root user cannot execute semanage, semodule
From: Justin P. Mattock @ 2008-12-10 8:00 UTC (permalink / raw)
To: Casey Schaufler; +Cc: Daniel J Walsh, erahul29@yahoo.com, SELinux
Shouldn't the employee have access to only what they need?
Justin P. Mattock
On Dec 9, 2008, at 10:19 PM, Casey Schaufler <casey@schaufler-ca.com>
wrote:
> Daniel J Walsh wrote:
>> Rahul Jain wrote:
>>
>>> Hi All,
>>> I am currently developing a Role Based Access Solution on
>>> MontaVista Linux using SELinux. I started my implementation with
>>> the reference policy from Tresys. In this implementation I had
>>> assigned a role of security officer to one of my non-root Linux
>>> users. This user is responsible for maintaining SELinux related
>>> tasks such as creation, building of policy etc. But this user of
>>> mine, being a non-root user, is not able to execute some
>>> privileged commands such as semodule and semanage. Is there any
>>> way in which I can permit a non-root user to execute these commands?
>>> Thanks and Regards
>>> Rahul Jain
>>>
>>>
>>>
>> sudo
>>
>
> File based capabilities, too.
* Re: Non root user cannot execute semanage, semodule
From: Stephen Smalley @ 2008-12-10 13:39 UTC (permalink / raw)
To: Casey Schaufler; +Cc: Daniel J Walsh, erahul29, selinux
On Tue, 2008-12-09 at 22:19 -0800, Casey Schaufler wrote:
> Daniel J Walsh wrote:
> > Rahul Jain wrote:
> >
> >> Hi All,
> >>
> >> I am currently developing a Role Based Access Solution on MontaVista Linux using SELinux. I started my implementation with the reference policy from Tresys. In this implementation I had assigned a role of security officer to one of my non-root Linux users. This user is responsible for maintaining SELinux related tasks such as creation, building of policy etc. But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
> >> Is there any way in which I can permit a non-root user to execute these commands?
> >>
> >> Thanks and Regards
> >> Rahul Jain
> >>
> >>
> >>
> >>
> > sudo
> >
>
> File based capabilities, too.
No - here we are running programs that do not expect to have any special
privileges beyond their caller. And semanage is a python script.
--
Stephen Smalley
National Security Agency
* Re: Non root user cannot execute semanage, semodule
From: Casey Schaufler @ 2008-12-10 15:56 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, erahul29, selinux
Stephen Smalley wrote:
>> No - here we are running programs that do not expect to have any special
>> privileges beyond their caller.
Yes, you would have to make the programs CAP aware, and in any case ...
>> And semanage is a python script.
>>
The Orange Book educated mind boggles. You're right. Bad idea. Never mind.
* Non root user cannot execute semanage, semodule
From: Rahul Jain @ 2008-12-10 16:34 UTC (permalink / raw)
To: sds, dwalsh, casey, justinmattock; +Cc: selinux
Thank you all,
This community is really awesome.
As suggested by Stephen, I used sudo in order to allow a non-root user to execute the privileged commands like semodule and semanage, and protected the configuration file using SELinux. I also tried to tweak policycoreutils to get things done, but it did not work. The reason is that some intermediate directories are created when these commands are executed; the owner of these directories is root, and a non-root user is not able to access them.
For me it was important to allow the security officer to execute these commands because his role entitles him to perform all security policy related tasks. semodule was needed to load the policy modules, while semanage was required to map the Linux users to the SELinux users.
Thanks and Regards
Rahul Jain
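The delegation Stephen suggested and Rahul ended up using, as an added example that is not from the thread or from any of its authors: a sudoers drop-in that lets members of a group run only semodule and semanage as root, so the security officer gets exactly the two commands the role needs and nothing else. The group name `secadm`, the drop-in path `/etc/sudoers.d/secadm` and the binary paths under `/usr/sbin` are assumptions; check the real locations with `command -v semodule` on the target system and adjust the variables.

```sh
#!/bin/sh
# Added example, not from the thread. Delegates only semodule and semanage
# to members of an assumed "secadm" group through a sudoers drop-in.
# Assumptions: group name secadm, binaries under /usr/sbin, drop-in under
# /etc/sudoers.d (that directory must be included from /etc/sudoers,
# which is the default layout on most distributions).

SEMODULE_BIN="${SEMODULE_BIN:-/usr/sbin/semodule}"
SEMANAGE_BIN="${SEMANAGE_BIN:-/usr/sbin/semanage}"

# Emit the sudoers fragment on stdout so it can be reviewed before install.
secadm_sudoers_fragment() {
    cat <<EOF
# Security-officer delegation: exactly two commands, run as root.
# Absolute paths so PATH manipulation cannot substitute another binary;
# sudo's default env_reset keeps PYTHONPATH and similar variables away
# from semanage, which is a Python script.
Cmnd_Alias SEPOLICY = ${SEMODULE_BIN}, ${SEMANAGE_BIN}
%secadm ALL=(root) SEPOLICY
EOF
}

# Write the fragment to TARGET (default /etc/sudoers.d/secadm) with the
# mode sudo requires (0440). When run as root with visudo available the
# file is syntax-checked before it is put in place. Returns 0 on success.
install_secadm_sudoers() {
    target="${1:-/etc/sudoers.d/secadm}"
    tmp=$(mktemp) || return 1
    secadm_sudoers_fragment > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        # visudo -c also verifies owner and mode, so it is only
        # meaningful once the file is root-owned, i.e. when we are root.
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$target"
}

# Stand-alone use: show the fragment that would be installed.
secadm_sudoers_fragment
```

With the drop-in in place, the officer runs the two tasks Rahul names as `sudo semodule -i mymodule.pp` and `sudo semanage login -a -s <selinux_user> <login>`; any other command is refused by sudo, which is the least-privilege point Justin raised. Keeping the list to absolute paths, and leaving sudo's environment reset in force, is what makes delegating a Python script like semanage acceptable where file capabilities (Casey's first suggestion) would not be: the interpreter itself never gains privilege, only the invocation that sudo has authorised.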
* Re: Non root user cannot execute semanage, semodule
From: Justin Mattock @ 2008-12-10 17:22 UTC (permalink / raw)
To: erahul29; +Cc: sds, dwalsh, casey, selinux
On Wed, Dec 10, 2008 at 8:34 AM, Rahul Jain <erahul29@yahoo.com> wrote:
> Thank you all,
>
> This community is really awesome.
>
> As suggested by Stephen, I used sudo in order to allow a non-root user
> to execute the privileged commands like semodule and semanage, and protected
> the configuration file using SELinux. I also tried to tweak
> policycoreutils to get things done, but it did not work. The
> reason is that some intermediate directories are created when these
> commands are executed; the owner of these directories is root, and a non-root
> user is not able to access them.
>
> For me it was important to allow the security officer to execute these commands
> because his role entitles him to perform all security policy related tasks.
> semodule was needed to load the policy modules, while semanage was required
> to map the Linux users to the SELinux users.
>
> Thanks and Regards
> Rahul Jain
>
>
>
Yeah, that makes sense.
Glad you're up and running.
--
Justin P. Mattock