From: Rahul Jain
Reply-To: erahul29@yahoo.com
To: selinux@tycho.nsa.gov
Date: Tue, 9 Dec 2008 09:52:44 -0800 (PST)
Subject: Non root user cannot execute semanage, semodule

Hi All,

I am currently developing a Role Based Access Solution on Montavista Linux using SELinux. I started my implementation with the reference policy from Tresys. In this implementation I had assigned a role of security officer to one of my non-root Linux users. This user is responsible for maintaining SELinux related tasks such as creation, building of policy etc. But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
Is there any way in which I can permit a non-root user to execute these commands?

Thanks and Regards
Rahul Jain

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.


From: Stephen Smalley
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov
Date: Tue, 09 Dec 2008 13:14:25 -0500
Subject: Re: Non root user cannot execute semanage, semodule

On Tue, 2008-12-09 at 09:52 -0800, Rahul Jain wrote:
> But this user of mine, being a non-root user, is not able to execute some privileged commands such as semodule and semanage.
> Is there any way in which I can permit a non-root user to execute these commands?

Not directly, no. SELinux only further restricts what can be done; it does not completely override the normal Linux checks.

You could invoke semodule/semanage via sudo in order to enable a non-root user to use them, with suitable policy configuration and sudoers configuration.

--
Stephen Smalley
National Security Agency


From: Daniel J Walsh
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov
Date: Tue, 09 Dec 2008 16:03:00 -0500
Subject: Re: Non root user cannot execute semanage, semodule

Rahul Jain wrote:
> Is there any way in which I can permit a non-root user to execute these commands?

sudo


From: Casey Schaufler
To: Daniel J Walsh
Cc: erahul29@yahoo.com, selinux@tycho.nsa.gov
Date: Tue, 09 Dec 2008 22:19:58 -0800
Subject: Re: Non root user cannot execute semanage, semodule

Daniel J Walsh wrote:
> Rahul Jain wrote:
>> Is there any way in which I can permit a non-root user to execute these commands?
>
> sudo

File based capabilities, too.
From: "Justin P. Mattock"
To: Casey Schaufler
Cc: Daniel J Walsh, erahul29@yahoo.com, SELinux
Date: Wed, 10 Dec 2008 00:00:24 -0800
Subject: Re: Non root user cannot execute semanage, semodule

Shouldn't the employee have access to only what they need?

Justin P. Mattock

On Dec 9, 2008, at 10:19 PM, Casey Schaufler wrote:
> Daniel J Walsh wrote:
>> sudo
>
> File based capabilities, too.


From: Stephen Smalley
To: Casey Schaufler
Cc: Daniel J Walsh, erahul29@yahoo.com, selinux@tycho.nsa.gov
Date: Wed, 10 Dec 2008 08:39:52 -0500
Subject: Re: Non root user cannot execute semanage, semodule

On Tue, 2008-12-09 at 22:19 -0800, Casey Schaufler wrote:
> Daniel J Walsh wrote:
>> sudo
>
> File based capabilities, too.

No - here we are running programs that do not expect to have any special privileges beyond their caller. And semanage is a Python script.

--
Stephen Smalley
National Security Agency


From: Casey Schaufler
To: Stephen Smalley
Cc: Daniel J Walsh, erahul29@yahoo.com, selinux@tycho.nsa.gov
Date: Wed, 10 Dec 2008 07:56:41 -0800
Subject: Re: Non root user cannot execute semanage, semodule

Stephen Smalley wrote:
> No - here we are running programs that do not expect to have any special
> privileges beyond their caller.

Yes, you would have to make the programs CAP aware, and in any case ...

> And semanage is a Python script.

The Orange Book educated mind boggles. You're right. Bad idea. Never mind.
From: Rahul Jain
Reply-To: erahul29@yahoo.com
To: sds@tycho.nsa.gov, dwalsh@redhat.com, casey@schaufler-ca.com, justinmattock@gmail.com
Cc: selinux@tycho.nsa.gov
Date: Wed, 10 Dec 2008 08:34:20 -0800 (PST)
Subject: Non root user cannot execute semanage, semodule

Thank you all,
 
This community is really awesome.
 
As suggested by Stephen, I used sudo in order to allow a non-root user to execute the privileged commands like semodule and semanage, and protected the configuration file using SELinux. Though I also tried to tweak the policycoreutils to get things done, it did not work. The reason being some intermediate directories that are created when these commands are executed: the owner of these directories is root, and a non-root user is not able to access these directories.
 
For me it was important to allow the security officer to execute these commands because his role entitles him to perform all security policy related tasks. Semodule was needed to load the policy modules, while semanage was required to map the Linux users to the SELinux users.
 
Thanks and Regards
Rahul Jain
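The sudo-based arrangement Stephen suggested and Rahul adopted, as an added shell example that is not part of the thread: a sudoers drop-in that lets one Linux account run only semodule and semanage as root, an offline check of what that grant would and would not permit, and the semanage login mapping Rahul used. The account name secadm, the SELinux user staff_u and the /usr/sbin paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Gives one Linux account (the
# security officer) root-level access to semodule and semanage only, via a
# sudoers drop-in, and maps that account to an SELinux user with semanage.
# Assumptions: account "secadm", SELinux user "staff_u", tools in /usr/sbin.

SEC_USER="secadm"      # assumed Linux login of the security officer
SEC_SEUSER="staff_u"   # assumed SELinux user the login is mapped to
SEMODULE="/usr/sbin/semodule"
SEMANAGE="/usr/sbin/semanage"

# Render the sudoers drop-in. Only the two absolute paths are granted; no
# NOPASSWD and no ALL, so the officer cannot run a shell or anything else as
# root. semodule can still load arbitrary policy, so this remains a powerful
# grant, which is what a security-officer role is meant to hold.
sudoers_fragment() {
    cat <<EOF
# Security officer may manage SELinux policy and user mappings, nothing else
Cmnd_Alias SEPOLICY = ${SEMODULE}, ${SEMANAGE}
${SEC_USER} ALL=(root) SEPOLICY
EOF
}

# Offline check of what the grant above allows: sudo matches the command's
# first word against the alias, so only these exact paths pass, a relative
# "semodule" or a lookalike path does not. Returns 0 (allowed) or 1 (denied).
sepolicy_allows() {
    case "$1" in
        "$SEMODULE"|"$SEMODULE "*|"$SEMANAGE"|"$SEMANAGE "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the drop-in after syntax-checking it with visudo. Needs root; not
# invoked automatically so the rendered file can be reviewed first.
install_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    if visudo -cf "$tmp" && install -m 0440 "$tmp" /etc/sudoers.d/sepolicy; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Map the officer's Linux login to an SELinux user (what the thread used
# semanage for). Needs root, or the sudo grant above.
map_security_officer() {
    semanage login -a -s "$SEC_SEUSER" "$SEC_USER"
}
```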
From: "Justin Mattock"
To: erahul29@yahoo.com
Cc: sds@tycho.nsa.gov, dwalsh@redhat.com, casey@schaufler-ca.com, selinux@tycho.nsa.gov
Date: Wed, 10 Dec 2008 09:22:03 -0800
Subject: Re: Non root user cannot execute semanage, semodule

On Wed, Dec 10, 2008 at 8:34 AM, Rahul Jain wrote:
> As suggested by Stephen, I used sudo in order to allow a non-root user
> to execute the privileged commands like semodule and semanage, and protected
> the configuration file using SELinux.
> [...]
> Semodule was needed to load the policy modules, while semanage was required
> to map the Linux users to the SELinux users.

Yeah, that makes sense. Glad you're up and running.

--
Justin P. Mattock