SELinux UBAC question

SELinux UBAC question

[Roberto Sassu]

Sorry, i'm resending it because first time it was rejected by the
refpolicy@oss.tresys.com mailing list.


Hi all

i'm using the Fedora 13 operating system with shipped SELinux policy.
I want to add a basic protection for regular users by using the UBAC feature and
letting them to log on the system with the confined domain 'user_t'.
A problem that i have found when using the policy with this feature enabled
is that root logs on the system with user 'unconfined_u' or 'root' and files created
or updated after doing an administrative task cannot be accessed by regular users.
In order to have the system working i have to execute root processes that
make changes on the system with user 'system_u'.
One solution to overcome this issue may be to add an exception to the policy,
as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
unprotected.
Does this is the right way to modify the policy in order to enforce the protection
required or there are other alternatives?
Thanks in advance for replies.

Roberto Sassu

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[refpolicy] SELinux UBAC question

[Roberto Sassu]

Sorry, i'm resending it because first time it was rejected by the
refpolicy at oss.tresys.com mailing list.


Hi all

i'm using the Fedora 13 operating system with shipped SELinux policy.
I want to add a basic protection for regular users by using the UBAC feature and
letting them to log on the system with the confined domain 'user_t'.
A problem that i have found when using the policy with this feature enabled
is that root logs on the system with user 'unconfined_u' or 'root' and files created
or updated after doing an administrative task cannot be accessed by regular users.
In order to have the system working i have to execute root processes that
make changes on the system with user 'system_u'.
One solution to overcome this issue may be to add an exception to the policy,
as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
unprotected.
Does this is the right way to modify the policy in order to enforce the protection
required or there are other alternatives?
Thanks in advance for replies.

Roberto Sassu

Re: [refpolicy] SELinux UBAC question

[Christopher J. PeBenito]

On 11/17/10 07:54, Roberto Sassu wrote:
> i'm using the Fedora 13 operating system with shipped SELinux policy.
> I want to add a basic protection for regular users by using the UBAC feature and
> letting them to log on the system with the confined domain 'user_t'.
> A problem that i have found when using the policy with this feature enabled
> is that root logs on the system with user 'unconfined_u' or 'root' and files created
> or updated after doing an administrative task cannot be accessed by regular users.
> In order to have the system working i have to execute root processes that
> make changes on the system with user 'system_u'.

This should only be the case for user files and domains.  Other system
files, such as those in /etc, should be unaffected.

> One solution to overcome this issue may be to add an exception to the policy,
> as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
> tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
> unprotected.
> Does this is the right way to modify the policy in order to enforce the protection
> required or there are other alternatives?

It depends on your security goals.  If that still meets your goals, then
yes.  I would not include this upstream as it requires separation of all
users.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[refpolicy] SELinux UBAC question

[Christopher J. PeBenito]

On 11/17/10 07:54, Roberto Sassu wrote:
> i'm using the Fedora 13 operating system with shipped SELinux policy.
> I want to add a basic protection for regular users by using the UBAC feature and
> letting them to log on the system with the confined domain 'user_t'.
> A problem that i have found when using the policy with this feature enabled
> is that root logs on the system with user 'unconfined_u' or 'root' and files created
> or updated after doing an administrative task cannot be accessed by regular users.
> In order to have the system working i have to execute root processes that
> make changes on the system with user 'system_u'.

This should only be the case for user files and domains.  Other system
files, such as those in /etc, should be unaffected.

> One solution to overcome this issue may be to add an exception to the policy,
> as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
> tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
> unprotected.
> Does this is the right way to modify the policy in order to enforce the protection
> required or there are other alternatives?

It depends on your security goals.  If that still meets your goals, then
yes.  I would not include this upstream as it requires separation of all
users.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com