SELinux UBAC question
From: Roberto Sassu @ 2010-11-17 12:54 UTC (permalink / raw)
  To: refpolicy; +Cc: selinux

Sorry, I'm resending it because the first time it was rejected by the
refpolicy@oss.tresys.com mailing list.


Hi all,

I'm using the Fedora 13 operating system with the shipped SELinux policy.
I want to add a basic protection for regular users by using the UBAC feature and
letting them log on the system with the confined domain 'user_t'.
A problem that I have found when using the policy with this feature enabled
is that root logs on the system with user 'unconfined_u' or 'root', and files created
or updated after doing an administrative task cannot be accessed by regular users.
In order to have the system working I have to execute root processes that
make changes on the system with user 'system_u'.
One solution to overcome this issue may be to add an exception to the policy,
as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
tied to regular users, leaving other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
unprotected.
Is this the right way to modify the policy in order to enforce the protection
required, or are there other alternatives?
Thanks in advance for replies.

Roberto Sassu
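An added example, not part of the thread or of refpolicy itself, that models the UBAC constraint as refpolicy shapes it (u1 == u2, or system_u on either side, or either type lacking the ubac_constrained_type attribute) and checks the two situations described above plus the proposed exemption. The contexts, the exempt-user set and the assumption that user_home_t is UBAC-constrained are constructed for the example.

```python
from dataclasses import dataclass

SYSTEM_USER = "system_u"  # the one SELinux user the stock UBAC constraint already exempts


@dataclass(frozen=True)
class Context:
    user: str               # SELinux user part of the context, e.g. user_u
    type_: str              # type part of the context, e.g. user_home_t
    ubac_constrained: bool  # assumed: whether the type carries ubac_constrained_type


def ubac_allows(subject: Context, obj: Context, exempt_users=frozenset()) -> bool:
    """Model of the refpolicy UBAC constraint for one subject/object pair.

    Access passes when the SELinux users match, when either side is system_u
    (or another user in exempt_users, which models the exception proposed in
    the message), or when either type is not UBAC-constrained.
    """
    exempt = {SYSTEM_USER} | set(exempt_users)
    return (
        subject.user == obj.user
        or subject.user in exempt
        or obj.user in exempt
        or not subject.ubac_constrained
        or not obj.ubac_constrained
    )


def scenario(exempt_users=frozenset()) -> dict:
    """Constructed contexts: a confined user (user_u:user_t) touching a home
    file that root left behind, once as unconfined_u and once as system_u."""
    user = Context("user_u", "user_t", True)
    left_by_unconfined = Context("unconfined_u", "user_home_t", True)  # root logged in as unconfined_u
    left_by_system = Context("system_u", "user_home_t", True)          # root's process ran as system_u
    return {
        "file_from_unconfined_u": ubac_allows(user, left_by_unconfined, exempt_users),
        "file_from_system_u": ubac_allows(user, left_by_system, exempt_users),
    }


# Constructed: the additional users the message proposes to exempt, like system_u.
PROPOSED_EXEMPT = frozenset({"sysadm_u", "staff_u", "root", "unconfined_u"})

if __name__ == "__main__":
    print("stock policy:", scenario())
    print("with proposed exemption:", scenario(PROPOSED_EXEMPT))
```

The exemption makes files from administrative users readable again, at the cost that the constraint no longer separates those users from regular ones, which is the trade-off the message is asking about.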


Thread overview:
2010-11-17 12:54 SELinux UBAC question (Roberto Sassu)
2010-11-17 12:54 ` [refpolicy] SELinux UBAC question (Roberto Sassu)
2010-11-17 13:39 ` reply from Christopher J. PeBenito