* SELinux role separation @ 2011-01-18 18:03 Qwyjibo Jones 2011-01-19 19:29 ` Stephen Smalley 2011-01-19 20:11 ` Daniel J Walsh 0 siblings, 2 replies; 12+ messages in thread From: Qwyjibo Jones @ 2011-01-18 18:03 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 1395 bytes --] I am currently working with an Itanium2 system which has RHEL 5.3 MLS installed. I am trying to understand how separation of roles works in SELinux/MLS policy version 21. We have been told that we need to separate roles that the sys admin is no longer allowed to do. After reading through these threads, in the archives I am still wondering about a couple things: http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 And this one: http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml 1) Is the RHEL 5.x MLS policy version 21 capable of the following separation of sysadm_r and secadm_r roles: a) Can the secadm_r role be the only role that can assign roles via semanage? b) Can the secadm_r role be the only role that can assign/modify network interface labels via semanage? c) Can the secadm_r role be the only role that can control files used in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... 2) Is this better accomplished with a combination of SUDO and SELinux? 3) How can I determine what secadm_r can do in the current configuration? can any of the CLI tools show me that? ( no gui tools available ) If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to Itanium systems, but we may have new hardware soon) Any tips. hints, pointers etc... would be very helpfull. Thanks for your time, [-- Attachment #2: Type: text/html, Size: 1730 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-18 18:03 SELinux role separation Qwyjibo Jones @ 2011-01-19 19:29 ` Stephen Smalley 2011-01-19 20:11 ` Daniel J Walsh 1 sibling, 0 replies; 12+ messages in thread From: Stephen Smalley @ 2011-01-19 19:29 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux, Daniel J Walsh On Tue, 2011-01-18 at 13:03 -0500, Qwyjibo Jones wrote: > > I am currently working with an Itanium2 system which has RHEL 5.3 MLS > installed. > I am trying to understand how separation of roles works in SELinux/MLS > policy version 21. We have been told that we need to separate roles > that the sys admin is no longer allowed to do. > > After reading through these threads, in the archives I am still > wondering about a couple things: > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > And this one: > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > 1) Is the RHEL 5.x MLS policy version 21 capable of the following > separation of sysadm_r and secadm_r roles: > > a) Can the secadm_r role be the only role that can assign roles via > semanage? > > b) Can the secadm_r role be the only role that can assign/modify > network interface labels via semanage? > > c) Can the secadm_r role be the only role that can control files > used in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd > etc... > > 2) Is this better accomplished with a combination of SUDO and SELinux? > 3) How can I determine what secadm_r can do in the current > configuration? can any of the CLI tools show me that? ( no gui tools > available ) What you describe should be possible using the MLS policy, although I can't speak to the specifics of the RHEL5 policy. If you have or can install setools, then you should be able to query the policy via sesearch to discover what is allowed without needing any GUI. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-18 18:03 SELinux role separation Qwyjibo Jones 2011-01-19 19:29 ` Stephen Smalley @ 2011-01-19 20:11 ` Daniel J Walsh 2011-01-19 21:44 ` Qwyjibo Jones 1 sibling, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2011-01-19 20:11 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > > I am currently working with an Itanium2 system which has RHEL 5.3 MLS > installed. > I am trying to understand how separation of roles works in SELinux/MLS > policy version 21. We have been told that we need to separate roles that > the sys admin is no longer allowed to do. > > After reading through these threads, in the archives I am still > wondering about a couple things: > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > And this one: > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > 1) Is the RHEL 5.x MLS policy version 21 capable of the following > separation of sysadm_r and secadm_r roles: > > a) Can the secadm_r role be the only role that can assign roles via > semanage? > > b) Can the secadm_r role be the only role that can assign/modify > network interface labels via semanage? > secadm_r:secadm_t in MLS policy is only allowed to run semanage if the allow_sysadm_manage_security boolean is turned off. > c) Can the secadm_r role be the only role that can control files used > in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > auditadm_r:auditadm_t is only allowed to modify these files. > 2) Is this better accomplished with a combination of SUDO and SELinux? Since sysadm_t can hack his way around the SELinux controls via tools like rpm and fdisk, you are better off using sudo to further restrict his actions, if possible. > 3) How can I determine what secadm_r can do in the current > configuration? can any of the CLI tools show me that? ( no gui tools > available ) > You probably want to look at secadm_t sesearch -A -t secadm_t > If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to > Itanium systems, but we may have new hardware soon) > > Any tips. hints, pointers etc... would be very helpfull. > > Thanks for your time, -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk03RYsACgkQrlYvE4MpobPxeQCfYZFtvY0/6oiB0kCUhZfy8NBe 1isAoI2+zCfveZJRpCxIxeu+XAvcjFcw =vT6y -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-19 20:11 ` Daniel J Walsh @ 2011-01-19 21:44 ` Qwyjibo Jones 2011-01-19 21:47 ` Daniel J Walsh 2011-01-19 21:51 ` Daniel J Walsh 0 siblings, 2 replies; 12+ messages in thread From: Qwyjibo Jones @ 2011-01-19 21:44 UTC (permalink / raw) To: Daniel J Walsh; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 2568 bytes --] I don't seem to have the "allow_sysadm_manage_security" boolean. Do I need to create it somehow and put it under /selinux/booleans ? # getsebool -a | grep allow_sysadm_manage_security # getsebool -a | grep allow_sysadm # getsebool -a | grep sysadm allow_httpd_sysadm_script_anon_write --> off ssh_sysadm_login --> off staff_read_sysadm_file --> off xdm_sysadm_login --> off Thanks, On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > > > > I am currently working with an Itanium2 system which has RHEL 5.3 MLS > > installed. > > I am trying to understand how separation of roles works in SELinux/MLS > > policy version 21. We have been told that we need to separate roles that > > the sys admin is no longer allowed to do. > > > > After reading through these threads, in the archives I am still > > wondering about a couple things: > > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > > > And this one: > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > > > 1) Is the RHEL 5.x MLS policy version 21 capable of the following > > separation of sysadm_r and secadm_r roles: > > > > a) Can the secadm_r role be the only role that can assign roles via > > semanage? > > > c) Can the secadm_r role be the only role that can control files used > > in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > > auditadm_r:auditadm_t is only allowed to modify these files. > > > 2) Is this better accomplished with a combination of SUDO and SELinux? > Since sysadm_t can hack his way around the SELinux controls via tools > like rpm and fdisk, you are better off using sudo to further restrict > his actions, if possible. > > 3) How can I determine what secadm_r can do in the current > > configuration? can any of the CLI tools show me that? ( no gui tools > > available ) > > > You probably want to look at secadm_t > > sesearch -A -t secadm_t > > > If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to > > Itanium systems, but we may have new hardware soon) > > > > Any tips. hints, pointers etc... would be very helpfull. > > > > Thanks for your time, > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk03RYsACgkQrlYvE4MpobPxeQCfYZFtvY0/6oiB0kCUhZfy8NBe > 1isAoI2+zCfveZJRpCxIxeu+XAvcjFcw > =vT6y > -----END PGP SIGNATURE----- > [-- Attachment #2: Type: text/html, Size: 3548 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-19 21:44 ` Qwyjibo Jones @ 2011-01-19 21:47 ` Daniel J Walsh 2011-01-19 21:51 ` Daniel J Walsh 1 sibling, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2011-01-19 21:47 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: > I don't seem to have the "allow_sysadm_manage_security" boolean. Do I > need to create it somehow and put it under /selinux/booleans ? > > # getsebool -a | grep allow_sysadm_manage_security > # getsebool -a | grep allow_sysadm > # getsebool -a | grep sysadm > allow_httpd_sysadm_script_anon_write --> off > ssh_sysadm_login --> off > staff_read_sysadm_file --> off > xdm_sysadm_login --> off > > > > Thanks, > > On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com>> wrote: > > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS >> installed. >> I am trying to understand how separation of roles works in SELinux/MLS >> policy version 21. We have been told that we need to separate > roles that >> the sys admin is no longer allowed to do. > >> After reading through these threads, in the archives I am still >> wondering about a couple things: > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > >> And this one: > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following >> separation of sysadm_r and secadm_r roles: > >> a) Can the secadm_r role be the only role that can assign roles via >> semanage? > >> c) Can the secadm_r role be the only role that can control > files used >> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > auditadm_r:auditadm_t is only allowed to modify these files. > >> 2) Is this better accomplished with a combination of SUDO and SELinux? > Since sysadm_t can hack his way around the SELinux controls via tools > like rpm and fdisk, you are better off using sudo to further restrict > his actions, if possible. >> 3) How can I determine what secadm_r can do in the current >> configuration? can any of the CLI tools show me that? ( no gui tools >> available ) > > You probably want to look at secadm_t > > sesearch -A -t secadm_t > >> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to >> Itanium systems, but we may have new hardware soon) > >> Any tips. hints, pointers etc... would be very helpfull. > >> Thanks for your time, > You are running on an MLS machine? seinfo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk03W/gACgkQrlYvE4MpobOhXACgjt4a2pHLgbfTRfUJTmhR2ALH 5VAAoIMbs+gV+YD8QlQFMv4oP9qiN5IX =nMTA -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-19 21:44 ` Qwyjibo Jones 2011-01-19 21:47 ` Daniel J Walsh @ 2011-01-19 21:51 ` Daniel J Walsh 2011-01-20 13:43 ` Qwyjibo Jones 2011-01-20 13:45 ` Qwyjibo Jones 1 sibling, 2 replies; 12+ messages in thread From: Daniel J Walsh @ 2011-01-19 21:51 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: > I don't seem to have the "allow_sysadm_manage_security" boolean. Do I > need to create it somehow and put it under /selinux/booleans ? > > # getsebool -a | grep allow_sysadm_manage_security > # getsebool -a | grep allow_sysadm > # getsebool -a | grep sysadm > allow_httpd_sysadm_script_anon_write --> off > ssh_sysadm_login --> off > staff_read_sysadm_file --> off > xdm_sysadm_login --> off > > > > Thanks, > > On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com>> wrote: > > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS >> installed. >> I am trying to understand how separation of roles works in SELinux/MLS >> policy version 21. We have been told that we need to separate > roles that >> the sys admin is no longer allowed to do. > >> After reading through these threads, in the archives I am still >> wondering about a couple things: > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > >> And this one: > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following >> separation of sysadm_r and secadm_r roles: > >> a) Can the secadm_r role be the only role that can assign roles via >> semanage? > >> c) Can the secadm_r role be the only role that can control > files used >> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > auditadm_r:auditadm_t is only allowed to modify these files. > >> 2) Is this better accomplished with a combination of SUDO and SELinux? > Since sysadm_t can hack his way around the SELinux controls via tools > like rpm and fdisk, you are better off using sudo to further restrict > his actions, if possible. >> 3) How can I determine what secadm_r can do in the current >> configuration? can any of the CLI tools show me that? ( no gui tools >> available ) > > You probably want to look at secadm_t > > sesearch -A -t secadm_t > >> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to >> Itanium systems, but we may have new hardware soon) > >> Any tips. hints, pointers etc... would be very helpfull. > >> Thanks for your time, > Oops I misread the policy, I guess we abandoned the separation. ifdef(`enable_mls',` userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) # tunable_policy(`allow_sysadm_manage_security',` userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) # ') Missed the "#" at the beginning of the lines. So I don't think we prevent sysadm_t from managing the security, of course he has to be able to run at SystemHigh. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk03XOYACgkQrlYvE4MpobNWvACeO1Q8Rioee4mA8jHSUKWyDFkI hHgAn2hf4+hRA36bn2urfI3ezlKNK/+O =h3mZ -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-19 21:51 ` Daniel J Walsh @ 2011-01-20 13:43 ` Qwyjibo Jones 2011-01-20 13:45 ` Qwyjibo Jones 1 sibling, 0 replies; 12+ messages in thread From: Qwyjibo Jones @ 2011-01-20 13:43 UTC (permalink / raw) To: Daniel J Walsh; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 3444 bytes --] Thanks for the info... On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: > > I don't seem to have the "allow_sysadm_manage_security" boolean. Do I > > need to create it somehow and put it under /selinux/booleans ? > > > > # getsebool -a | grep allow_sysadm_manage_security > > # getsebool -a | grep allow_sysadm > > # getsebool -a | grep sysadm > > allow_httpd_sysadm_script_anon_write --> off > > ssh_sysadm_login --> off > > staff_read_sysadm_file --> off > > xdm_sysadm_login --> off > > > > > > > > Thanks, > > > > On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > > <mailto:dwalsh@redhat.com>> wrote: > > > > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > > > >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS > >> installed. > >> I am trying to understand how separation of roles works in SELinux/MLS > >> policy version 21. We have been told that we need to separate > > roles that > >> the sys admin is no longer allowed to do. > > > >> After reading through these threads, in the archives I am still > >> wondering about a couple things: > > > > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > > >> And this one: > > > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > > >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following > >> separation of sysadm_r and secadm_r roles: > > > >> a) Can the secadm_r role be the only role that can assign roles via > >> semanage? > > > >> c) Can the secadm_r role be the only role that can control > > files used > >> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > > > auditadm_r:auditadm_t is only allowed to modify these files. > > > >> 2) Is this better accomplished with a combination of SUDO and SELinux? > > Since sysadm_t can hack his way around the SELinux controls via tools > > like rpm and fdisk, you are better off using sudo to further restrict > > his actions, if possible. > >> 3) How can I determine what secadm_r can do in the current > >> configuration? can any of the CLI tools show me that? ( no gui tools > >> available ) > > > > You probably want to look at secadm_t > > > > sesearch -A -t secadm_t > > > >> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to > >> Itanium systems, but we may have new hardware soon) > > > >> Any tips. hints, pointers etc... would be very helpfull. > > > >> Thanks for your time, > > > Oops I misread the policy, I guess we abandoned the separation. > > > ifdef(`enable_mls',` > userdom_security_administrator(secadm_t,secadm_r,{ > secadm_tty_device_t sysadm_devpts_t }) > # tunable_policy(`allow_sysadm_manage_security',` > > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) > # ') > > > Missed the "#" at the beginning of the lines. So I don't think we > prevent sysadm_t from managing the security, of course he has to be able > to run at SystemHigh. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk03XOYACgkQrlYvE4MpobNWvACeO1Q8Rioee4mA8jHSUKWyDFkI > hHgAn2hf4+hRA36bn2urfI3ezlKNK/+O > =h3mZ > -----END PGP SIGNATURE----- > [-- Attachment #2: Type: text/html, Size: 4837 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-19 21:51 ` Daniel J Walsh 2011-01-20 13:43 ` Qwyjibo Jones @ 2011-01-20 13:45 ` Qwyjibo Jones 2011-01-20 14:21 ` Daniel J Walsh 2011-01-20 14:23 ` Daniel J Walsh 1 sibling, 2 replies; 12+ messages in thread From: Qwyjibo Jones @ 2011-01-20 13:45 UTC (permalink / raw) To: Daniel J Walsh; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 3519 bytes --] Sorry, one more question... Does the MLS policy shipped with RHEL 6 have the separation? Thanks, On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: > > I don't seem to have the "allow_sysadm_manage_security" boolean. Do I > > need to create it somehow and put it under /selinux/booleans ? > > > > # getsebool -a | grep allow_sysadm_manage_security > > # getsebool -a | grep allow_sysadm > > # getsebool -a | grep sysadm > > allow_httpd_sysadm_script_anon_write --> off > > ssh_sysadm_login --> off > > staff_read_sysadm_file --> off > > xdm_sysadm_login --> off > > > > > > > > Thanks, > > > > On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > > <mailto:dwalsh@redhat.com>> wrote: > > > > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > > > >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS > >> installed. > >> I am trying to understand how separation of roles works in SELinux/MLS > >> policy version 21. We have been told that we need to separate > > roles that > >> the sys admin is no longer allowed to do. > > > >> After reading through these threads, in the archives I am still > >> wondering about a couple things: > > > > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > > >> And this one: > > > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > > >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following > >> separation of sysadm_r and secadm_r roles: > > > >> a) Can the secadm_r role be the only role that can assign roles via > >> semanage? > > > >> c) Can the secadm_r role be the only role that can control > > files used > >> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > > > auditadm_r:auditadm_t is only allowed to modify these files. > > > >> 2) Is this better accomplished with a combination of SUDO and SELinux? > > Since sysadm_t can hack his way around the SELinux controls via tools > > like rpm and fdisk, you are better off using sudo to further restrict > > his actions, if possible. > >> 3) How can I determine what secadm_r can do in the current > >> configuration? can any of the CLI tools show me that? ( no gui tools > >> available ) > > > > You probably want to look at secadm_t > > > > sesearch -A -t secadm_t > > > >> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to > >> Itanium systems, but we may have new hardware soon) > > > >> Any tips. hints, pointers etc... would be very helpfull. > > > >> Thanks for your time, > > > Oops I misread the policy, I guess we abandoned the separation. > > > ifdef(`enable_mls',` > userdom_security_administrator(secadm_t,secadm_r,{ > secadm_tty_device_t sysadm_devpts_t }) > # tunable_policy(`allow_sysadm_manage_security',` > > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) > # ') > > > Missed the "#" at the beginning of the lines. So I don't think we > prevent sysadm_t from managing the security, of course he has to be able > to run at SystemHigh. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk03XOYACgkQrlYvE4MpobNWvACeO1Q8Rioee4mA8jHSUKWyDFkI > hHgAn2hf4+hRA36bn2urfI3ezlKNK/+O > =h3mZ > -----END PGP SIGNATURE----- > [-- Attachment #2: Type: text/html, Size: 4921 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-20 13:45 ` Qwyjibo Jones @ 2011-01-20 14:21 ` Daniel J Walsh 2011-01-20 14:23 ` Daniel J Walsh 1 sibling, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2011-01-20 14:21 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/20/2011 08:45 AM, Qwyjibo Jones wrote: > Sorry, one more question... > > Does the MLS policy shipped with RHEL 6 have the separation? > > Thanks, > > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com>> wrote: > > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I >> need to create it somehow and put it under /selinux/booleans ? > >> # getsebool -a | grep allow_sysadm_manage_security >> # getsebool -a | grep allow_sysadm >> # getsebool -a | grep sysadm >> allow_httpd_sysadm_script_anon_write --> off >> ssh_sysadm_login --> off >> staff_read_sysadm_file --> off >> xdm_sysadm_login --> off > > > >> Thanks, > >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com> >> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote: > >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS >>> installed. >>> I am trying to understand how separation of roles works in > SELinux/MLS >>> policy version 21. We have been told that we need to separate >> roles that >>> the sys admin is no longer allowed to do. > >>> After reading through these threads, in the archives I am still >>> wondering about a couple things: > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > >>> And this one: > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following >>> separation of sysadm_r and secadm_r roles: > >>> a) Can the secadm_r role be the only role that can assign > roles via >>> semanage? > >>> c) Can the secadm_r role be the only role that can control >> files used >>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > >> auditadm_r:auditadm_t is only allowed to modify these files. > >>> 2) Is this better accomplished with a combination of SUDO and > SELinux? >> Since sysadm_t can hack his way around the SELinux controls via tools >> like rpm and fdisk, you are better off using sudo to further restrict >> his actions, if possible. >>> 3) How can I determine what secadm_r can do in the current >>> configuration? can any of the CLI tools show me that? ( no gui tools >>> available ) > >> You probably want to look at secadm_t > >> sesearch -A -t secadm_t > >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to >>> Itanium systems, but we may have new hardware soon) > >>> Any tips. hints, pointers etc... would be very helpfull. > >>> Thanks for your time, > > Oops I misread the policy, I guess we abandoned the separation. > > > ifdef(`enable_mls',` > > userdom_security_administrator(secadm_t,secadm_r,{ > secadm_tty_device_t sysadm_devpts_t }) > # tunable_policy(`allow_sysadm_manage_security',` > > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) > # ') > > > Missed the "#" at the beginning of the lines. So I don't think we > prevent sysadm_t from managing the security, of course he has to be able > to run at SystemHigh. > RHEL6 MLS Policy for separation is pretty much the same. We are just working on certification now, hopefully for 6.1. There is a lot more policy that works with MLS in RHEL6 including some desktop features, although we will be certifying server only, I believe. Others might build a MLS desktop based on RHEL6. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk04RQAACgkQrlYvE4MpobMSsgCg2tGDK2RvLrb7nv8gvCzX+mMq F/YAoIu4Cp3JtIYrZL5IeEJRuF1mZWrj =BL/v -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-20 13:45 ` Qwyjibo Jones 2011-01-20 14:21 ` Daniel J Walsh @ 2011-01-20 14:23 ` Daniel J Walsh 2011-01-20 17:05 ` Qwyjibo Jones 1 sibling, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2011-01-20 14:23 UTC (permalink / raw) To: Qwyjibo Jones; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/20/2011 08:45 AM, Qwyjibo Jones wrote: > Sorry, one more question... > > Does the MLS policy shipped with RHEL 6 have the separation? > > Thanks, > > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com>> wrote: > > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I >> need to create it somehow and put it under /selinux/booleans ? > >> # getsebool -a | grep allow_sysadm_manage_security >> # getsebool -a | grep allow_sysadm >> # getsebool -a | grep sysadm >> allow_httpd_sysadm_script_anon_write --> off >> ssh_sysadm_login --> off >> staff_read_sysadm_file --> off >> xdm_sysadm_login --> off > > > >> Thanks, > >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > <mailto:dwalsh@redhat.com> >> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote: > >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS >>> installed. >>> I am trying to understand how separation of roles works in > SELinux/MLS >>> policy version 21. We have been told that we need to separate >> roles that >>> the sys admin is no longer allowed to do. > >>> After reading through these threads, in the archives I am still >>> wondering about a couple things: > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > >>> And this one: > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following >>> separation of sysadm_r and secadm_r roles: > >>> a) Can the secadm_r role be the only role that can assign > roles via >>> semanage? > >>> c) Can the secadm_r role be the only role that can control >> files used >>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > >> auditadm_r:auditadm_t is only allowed to modify these files. > >>> 2) Is this better accomplished with a combination of SUDO and > SELinux? >> Since sysadm_t can hack his way around the SELinux controls via tools >> like rpm and fdisk, you are better off using sudo to further restrict >> his actions, if possible. >>> 3) How can I determine what secadm_r can do in the current >>> configuration? can any of the CLI tools show me that? ( no gui tools >>> available ) > >> You probably want to look at secadm_t > >> sesearch -A -t secadm_t > >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to >>> Itanium systems, but we may have new hardware soon) > >>> Any tips. hints, pointers etc... would be very helpfull. > >>> Thanks for your time, > > Oops I misread the policy, I guess we abandoned the separation. > > > ifdef(`enable_mls',` > > userdom_security_administrator(secadm_t,secadm_r,{ > secadm_tty_device_t sysadm_devpts_t }) > # tunable_policy(`allow_sysadm_manage_security',` > > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) > # ') > > > Missed the "#" at the beginning of the lines. So I don't think we > prevent sysadm_t from managing the security, of course he has to be able > to run at SystemHigh. > One idea would be to build the separation into a separate module sysadm_secadm.pp then you could disable this module and take away the power of sysadm to do security administration. How important is this? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A =Ae9m -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-20 14:23 ` Daniel J Walsh @ 2011-01-20 17:05 ` Qwyjibo Jones 2011-02-19 14:25 ` Qwyjibo Jones 0 siblings, 1 reply; 12+ messages in thread From: Qwyjibo Jones @ 2011-01-20 17:05 UTC (permalink / raw) To: Daniel J Walsh; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 4575 bytes --] Okay, We aren't using any desktop right now. this system is a headless server. As for how important... Well if you ask me, (the sysadmin), I would say not very. But alas it is not up to me. I will have to get the customer (Govt) to tell me how much they need this. Perhaps I can get them to wait until 6.1 comes out since they are thinking of a hardware refresh anyhow. My current policy skills are probably insufficient to the task of making the policy you described. I can use audit2allow pretty well tho... :) Thanks, On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/20/2011 08:45 AM, Qwyjibo Jones wrote: > > Sorry, one more question... > > > > Does the MLS policy shipped with RHEL 6 have the separation? > > > > Thanks, > > > > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com > > <mailto:dwalsh@redhat.com>> wrote: > > > > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: > >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I > >> need to create it somehow and put it under /selinux/booleans ? > > > >> # getsebool -a | grep allow_sysadm_manage_security > >> # getsebool -a | grep allow_sysadm > >> # getsebool -a | grep sysadm > >> allow_httpd_sysadm_script_anon_write --> off > >> ssh_sysadm_login --> off > >> staff_read_sysadm_file --> off > >> xdm_sysadm_login --> off > > > > > > > >> Thanks, > > > >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com > > <mailto:dwalsh@redhat.com> > >> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote: > > > >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: > > > >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS > >>> installed. > >>> I am trying to understand how separation of roles works in > > SELinux/MLS > >>> policy version 21. We have been told that we need to separate > >> roles that > >>> the sys admin is no longer allowed to do. > > > >>> After reading through these threads, in the archives I am still > >>> wondering about a couple things: > > > > > > > > > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 > > > >>> And this one: > > > > > > > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml > > > >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following > >>> separation of sysadm_r and secadm_r roles: > > > >>> a) Can the secadm_r role be the only role that can assign > > roles via > >>> semanage? > > > >>> c) Can the secadm_r role be the only role that can control > >> files used > >>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... > > > >> auditadm_r:auditadm_t is only allowed to modify these files. > > > >>> 2) Is this better accomplished with a combination of SUDO and > > SELinux? > >> Since sysadm_t can hack his way around the SELinux controls via tools > >> like rpm and fdisk, you are better off using sudo to further restrict > >> his actions, if possible. > >>> 3) How can I determine what secadm_r can do in the current > >>> configuration? can any of the CLI tools show me that? ( no gui tools > >>> available ) > > > >> You probably want to look at secadm_t > > > >> sesearch -A -t secadm_t > > > >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to > >>> Itanium systems, but we may have new hardware soon) > > > >>> Any tips. hints, pointers etc... would be very helpfull. > > > >>> Thanks for your time, > > > > Oops I misread the policy, I guess we abandoned the separation. > > > > > > ifdef(`enable_mls',` > > > > userdom_security_administrator(secadm_t,secadm_r,{ > > secadm_tty_device_t sysadm_devpts_t }) > > # tunable_policy(`allow_sysadm_manage_security',` > > > > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) > > # ') > > > > > > Missed the "#" at the beginning of the lines. So I don't think we > > prevent sysadm_t from managing the security, of course he has to be able > > to run at SystemHigh. > > > One idea would be to build the separation into a separate module > sysadm_secadm.pp then you could disable this module and take away the > power of sysadm to do security administration. How important is this? > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko > YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A > =Ae9m > -----END PGP SIGNATURE----- > [-- Attachment #2: Type: text/html, Size: 6453 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: SELinux role separation 2011-01-20 17:05 ` Qwyjibo Jones @ 2011-02-19 14:25 ` Qwyjibo Jones 0 siblings, 0 replies; 12+ messages in thread From: Qwyjibo Jones @ 2011-02-19 14:25 UTC (permalink / raw) To: Daniel J Walsh; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 5163 bytes --] Just as a follow up to this thread. This is an important feature to the customer. My team has managed to differ this until a later release. Hopefully one of the 6.x versions. They like SELinux MLS because *so far* their, Solaris TX and ZFS systems cannot label data at rest. They have TX systems that they want to migrate away from. Thanks for the help On Thu, Jan 20, 2011 at 12:05 PM, Qwyjibo Jones <qwyjibojones@gmail.com>wrote: > Okay, > > We aren't using any desktop right now. this system is a headless server. > > As for how important... Well if you ask me, (the sysadmin), I would say not > very. But alas it is not up to me. I will have to get the customer (Govt) to > tell me how much they need this. Perhaps I can get them to wait until 6.1 > comes out since they are thinking of a hardware refresh anyhow. > > My current policy skills are probably insufficient to the task of making > the policy you described. I can use audit2allow pretty well tho... :) > > Thanks, > > > On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 01/20/2011 08:45 AM, Qwyjibo Jones wrote: >> > Sorry, one more question... >> > >> > Does the MLS policy shipped with RHEL 6 have the separation? >> > >> > Thanks, >> > >> > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com >> > <mailto:dwalsh@redhat.com>> wrote: >> > >> > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote: >> >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I >> >> need to create it somehow and put it under /selinux/booleans ? >> > >> >> # getsebool -a | grep allow_sysadm_manage_security >> >> # getsebool -a | grep allow_sysadm >> >> # getsebool -a | grep sysadm >> >> allow_httpd_sysadm_script_anon_write --> off >> >> ssh_sysadm_login --> off >> >> staff_read_sysadm_file --> off >> >> xdm_sysadm_login --> off >> > >> > >> > >> >> Thanks, >> > >> >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com >> > <mailto:dwalsh@redhat.com> >> >> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote: >> > >> >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote: >> > >> >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS >> >>> installed. >> >>> I am trying to understand how separation of roles works in >> > SELinux/MLS >> >>> policy version 21. We have been told that we need to separate >> >> roles that >> >>> the sys admin is no longer allowed to do. >> > >> >>> After reading through these threads, in the archives I am still >> >>> wondering about a couple things: >> > >> > >> > >> > >> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082 >> > >> >>> And this one: >> > >> > >> > >> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml >> > >> >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following >> >>> separation of sysadm_r and secadm_r roles: >> > >> >>> a) Can the secadm_r role be the only role that can assign >> > roles via >> >>> semanage? >> > >> >>> c) Can the secadm_r role be the only role that can control >> >> files used >> >>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc... >> > >> >> auditadm_r:auditadm_t is only allowed to modify these files. >> > >> >>> 2) Is this better accomplished with a combination of SUDO and >> > SELinux? >> >> Since sysadm_t can hack his way around the SELinux controls via tools >> >> like rpm and fdisk, you are better off using sudo to further restrict >> >> his actions, if possible. >> >>> 3) How can I determine what secadm_r can do in the current >> >>> configuration? can any of the CLI tools show me that? ( no gui tools >> >>> available ) >> > >> >> You probably want to look at secadm_t >> > >> >> sesearch -A -t secadm_t >> > >> >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to >> >>> Itanium systems, but we may have new hardware soon) >> > >> >>> Any tips. hints, pointers etc... would be very helpfull. >> > >> >>> Thanks for your time, >> > >> > Oops I misread the policy, I guess we abandoned the separation. >> > >> > >> > ifdef(`enable_mls',` >> > >> > userdom_security_administrator(secadm_t,secadm_r,{ >> > secadm_tty_device_t sysadm_devpts_t }) >> > # tunable_policy(`allow_sysadm_manage_security',` >> > >> > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal) >> > # ') >> > >> > >> > Missed the "#" at the beginning of the lines. So I don't think we >> > prevent sysadm_t from managing the security, of course he has to be able >> > to run at SystemHigh. >> > >> One idea would be to build the separation into a separate module >> sysadm_secadm.pp then you could disable this module and take away the >> power of sysadm to do security administration. How important is this? >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.11 (GNU/Linux) >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ >> >> iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko >> YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A >> =Ae9m >> -----END PGP SIGNATURE----- >> > > [-- Attachment #2: Type: text/html, Size: 7276 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2011-02-19 14:26 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-01-18 18:03 SELinux role separation Qwyjibo Jones 2011-01-19 19:29 ` Stephen Smalley 2011-01-19 20:11 ` Daniel J Walsh 2011-01-19 21:44 ` Qwyjibo Jones 2011-01-19 21:47 ` Daniel J Walsh 2011-01-19 21:51 ` Daniel J Walsh 2011-01-20 13:43 ` Qwyjibo Jones 2011-01-20 13:45 ` Qwyjibo Jones 2011-01-20 14:21 ` Daniel J Walsh 2011-01-20 14:23 ` Daniel J Walsh 2011-01-20 17:05 ` Qwyjibo Jones 2011-02-19 14:25 ` Qwyjibo Jones
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.