From: Qwyjibo Jones
To: selinux@tycho.nsa.gov
Date: Tue, 18 Jan 2011 13:03:50 -0500
Subject: SELinux role separation

I am currently working with an Itanium2 system which has RHEL 5.3 MLS installed.
I am trying to understand how separation of roles works in SELinux/MLS policy version 21. We have been told that we need to separate roles that the sys admin is no longer allowed to do.

After reading through these threads in the archives, I am still wondering about a couple of things:

http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082

And this one:
http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml

1) Is the RHEL 5.x MLS policy version 21 capable of the following separation of sysadm_r and secadm_r roles:

   a) Can the secadm_r role be the only role that can assign roles via semanage?

   b) Can the secadm_r role be the only role that can assign/modify network interface labels via semanage?

   c) Can the secadm_r role be the only role that can control files used in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc.?

2) Is this better accomplished with a combination of sudo and SELinux?

3) How can I determine what secadm_r can do in the current configuration? Can any of the CLI tools show me that? (no GUI tools available)

If not, what about RHEL 6? (I understand RHEL 6 is not available to Itanium systems, but we may have new hardware soon.)

Any tips, hints, pointers etc. would be very helpful.

Thanks for your time,

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


From: Stephen Smalley
To: Qwyjibo Jones
Cc: selinux@tycho.nsa.gov, Daniel J Walsh
Date: Wed, 19 Jan 2011 14:29:50 -0500
Message-ID: <1295465390.11317.7.camel@moss-pluto>
Subject: Re: SELinux role separation

On Tue, 2011-01-18 at 13:03 -0500, Qwyjibo Jones wrote:
> [...]
> 3) How can I determine what secadm_r can do in the current
> configuration? Can any of the CLI tools show me that? (no GUI tools
> available)

What you describe should be possible using the MLS policy, although I can't speak to the specifics of the RHEL5 policy. If you have or can install setools, then you should be able to query the policy via sesearch to discover what is allowed without needing any GUI.

--
Stephen Smalley
National Security Agency


From: Daniel J Walsh
To: Qwyjibo Jones
Cc: selinux@tycho.nsa.gov
Date: Wed, 19 Jan 2011 15:11:55 -0500
Message-ID: <4D37458B.4050705@redhat.com>
Subject: Re: SELinux role separation

On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
> [...]
> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> separation of sysadm_r and secadm_r roles:
>
>    a) Can the secadm_r role be the only role that can assign roles via
> semanage?
>
>    b) Can the secadm_r role be the only role that can assign/modify
> network interface labels via semanage?

secadm_r:secadm_t in MLS policy is only allowed to run semanage if the allow_sysadm_manage_security boolean is turned off.

>    c) Can the secadm_r role be the only role that can control files used
> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc.?

auditadm_r:auditadm_t is only allowed to modify these files.

> 2) Is this better accomplished with a combination of sudo and SELinux?

Since sysadm_t can hack his way around the SELinux controls via tools like rpm and fdisk, you are better off using sudo to further restrict his actions, if possible.

> 3) How can I determine what secadm_r can do in the current
> configuration? Can any of the CLI tools show me that? (no GUI tools
> available)

You probably want to look at secadm_t

sesearch -A -t secadm_t

> If not, what about RHEL 6? (I understand RHEL 6 is not available to
> Itanium systems, but we may have new hardware soon)
> [...]
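Stephen's and Dan's pointer to sesearch answers question 3, and the same output answers question 1 if the rules of the two domains are diffed: whatever sysadm_t is allowed that secadm_t is allowed too means there is no separation in that direction. The script below is an added example, not code from this thread or from setools. It parses the one-rule-per-line output of the setools 3 `sesearch -A` command (collected with `-s secadm_t` and `-s sysadm_t`, since `-s` selects rules by source domain) and reports what secadm_t may do that sysadm_t may not, once counting boolean-gated rules as granted and once ignoring them. The sample rule lines embedded in it are constructed for illustration and are not the rules of any RHEL 5 MLS policy; the leading ET/DT flag and the trailing `[ boolean ]` marker on conditional rules are assumptions about how setools prints them.

```python
"""Diff the allow rules of two SELinux domains from `sesearch -A` output.

Added example for this thread, not part of setools. Parses the classic
setools 3 line format, one rule per line:

    allow SRC TGT : CLASS { perm1 perm2 } ;
    allow SRC TGT : CLASS perm ;
    ET allow SRC TGT : CLASS { perm } ; [ boolean_name ]   (conditional rule)

The optional leading ET/DT flag and the trailing "[ boolean ]" marker are
assumptions about how conditional rules are printed.
"""
import re
from collections import defaultdict, namedtuple

AllowRule = namedtuple("AllowRule", "src tgt cls perms cond")

RULE_RE = re.compile(
    r"^\s*(?:[A-Z]{2}\s+)?"                                   # optional ET/DT flag
    r"allow\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;"  # { a b } or single perm
    r"(?:\s*\[\s*(?P<cond>[^\]]*?)\s*\])?\s*$"                # optional [ boolean ]
)

# Constructed sample: NOT the rules of any real RHEL 5 MLS policy.
SAMPLE_SESEARCH = """\
Found 6 semantic av rules:
   allow secadm_t semanage_t : process { transition sigchld } ;
   allow secadm_t semanage_store_t : dir { read write add_name remove_name search } ;
   allow secadm_t secadm_t : process { fork signal } ;
   allow sysadm_t semanage_t : process { transition sigchld } ;
   allow sysadm_t secadm_t : process signal ;
ET allow sysadm_t semanage_store_t : dir { read search } ; [ allow_sysadm_manage_security ]
"""


def parse_sesearch(text):
    """Return an AllowRule for every allow rule line in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Found N rules:" headers, blank lines, anything else
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"),
                               frozenset(perms), m.group("cond")))
    return rules


def permissions_of(rules, domain, count_conditional=True):
    """Flatten a domain's rules to {(target, class): set(perms)}.

    With count_conditional=False, rules gated by a boolean are ignored, so the
    result is what the domain can do regardless of how booleans are set.
    """
    granted = defaultdict(set)
    for r in rules:
        if r.src == domain and (count_conditional or r.cond is None):
            granted[(r.tgt, r.cls)] |= r.perms
    return granted


def exclusive_to(rules, domain_a, domain_b, count_conditional=True):
    """Permissions domain_a holds that domain_b lacks, keyed by (target, class).

    An empty result means domain_b can do everything domain_a can: no
    separation in the direction asked.
    """
    a = permissions_of(rules, domain_a)
    b = permissions_of(rules, domain_b, count_conditional)
    diff = {}
    for key, perms in a.items():
        missing = perms - b.get(key, frozenset())
        if missing:
            diff[key] = missing
    return diff


def report(rules, wanted, other):
    lines = [f"Permissions of {wanted} that {other} does not have:"]
    for (tgt, cls), perms in sorted(exclusive_to(rules, wanted, other).items()):
        lines.append(f"  {tgt}:{cls}  {' '.join(sorted(perms))}")
    lines.append(f"...ignoring the boolean-gated rules of {other}:")
    for (tgt, cls), perms in sorted(exclusive_to(rules, wanted, other, False).items()):
        lines.append(f"  {tgt}:{cls}  {' '.join(sorted(perms))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: sesearch -A -s secadm_t > rules.txt; sesearch -A -s sysadm_t >> rules.txt
    print(report(parse_sesearch(SAMPLE_SESEARCH), "secadm_t", "sysadm_t"))
```

On the constructed sample the only things secadm_t can do that sysadm_t cannot are writing to the semanage store and forking; with the boolean-gated rule discounted, sysadm_t loses its read access to the store as well. Run against the real policy, an empty first list for the question "what can secadm_t do that sysadm_t cannot" is the direct answer to question 1.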
From: Qwyjibo Jones
To: Daniel J Walsh
Cc: selinux@tycho.nsa.gov
Date: Wed, 19 Jan 2011 16:44:49 -0500
Subject: Re: SELinux role separation

I don't seem to have the "allow_sysadm_manage_security" boolean. Do I need to create it somehow and put it under /selinux/booleans?

# getsebool -a | grep allow_sysadm_manage_security
# getsebool -a | grep allow_sysadm
# getsebool -a | grep sysadm
allow_httpd_sysadm_script_anon_write --> off
ssh_sysadm_login --> off
staff_read_sysadm_file --> off
xdm_sysadm_login --> off

Thanks,

On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> [...]
From: Daniel J Walsh
To: Qwyjibo Jones
Cc: selinux@tycho.nsa.gov
Date: Wed, 19 Jan 2011 16:47:36 -0500
Message-ID: <4D375BF8.2060100@redhat.com>
Subject: Re: SELinux role separation

On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> need to create it somehow and put it under /selinux/booleans?
> [...]

You are running on an MLS machine?

seinfo
From: Daniel J Walsh
To: Qwyjibo Jones
Cc: selinux@tycho.nsa.gov
Date: Wed, 19 Jan 2011 16:51:34 -0500
Message-ID: <4D375CE6.7030107@redhat.com>
Subject: Re: SELinux role separation

On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> need to create it somehow and put it under /selinux/booleans?
> [...]

Oops, I misread the policy, I guess we abandoned the separation.

        ifdef(`enable_mls',`
                userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
#               tunable_policy(`allow_sysadm_manage_security',`
                        userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
#               ')

Missed the "#" at the beginning of the lines. So I don't think we prevent sysadm_t from managing the security, of course he has to be able to run at SystemHigh.
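Dan's correction turns on a detail that is easy to miss when reading refpolicy source: a line whose first non-blank character is `#` is a comment, so commenting out the `tunable_policy(...)` wrapper and its closing `')` leaves the `userdom_security_administrator(sysadm_t, ...)` call inside it in force with no boolean gating it. The script below is an added example, not part of this thread, of the reference policy or of setools. It strips comment lines from a policy fragment, tracks the enclosing `ifdef()` and `tunable_policy()` blocks, and lists every domain granted security administration together with the boolean, if any, that gates it. It runs on the snippet as Dan quoted it and on a constructed variant with the two `#` characters removed to show the difference. Only the opener form `` `name',` `` and the closer `')` seen in that snippet are handled; m4 else branches are not, which is an assumption stated in the code.

```python
"""Which domains does a refpolicy fragment grant security administration,
and under which boolean?

Added example for this thread, not part of the reference policy or setools.
It understands only the constructs in the snippet quoted above:
    ifdef(`NAME',`           ... ')   build-time switch (enable_mls)
    tunable_policy(`NAME',`  ... ')   runtime boolean
    userdom_security_administrator(DOMAIN, ROLE, ...)
Lines whose first non-blank character is '#' are comments and are dropped
first, which is exactly why a commented-out tunable_policy() wrapper stops
gating the call inside it. m4 else branches (`',`) are not handled.
"""
import re
from collections import namedtuple

Grant = namedtuple("Grant", "domain role booleans build_flags")

TOKEN_RE = re.compile(
    r"(?P<open>(?P<kind>tunable_policy|ifdef)\(`(?P<name>[^']*)'\s*,\s*`)"
    r"|(?P<close>'\))"
    r"|(?P<grant>userdom_security_administrator\(\s*(?P<domain>[^,\s]+)\s*,\s*(?P<role>[^,\s]+))"
)

# The fragment as Dan quoted it: the two '#' lines are comments.
SNIPPET_AS_SHIPPED = """\
        ifdef(`enable_mls',`
                userdom_security_administrator(secadm_t,secadm_r,{
secadm_tty_device_t sysadm_devpts_t })
#               tunable_policy(`allow_sysadm_manage_security',`
                        userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
#               ')
"""

# Constructed variant: the same fragment with the two '#' removed, so the
# tunable_policy() block is live and gates the sysadm_t grant.
SNIPPET_GATED = SNIPPET_AS_SHIPPED.replace("\n#", "\n ")


def strip_comments(policy_text):
    """Drop every line that is a refpolicy/m4 comment."""
    return "\n".join(line for line in policy_text.splitlines()
                     if not line.lstrip().startswith("#"))


def security_admin_grants(policy_text):
    """List every active userdom_security_administrator() call together with
    the tunable_policy() booleans and ifdef() flags that enclose it."""
    stack = []    # (kind, name) of the blocks currently open
    grants = []
    for m in TOKEN_RE.finditer(strip_comments(policy_text)):
        if m.group("open"):
            stack.append((m.group("kind"), m.group("name")))
        elif m.group("close"):
            if stack:
                stack.pop()
        else:
            grants.append(Grant(
                m.group("domain"), m.group("role"),
                tuple(n for k, n in stack if k == "tunable_policy"),
                tuple(n for k, n in stack if k == "ifdef")))
    return grants


def unconditional_security_admins(policy_text):
    """Domains that get security administration with no boolean gate at all."""
    return sorted({g.domain for g in security_admin_grants(policy_text) if not g.booleans})


if __name__ == "__main__":
    for label, text in (("as shipped", SNIPPET_AS_SHIPPED), ("with '#' removed", SNIPPET_GATED)):
        print(f"{label}:")
        for g in security_admin_grants(text):
            gate = " and ".join(g.booleans) or "unconditional"
            print(f"  {g.domain} ({g.role}): {gate}")
```

As shipped, both secadm_t and sysadm_t come out unconditional (the only enclosing block is the `enable_mls` build switch), which is Dan's conclusion; with the `#` characters removed, sysadm_t is gated by `allow_sysadm_manage_security` and only secadm_t is unconditional, which is what the earlier description of the boolean assumed.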
From: Qwyjibo Jones
To: Daniel J Walsh
Cc: selinux@tycho.nsa.gov
Date: Thu, 20 Jan 2011 08:43:33 -0500
Subject: Re: SELinux role separation

Thanks for the info...

On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> [...]
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id p0KDjpwO002174 for ; Thu, 20 Jan 2011 08:45:51 -0500
Received: from mail-gw0-f53.google.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id p0KDjaW2000111 for ; Thu, 20 Jan 2011 13:45:36 GMT
Received: by gwb10 with SMTP id 10so168609gwb.12 for ; Thu, 20 Jan 2011 05:45:36 -0800 (PST)
In-Reply-To: <4D375CE6.7030107@redhat.com>
References: <4D37458B.4050705@redhat.com> <4D375CE6.7030107@redhat.com>
Date: Thu, 20 Jan 2011 08:45:35 -0500
Subject: Re: SELinux role separation
From: Qwyjibo Jones
To: Daniel J Walsh
Cc: selinux@tycho.nsa.gov
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Sorry, one more question...

Does the MLS policy shipped with RHEL 6 have the separation?

Thanks,

On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> > I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> > need to create it somehow and put it under /selinux/booleans ?
> >
> > # getsebool -a | grep allow_sysadm_manage_security
> > # getsebool -a | grep allow_sysadm
> > # getsebool -a | grep sysadm
> > allow_httpd_sysadm_script_anon_write --> off
> > ssh_sysadm_login --> off
> > staff_read_sysadm_file --> off
> > xdm_sysadm_login --> off
> >
> > Thanks,
> >
> > On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
> >
> >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
> >> installed.
> >> I am trying to understand how separation of roles works in SELinux/MLS
> >> policy version 21. We have been told that we need to separate roles that
> >> the sys admin is no longer allowed to do.
> >
> >> After reading through these threads, in the archives I am still
> >> wondering about a couple things:
> >
> > http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
> >
> >> And this one:
> >
> > http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
> >
> >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> >> separation of sysadm_r and secadm_r roles:
> >
> >>    a) Can the secadm_r role be the only role that can assign roles via
> >> semanage?
> >
> >>    c) Can the secadm_r role be the only role that can control files used
> >> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
> >
> > auditadm_r:auditadm_t is only allowed to modify these files.
> >
> >> 2) Is this better accomplished with a combination of SUDO and SELinux?
> > Since sysadm_t can hack his way around the SELinux controls via tools
> > like rpm and fdisk, you are better off using sudo to further restrict
> > his actions, if possible.
> >> 3) How can I determine what secadm_r can do in the current
> >> configuration? can any of the CLI tools show me that? ( no gui tools
> >> available )
> >
> > You probably want to look at secadm_t
> >
> > sesearch -A -t secadm_t
> >
> >> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
> >> Itanium systems, but we may have new hardware soon)
> >
> >> Any tips, hints, pointers etc... would be very helpful.
> >
> >> Thanks for your time,
> >
> Oops I misread the policy, I guess we abandoned the separation.
>
>
>                 ifdef(`enable_mls',`
>                         userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
> #                       tunable_policy(`allow_sysadm_manage_security',`
>                                 userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> #                       ')
>
>
> Missed the "#" at the beginning of the lines. So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk03XOYACgkQrlYvE4MpobNWvACeO1Q8Rioee4mA8jHSUKWyDFkI
> hHgAn2hf4+hRA36bn2urfI3ezlKNK/+O
> =h3mZ
> -----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id p0KEM08U004697 for ; Thu, 20 Jan 2011 09:22:00 -0500
Received: from mx1.redhat.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id p0KELxW2006705 for ; Thu, 20 Jan 2011 14:22:00 GMT
Message-ID: <4D384504.6010603@redhat.com>
Date: Thu, 20 Jan 2011 09:21:56 -0500
From: Daniel J Walsh
To: Qwyjibo Jones
CC: selinux@tycho.nsa.gov
Subject: Re: SELinux role separation
References: <4D37458B.4050705@redhat.com> <4D375CE6.7030107@redhat.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> Sorry, one more question...
>
> Does the MLS policy shipped with RHEL 6 have the separation?
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> need to create it somehow and put it under /selinux/booleans ?
>
>> # getsebool -a | grep allow_sysadm_manage_security
>> # getsebool -a | grep allow_sysadm
>> # getsebool -a | grep sysadm
>> allow_httpd_sysadm_script_anon_write --> off
>> ssh_sysadm_login --> off
>> staff_read_sysadm_file --> off
>> xdm_sysadm_login --> off
>
>> Thanks,
>
>> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
>>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>>> installed.
>>> I am trying to understand how separation of roles works in SELinux/MLS
>>> policy version 21. We have been told that we need to separate roles that
>>> the sys admin is no longer allowed to do.
>
>>> After reading through these threads, in the archives I am still
>>> wondering about a couple things:
>
>> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>
>>> And this one:
>
>> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
>>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>>> separation of sysadm_r and secadm_r roles:
>
>>>    a) Can the secadm_r role be the only role that can assign roles via
>>> semanage?
>
>>>    c) Can the secadm_r role be the only role that can control files used
>>> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
>
>> auditadm_r:auditadm_t is only allowed to modify these files.
>
>>> 2) Is this better accomplished with a combination of SUDO and SELinux?
>> Since sysadm_t can hack his way around the SELinux controls via tools
>> like rpm and fdisk, you are better off using sudo to further restrict
>> his actions, if possible.
>>> 3) How can I determine what secadm_r can do in the current
>>> configuration? can any of the CLI tools show me that? ( no gui tools
>>> available )
>
>> You probably want to look at secadm_t
>
>> sesearch -A -t secadm_t
>
>>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
>>> Itanium systems, but we may have new hardware soon)
>
>>> Any tips, hints, pointers etc... would be very helpful.
>
>>> Thanks for your time,
>
> Oops I misread the policy, I guess we abandoned the separation.
>
>
>                 ifdef(`enable_mls',`
>                         userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
> #                       tunable_policy(`allow_sysadm_manage_security',`
>                                 userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> #                       ')
>
>
> Missed the "#" at the beginning of the lines. So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.
>
RHEL6 MLS Policy for separation is pretty much the same. We are just
working on certification now, hopefully for 6.1. There is a lot more
policy that works with MLS in RHEL6 including some desktop features,
although we will be certifying server only, I believe. Others might
build a MLS desktop based on RHEL6.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk04RQAACgkQrlYvE4MpobMSsgCg2tGDK2RvLrb7nv8gvCzX+mMq
F/YAoIu4Cp3JtIYrZL5IeEJRuF1mZWrj
=BL/v
-----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id p0KENeqD004906 for ; Thu, 20 Jan 2011 09:23:40 -0500
Received: from mx1.redhat.com (localhost [127.0.0.1]) by msux-gh1-uea02.nsa.gov (8.12.10/8.12.10) with ESMTP id p0KENcbq024960 for ; Thu, 20 Jan 2011 14:23:39 GMT
Message-ID: <4D384567.1030104@redhat.com>
Date: Thu, 20 Jan 2011 09:23:35 -0500
From: Daniel J Walsh
To: Qwyjibo Jones
CC: selinux@tycho.nsa.gov
Subject: Re: SELinux role separation
References: <4D37458B.4050705@redhat.com> <4D375CE6.7030107@redhat.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> Sorry, one more question...
>
> Does the MLS policy shipped with RHEL 6 have the separation?
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> need to create it somehow and put it under /selinux/booleans ?
>
>> # getsebool -a | grep allow_sysadm_manage_security
>> # getsebool -a | grep allow_sysadm
>> # getsebool -a | grep sysadm
>> allow_httpd_sysadm_script_anon_write --> off
>> ssh_sysadm_login --> off
>> staff_read_sysadm_file --> off
>> xdm_sysadm_login --> off
>
>> Thanks,
>
>> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
>>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>>> installed.
>>> I am trying to understand how separation of roles works in SELinux/MLS
>>> policy version 21. We have been told that we need to separate roles that
>>> the sys admin is no longer allowed to do.
>
>>> After reading through these threads, in the archives I am still
>>> wondering about a couple things:
>
>> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>
>>> And this one:
>
>> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
>>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>>> separation of sysadm_r and secadm_r roles:
>
>>>    a) Can the secadm_r role be the only role that can assign roles via
>>> semanage?
>
>>>    c) Can the secadm_r role be the only role that can control files used
>>> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
>
>> auditadm_r:auditadm_t is only allowed to modify these files.
>
>>> 2) Is this better accomplished with a combination of SUDO and SELinux?
>> Since sysadm_t can hack his way around the SELinux controls via tools
>> like rpm and fdisk, you are better off using sudo to further restrict
>> his actions, if possible.
>>> 3) How can I determine what secadm_r can do in the current
>>> configuration? can any of the CLI tools show me that? ( no gui tools
>>> available )
>
>> You probably want to look at secadm_t
>
>> sesearch -A -t secadm_t
>
>>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
>>> Itanium systems, but we may have new hardware soon)
>
>>> Any tips, hints, pointers etc... would be very helpful.
>
>>> Thanks for your time,
>
> Oops I misread the policy, I guess we abandoned the separation.
>
>
>                 ifdef(`enable_mls',`
>                         userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
> #                       tunable_policy(`allow_sysadm_manage_security',`
>                                 userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> #                       ')
>
>
> Missed the "#" at the beginning of the lines. So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.
>
One idea would be to build the separation into a separate module
sysadm_secadm.pp, then you could disable this module and take away the
power of sysadm to do security administration. How important is this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
=Ae9m
-----END PGP SIGNATURE-----
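The two answers above, check what the loaded policy really allows with sesearch, and move the sysadm_t grant into a separate sysadm_secadm.pp so it can be disabled, can be exercised with the script below. It is an added example, not code from this thread, from Red Hat or from the reference policy. It assumes setools (sesearch, seinfo) and the policy devel headers under /usr/share/selinux/devel are installed, and it copies the userdom_security_administrator(...) call and the admin_terminal name verbatim from Dan's quoted fragment without checking them against any particular policy release; the sample sesearch output it parses is constructed, not captured from a real system.

```sh
#!/bin/sh
# role_sep.sh: added example for this thread, not code from the list or
# from the RHEL policy. Two pieces the discussion asks for:
#  1. sec_admin_domains / audit_live: from "sesearch -A" output, list which
#     domains still hold security-administration rights (Dan's point that
#     the commented-out tunable leaves sysadm_t able to manage security).
#  2. sysadm_secadm_te / build_and_toggle: the separable module Dan
#     sketched, so the grant can be switched off with "semodule -d".
# Assumptions, not from the thread: setools' sesearch is on PATH for the
# live check; the interface userdom_security_administrator and its
# admin_terminal argument (copied from the quoted fragment) exist in the
# installed headers under /usr/share/selinux/devel, and admin_terminal is
# an attribute there (check: seinfo -a | grep admin_terminal).

# Read allow rules on stdin, in either the setools 3 form
#   allow src tgt : class { perms } ;
# or the setools 4 form
#   allow src tgt:class { perms }; [ bool ]:True
# and print "source target:class perm" for each security-admin permission.
sec_admin_domains() {
    awk '
    BEGIN {
        # "target_type object_class permission"; extend to taste.
        want["security_t security load_policy"] = 1
        want["security_t security setenforce"]  = 1
        want["security_t security setbool"]     = 1
        want["selinux_config_t file write"]     = 1  # /etc/selinux/*
        want["auditd_etc_t file write"]         = 1  # auditd.conf, audit.rules
    }
    $1 != "allow" { next }                  # skips "Found N rules:" headers
    {
        sub(/\[.*$/, "")                    # drop conditional annotation
        gsub(/[{};]/, " ")                  # braces and ";" are separators
        sub(/:/, " : ")                     # "tgt:class" -> "tgt : class"
        src = $2; tgt = $3; cls = $5        # awk re-splits $0 after edits
        for (i = 6; i <= NF; i++)
            if ((tgt " " cls " " $i) in want)
                print src, tgt ":" cls, $i
    }' | sort -u
}

# Query the loaded policy for one source domain (default sysadm_t). With a
# real separation, sysadm_t prints nothing and secadm_t prints the rights.
audit_live() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 2; }
    sesearch -A -s "${1:-sysadm_t}" | sec_admin_domains
}

# Source of the separable module. A loadable module can only add rules, so
# this gives real separation only once the base policy no longer makes the
# same call itself; after that, "semodule -d sysadm_secadm" withdraws it.
sysadm_secadm_te() {
    cat <<'EOF'
policy_module(sysadm_secadm, 1.0)

# admin_terminal is assumed to be an attribute; if seinfo lists it as a
# type, declare it with "type" instead.
gen_require(`
	type sysadm_t;
	role sysadm_r;
	attribute admin_terminal;
')

# The call the quoted base-policy fragment makes for sysadm_t, moved here.
userdom_security_administrator(sysadm_t, sysadm_r, admin_terminal)
EOF
}

# Compile with the installed devel Makefile, install, then disable (root).
# Re-enable later with "semodule -e sysadm_secadm".
build_and_toggle() {
    d=$(mktemp -d) || return 1
    sysadm_secadm_te > "$d/sysadm_secadm.te"
    ( cd "$d" && make -f /usr/share/selinux/devel/Makefile sysadm_secadm.pp ) || return 1
    semodule -i "$d/sysadm_secadm.pp" && semodule -d sysadm_secadm
}

# Constructed sesearch output (not captured from any system), mixing both
# syntaxes so the parser can be exercised offline.
sample_rules() {
    cat <<'EOF'
Found 5 semantic av rules:
   allow sysadm_t security_t : security { compute_av load_policy setenforce } ;
   allow secadm_t security_t : security load_policy ;
   allow staff_t security_t : security { compute_av check_context } ;
allow auditadm_t auditd_etc_t:file { open read write }; [ some_bool ]:True
allow secadm_t selinux_config_t:file { write open };
EOF
}

# "sh role_sep.sh" parses the sample; "sh role_sep.sh --live [domain]"
# queries the loaded policy.
if [ "${1:-}" = "--live" ]; then
    audit_live "${2:-sysadm_t}"
else
    sample_rules | sec_admin_domains
fi
```

On the RHEL 5.3 MLS box described in the thread, `sh role_sep.sh --live sysadm_t` run as root is the one-line test of Dan's reading of the policy: if sysadm_t comes back with security_t:security load_policy and setenforce, the tunable lines being commented out has left the system administrator able to manage security, and `sh role_sep.sh --live secadm_t` shows what secadm_r gets on top of that (the raw rules behind the summary are what `sesearch -A -t secadm_t` prints). The module half is only useful once the base policy drops its own call; until then it adds nothing and disabling it takes nothing away.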
From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id p0KH5R6N018147 for ; Thu, 20 Jan 2011 12:05:27 -0500
Received: from mail-yx0-f181.google.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id p0KH5Qsm009124 for ; Thu, 20 Jan 2011 17:05:27 GMT
Received: by yxd39 with SMTP id 39so261639yxd.12 for ; Thu, 20 Jan 2011 09:05:26 -0800 (PST)
In-Reply-To: <4D384567.1030104@redhat.com>
References: <4D37458B.4050705@redhat.com> <4D375CE6.7030107@redhat.com> <4D384567.1030104@redhat.com>
Date: Thu, 20 Jan 2011 12:05:26 -0500
Subject: Re: SELinux role separation
From: Qwyjibo Jones
To: Daniel J Walsh
Cc: selinux@tycho.nsa.gov
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Okay,

We aren't using any desktop right now. This system is a headless server.

As for how important... Well, if you ask me (the sysadmin), I would say not
very. But alas it is not up to me. I will have to get the customer (Govt) to
tell me how much they need this. Perhaps I can get them to wait until 6.1
comes out since they are thinking of a hardware refresh anyhow.

My current policy skills are probably insufficient to the task of making
the policy you described. I can use audit2allow pretty well tho... :)

Thanks,

On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> > Sorry, one more question...
> >
> > Does the MLS policy shipped with RHEL 6 have the separation?
> >
> > Thanks,
> >
> > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> >> need to create it somehow and put it under /selinux/booleans ?
> >
> >> # getsebool -a | grep allow_sysadm_manage_security
> >> # getsebool -a | grep allow_sysadm
> >> # getsebool -a | grep sysadm
> >> allow_httpd_sysadm_script_anon_write --> off
> >> ssh_sysadm_login --> off
> >> staff_read_sysadm_file --> off
> >> xdm_sysadm_login --> off
> >
> >> Thanks,
> >
> >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
> >
> >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
> >>> installed.
> >>> I am trying to understand how separation of roles works in SELinux/MLS
> >>> policy version 21. We have been told that we need to separate roles that
> >>> the sys admin is no longer allowed to do.
> >
> >>> After reading through these threads, in the archives I am still
> >>> wondering about a couple things:
> >
> >> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
> >
> >>> And this one:
> >
> >> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
> >
> >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> >>> separation of sysadm_r and secadm_r roles:
> >
> >>>    a) Can the secadm_r role be the only role that can assign roles via
> >>> semanage?
> >
> >>>    c) Can the secadm_r role be the only role that can control files used
> >>> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
> >
> >> auditadm_r:auditadm_t is only allowed to modify these files.
> >
> >>> 2) Is this better accomplished with a combination of SUDO and SELinux?
> >> Since sysadm_t can hack his way around the SELinux controls via tools
> >> like rpm and fdisk, you are better off using sudo to further restrict
> >> his actions, if possible.
> >>> 3) How can I determine what secadm_r can do in the current
> >>> configuration? can any of the CLI tools show me that? ( no gui tools
> >>> available )
> >
> >> You probably want to look at secadm_t
> >
> >> sesearch -A -t secadm_t
> >
> >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
> >>> Itanium systems, but we may have new hardware soon)
> >
> >>> Any tips, hints, pointers etc... would be very helpful.
> >
> >>> Thanks for your time,
> >
> > Oops I misread the policy, I guess we abandoned the separation.
> >
> >
> >                 ifdef(`enable_mls',`
> >                         userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
> > #                       tunable_policy(`allow_sysadm_manage_security',`
> >                                 userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> > #                       ')
> >
> >
> > Missed the "#" at the beginning of the lines. So I don't think we
> > prevent sysadm_t from managing the security, of course he has to be able
> > to run at SystemHigh.
> >
> One idea would be to build the separation into a separate module
> sysadm_secadm.pp, then you could disable this module and take away the
> power of sysadm to do security administration. How important is this?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
> YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
> =Ae9m
> -----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id p1JEQXMV028085 for ; Sat, 19 Feb 2011 09:26:33 -0500
Received: from mail-gy0-f181.google.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id p1JEQWlL028133 for ; Sat, 19 Feb 2011 14:26:32 GMT
Received: by gyd10 with SMTP id 10so13660gyd.12 for ; Sat, 19 Feb 2011 06:26:32 -0800 (PST)
References: <4D37458B.4050705@redhat.com> <4D375CE6.7030107@redhat.com> <4D384567.1030104@redhat.com>
Date: Sat, 19 Feb 2011 09:25:16 -0500
Subject: Re: SELinux role separation
From: Qwyjibo Jones
To: Daniel J Walsh
Cc: selinux@tycho.nsa.gov
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Just as a follow up to this thread.

This is an important feature to the customer. My team has managed to defer
this until a later release. Hopefully one of the 6.x versions.
They like SELinux MLS because *so far* their Solaris TX and ZFS systems
cannot label data at rest. They have TX systems that they want to migrate
away from.

Thanks for the help

On Thu, Jan 20, 2011 at 12:05 PM, Qwyjibo Jones <qwyjibojones@gmail.com> wrote:
> Okay,
>
> We aren't using any desktop right now. This system is a headless server.
>
> As for how important... Well, if you ask me (the sysadmin), I would say not
> very. But alas it is not up to me. I will have to get the customer (Govt) to
> tell me how much they need this. Perhaps I can get them to wait until 6.1
> comes out since they are thinking of a hardware refresh anyhow.
>
> My current policy skills are probably insufficient to the task of making
> the policy you described. I can use audit2allow pretty well tho... :)
>
> Thanks,
>
> On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
>> > Sorry, one more question...
>> >
>> > Does the MLS policy shipped with RHEL 6 have the separation?
>> >
>> > Thanks,
>> >
>> > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> >
>> > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> >> need to create it somehow and put it under /selinux/booleans ?
>> >
>> >> # getsebool -a | grep allow_sysadm_manage_security
>> >> # getsebool -a | grep allow_sysadm
>> >> # getsebool -a | grep sysadm
>> >> allow_httpd_sysadm_script_anon_write --> off
>> >> ssh_sysadm_login --> off
>> >> staff_read_sysadm_file --> off
>> >> xdm_sysadm_login --> off
>> >
>> >> Thanks,
>> >
>> >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> >
>> >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>> >
>> >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>> >>> installed.
>> >>> I am trying to understand how separation of roles works in SELinux/MLS
>> >>> policy version 21. We have been told that we need to separate roles that
>> >>> the sys admin is no longer allowed to do.
>> >
>> >>> After reading through these threads, in the archives I am still
>> >>> wondering about a couple things:
>> >
>> >> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>> >
>> >>> And this one:
>> >
>> >> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>> >
>> >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>> >>> separation of sysadm_r and secadm_r roles:
>> >
>> >>>    a) Can the secadm_r role be the only role that can assign roles via
>> >>> semanage?
>> >
>> >>>    c) Can the secadm_r role be the only role that can control files used
>> >>> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
>> >
>> >> auditadm_r:auditadm_t is only allowed to modify these files.
>> >
>> >>> 2) Is this better accomplished with a combination of SUDO and SELinux?
>> >> Since sysadm_t can hack his way around the SELinux controls via tools
>> >> like rpm and fdisk, you are better off using sudo to further restrict
>> >> his actions, if possible.
>> >>> 3) How can I determine what secadm_r can do in the current
>> >>> configuration? can any of the CLI tools show me that? ( no gui tools
>> >>> available )
>> >
>> >> You probably want to look at secadm_t
>> >
>> >> sesearch -A -t secadm_t
>> >
>> >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
>> >>> Itanium systems, but we may have new hardware soon)
>> >
>> >>> Any tips, hints, pointers etc... would be very helpful.
>> >
>> >>> Thanks for your time,
>> >
>> > Oops I misread the policy, I guess we abandoned the separation.
>> >
>> >
>> >                 ifdef(`enable_mls',`
>> >                         userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
>> > #                       tunable_policy(`allow_sysadm_manage_security',`
>> >                                 userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
>> > #                       ')
>> >
>> >
>> > Missed the "#" at the beginning of the lines. So I don't think we
>> > prevent sysadm_t from managing the security, of course he has to be able
>> > to run at SystemHigh.
>> >
>> One idea would be to build the separation into a separate module
>> sysadm_secadm.pp, then you could disable this module and take away the
>> power of sysadm to do security administration. How important is this?
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
>> YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
>> =Ae9m
>> -----END PGP SIGNATURE-----

This is an important feature to the customer. My team has managed to defer this until a later release. Hopefully one of the 6.x versions.
They like SELinux MLS because so far their Solaris TX and ZFS systems cannot label data at rest. They have TX systems that they want to migrate away from.

Thanks for the help


On Thu, Jan 20, 2011 at 12:05 PM, Qwyjibo Jones <qwyjibojones@gmail.com> wrote:
Okay,

We aren't using any desktop right now. This system is a headless server.

As for how important... Well if you ask me, (the sysadmin), I would say not very. But alas it is not up to me. I will have to get the customer (Govt) to tell me how much they need this. Perhaps I can get them to wait until 6.1 comes out since they are thinking of a hardware refresh anyhow.

My current policy skills are probably insufficient to the task of making the policy you described. I can use audit2allow pretty well tho... :)
Thanks,


On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> Sorry, one more question...
>
> Does the MLS policy shipped with RHEL 6 have the separation?
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>> wrote:
>
> On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> need to create it somehow and put it under /selinux/booleans ?
>
>> # getsebool -a | grep allow_sysadm_manage_security
>> # getsebool -a | grep allow_sysadm
>> # getsebool -a | grep sysadm
>> allow_httpd_sysadm_script_anon_write --> off
>> ssh_sysadm_login --> off
>> staff_read_sysadm_file --> off
>> xdm_sysadm_login --> off
>
>
>
>> Thanks,
>
>> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>
>> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote:
>
>> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
>>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>>> installed.
>>> I am trying to understand how separation of roles works in
> SELinux/MLS
>>> policy version 21. We have been told that we need to separate
>> roles that
>>> the sys admin is no longer allowed to do.
>
>>> After reading through these threads, in the archives I am still
>>> wondering about a couple things:
>
>
>
> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>
>>> And this one:
>
>
> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
>>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>>> separation of sysadm_r and secadm_r roles:
>
>>>    a) Can the secadm_r role be the only role that can assign
> roles via
>>> semanage?
>
>>>    c) Can the secadm_r role be the only role that can control
>> files used
>>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc...
>
>> auditadm_r:auditadm_t is only allowed to modify these files.
>
>>> 2) Is this better accomplished with a combination of SUDO and
> SELinux?
>> Since sysadm_t can hack his way around the SELinux controls via tools
>> like rpm and fdisk, you are better off using sudo to further restrict
>> his actions, if possible.
>>> 3) How can I determine what secadm_r can do in the current
>>> configuration? can any of the CLI tools show me that? ( no gui tools
>>> available )
>
>> You probably want to look at secadm_t
>
>> sesearch -A -t secadm_t
>
>>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
>>> Itanium systems, but we may have new hardware soon)
>
>>> Any tips. hints, pointers etc... would be very helpful.
>
>>> Thanks for your time,
>
> Oops I misread the policy,  I guess we abandoned the separation.
>
>
>                 ifdef(`enable_mls',`
>
>  userdom_security_administrator(secadm_t,secadm_r,{
> secadm_tty_device_t sysadm_devpts_t })
> #                       tunable_policy(`allow_sysadm_manage_security',`
>
>  userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> #                       ')
>
>
> Missed the "#" at the beginning of the lines.  So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.
>
One idea would be to build the separation into a separate module
sysadm_secadm.pp then you could disable this module and take away the
power of sysadm to do security administration. How important is this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
=Ae9m
-----END PGP SIGNATURE-----
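Dan Walsh's suggestion of a separate sysadm_secadm.pp module, together with the quoted sysadm.te snippet in which the allow_sysadm_manage_security tunable is commented out, as an added example that is not part of the thread and not refpolicy's or Red Hat's own code. It assumes the refpolicy interface userdom_security_administrator(domain, role, terminal) with the three-argument form shown in the quoted policy, the types sysadm_t, sysadm_tty_device_t, sysadm_devpts_t, selinux_config_t and security_t, the RHEL policy development Makefile at /usr/share/selinux/devel/Makefile, and setools' sesearch as quoted in the thread; the module name sysadm_secadm is the one Dan proposed.

```shell
#!/bin/sh
# Added example (not from the thread or from refpolicy): isolate the grant
# that lets sysadm_t do security administration in its own module, so a
# site can withdraw it by removing the module instead of editing sysadm.te.
# Assumed: userdom_security_administrator(domain, role, terminal) as in the
# quoted sysadm.te; the sysadm_* / selinux_config_t / security_t types;
# /usr/share/selinux/devel/Makefile from selinux-policy-devel.

MODULE=sysadm_secadm

# Print the module source.  This is the same call sysadm.te makes,
# minus the commented-out tunable_policy() around it.
sysadm_secadm_te() {
    cat <<'EOF'
policy_module(sysadm_secadm, 1.0)

gen_require(`
    type sysadm_t, sysadm_tty_device_t, sysadm_devpts_t;
    role sysadm_r;
')

# Grant sysadm_r:sysadm_t security administration.  Remove this module
# and the grant goes with it; secadm_r and auditadm_r are untouched.
userdom_security_administrator(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
EOF
}

# Build and install the module (root and selinux-policy-devel required).
build_and_install() {
    dir=${1:-/tmp/$MODULE}
    mkdir -p "$dir" && cd "$dir" || return 1
    sysadm_secadm_te > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" &&
        semodule -i "$MODULE.pp"
}

# Withdraw the grant.  "semodule -r" removes the module; later
# policycoreutils releases also offer "semodule -d" to disable it in place.
withdraw() {
    semodule -r "$MODULE"
}

# Check the effect with the tool suggested for secadm_t, from the sysadm_t
# side: allow rules from sysadm_t to the policy store (/etc/selinux) and to
# the security object class.  Compare the output before and after withdraw().
show_sysadm_security_rules() {
    sesearch -A -s sysadm_t -t selinux_config_t -c file
    sesearch -A -s sysadm_t -t security_t -c security
}

# With no argument only print the module source; the privileged steps run
# only when asked for explicitly.
case "${1:-}" in
    install)  build_and_install ;;
    withdraw) withdraw ;;
    check)    show_sysadm_security_rules ;;
    *)        sysadm_secadm_te ;;
esac
```

Usage: `sh sysadm_secadm.sh install` builds and loads the module, `sh sysadm_secadm.sh check` lists what sysadm_t may do to the policy store, and `sh sysadm_secadm.sh withdraw` removes the module when the customer wants security administration confined to secadm_r. Because the grant lives in a module the base policy no longer has to be rebuilt to flip it, which is the point of Dan's suggestion.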


-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.