From: Daniel J Walsh <dwalsh@redhat.com>
To: Qwyjibo Jones <qwyjibojones@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: SELinux role separation
Date: Thu, 20 Jan 2011 09:21:56 -0500 [thread overview]
Message-ID: <4D384504.6010603@redhat.com> (raw)
In-Reply-To: <AANLkTi=7qtTjmVPDrVyDX0OiX1QbG3CzYXAtsT8L-von@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> Sorry, one more question...
>
> Does the MLS policy shipped with RHEL 6 have the separation?
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>> wrote:
>
> On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> need to create it somehow and put it under /selinux/booleans ?
>
>> # getsebool -a | grep allow_sysadm_manage_security
>> # getsebool -a | grep allow_sysadm
>> # getsebool -a | grep sysadm
>> allow_httpd_sysadm_script_anon_write --> off
>> ssh_sysadm_login --> off
>> staff_read_sysadm_file --> off
>> xdm_sysadm_login --> off
>
>
>
>> Thanks,
>
>> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>
>> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote:
>
>> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
>>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>>> installed.
>>> I am trying to understand how separation of roles works in
> SELinux/MLS
>>> policy version 21. We have been told that we need to separate
>> roles that
>>> the sys admin is no longer allowed to do.
>
>>> After reading through these threads, in the archives I am still
>>> wondering about a couple things:
>
>
>
> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>
>>> And this one:
>
>
> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
>>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>>> separation of sysadm_r and secadm_r roles:
>
>>> a) Can the secadm_r role be the only role that can assign
> roles via
>>> semanage?
>
>>> c) Can the secadm_r role be the only role that can control
>> files used
>>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc...
>
>> auditadm_r:auditadm_t is only allowed to modify these files.
>
>>> 2) Is this better accomplished with a combination of SUDO and
> SELinux?
>> Since sysadm_t can hack his way around the SELinux controls via tools
>> like rpm and fdisk, you are better off using sudo to further restrict
>> his actions, if possible.
>>> 3) How can I determine what secadm_r can do in the current
>>> configuration? can any of the CLI tools show me that? ( no gui tools
>>> available )
>
>> You probably want to look at secadm_t
>
>> sesearch -A -t secadm_t
>
>>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
>>> Itanium systems, but we may have new hardware soon)
>
>>> Any tips. hints, pointers etc... would be very helpfull.
>
>>> Thanks for your time,
>
> Oops I misread the policy, I guess we abandoned the separation.
>
>
> ifdef(`enable_mls',`
>
> userdom_security_administrator(secadm_t,secadm_r,{
> secadm_tty_device_t sysadm_devpts_t })
> # tunable_policy(`allow_sysadm_manage_security',`
>
> userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> # ')
>
>
> Missed the "#" at the beginning of the lines. So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.
>
RHEL6 MLS Policy for separation is pretty much the same. We are just
working on certification now, hopefully for 6.1. There is a lot more
policy that works with MLS in RHEL6 including some desktop features,
although we will be certifying server only, I believe. Others might
build a MLS desktop based on RHEL6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk04RQAACgkQrlYvE4MpobMSsgCg2tGDK2RvLrb7nv8gvCzX+mMq
F/YAoIu4Cp3JtIYrZL5IeEJRuF1mZWrj
=BL/v
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-01-20 14:22 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-18 18:03 SELinux role separation Qwyjibo Jones
2011-01-19 19:29 ` Stephen Smalley
2011-01-19 20:11 ` Daniel J Walsh
2011-01-19 21:44 ` Qwyjibo Jones
2011-01-19 21:47 ` Daniel J Walsh
2011-01-19 21:51 ` Daniel J Walsh
2011-01-20 13:43 ` Qwyjibo Jones
2011-01-20 13:45 ` Qwyjibo Jones
2011-01-20 14:21 ` Daniel J Walsh [this message]
2011-01-20 14:23 ` Daniel J Walsh
2011-01-20 17:05 ` Qwyjibo Jones
2011-02-19 14:25 ` Qwyjibo Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D384504.6010603@redhat.com \
--to=dwalsh@redhat.com \
--cc=qwyjibojones@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.