From: Daniel J Walsh <dwalsh@redhat.com>
To: Kurt.Nelson@gtri.gatech.edu
Cc: selinux@tycho.nsa.gov
Subject: Re: MLS Not enforcing secadm and auditadm
Date: Wed, 06 Jul 2011 15:17:00 -0400	[thread overview]
Message-ID: <4E14B4AC.9000905@redhat.com> (raw)
In-Reply-To: <BC2F7132E56EEE4E864092975C1447BA730123@apatlisdmbx02>


On 07/06/2011 08:42 AM, Kurt.Nelson@gtri.gatech.edu wrote:
> I'm setting up a RHEL6 box with MLS and am having issues with it
> enforcing the use of roles. Secadm_r and auditadm_r are not required to
> run setenforce or semanage and no role is able to write in /etc/audit/
> at all. The IRC channel seems to believe there is an issue with the
> ifndef(`enable_mls' not triggering.
> 
> [root@hatch ~]$ id -Z
> staff_u:sysadm_r:sysadm_t:s0
> 
> [knelson6@hatch ~]$ ls -Z /usr/sbin/semanage
> -rwxr-xr-x. root root system_u:object_r:semanage_exec_t:s0 /usr/sbin/semanage
> 
> [knelson6@hatch ~]$ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        mls
> 
> [root@hatch ~]# sesearch --allow -s sysadm_t -t semanage_exec_t -c file -p execute
> Found 3 semantic av rules:
>    allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
>    allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
>    allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;
> 
> [root@hatch ~]# sesearch -SCT --allow -s sysadm_t -t semanage_exec_t
> Found 11 semantic av rules:
>    allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
>    allow sysadm_t file_type : filesystem getattr ;
>    allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
>    allow sysadm_usertype file_type : filesystem getattr ;
>    allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;
>    allow sysadm_t semanage_exec_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
>    allow sysadm_t semanage_exec_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
>    allow sysadm_t semanage_exec_t : chr_file { getattr relabelfrom relabelto } ;
>    allow sysadm_t semanage_exec_t : blk_file { getattr relabelfrom relabelto } ;
>    allow sysadm_t semanage_exec_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
>    allow sysadm_t semanage_exec_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> 
> Found 1 semantic te rules:
>    type_transition sysadm_t semanage_exec_t : process semanage_t;
> 
> --
> Kurt Nelson
> GTRI-STL IT Coop
> 
Did you distribute your own policy or are you using the RHEL6 MLS Policy?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
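The question above boils down to one check that is easy to repeat by hand but tedious across many privileged exec types: can sysadm_t execute semanage_exec_t, through which allow rules, and which domain does it land in? The checker below is an added example, not code from the thread, from Red Hat or from the setools project. It parses the one-rule-per-line text that sesearch prints and answers that question for the output quoted in the post (re-joined onto single lines and trimmed, as a constructed sample). It assumes that sysadm_t carries the sysadm_usertype attribute and semanage_exec_t carries application_exec_type, which is implied by sesearch returning those attribute rules for this source/target pair, and it takes the poster's expectation that only secadm_t should reach semanage_exec_t as the "permitted" set; those attribute names and the permitted set are parameters, so the same check can be run over real sesearch output for other exec types (load_policy_exec_t, auditctl_exec_t) with the appropriate lists.

```python
"""Audit sesearch text output for a domain that can reach a privileged exec type.

Added example (not from the thread or from setools). Parses the rule lines
sesearch prints, then reports whether a source domain, directly or through an
attribute it carries, is granted file:execute on an exec type that is supposed
to be reserved for another role, and which domain the transition enters.
"""
import re
from dataclasses import dataclass

# Constructed sample: the sesearch output quoted in the thread, mail wrapping
# undone and trimmed to the rules that matter for the question.
SAMPLE_SESEARCH = """\
Found 5 semantic av rules:
   allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_t file_type : filesystem getattr ;
   allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;
   allow sysadm_t semanage_exec_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;

Found 1 semantic te rules:
   type_transition sysadm_t semanage_exec_t : process semanage_t;
"""


@dataclass(frozen=True)
class AllowRule:
    source: str        # type or attribute
    target: str        # type or attribute
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class TransitionRule:
    source: str
    target: str
    tclass: str
    new_type: str


# "allow S T : C { p1 p2 } ;"  or  "allow S T : C p ;"
AV_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
# "type_transition S T : C NEW;"
TT_RE = re.compile(r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+([^\s;]+)\s*;")


def parse_sesearch(text):
    """Split sesearch text into allow rules and type_transition rules; other lines are ignored."""
    allows, transitions = [], []
    for line in text.splitlines():
        m = AV_RE.match(line)
        if m:
            src, tgt, cls, many, one = m.groups()
            perms = many.split() if many is not None else [one]
            allows.append(AllowRule(src, tgt, cls, frozenset(perms)))
            continue
        m = TT_RE.match(line)
        if m:
            transitions.append(TransitionRule(*m.groups()))
    return allows, transitions


def execute_grants(allows, source_names, target_names):
    """Allow rules giving file:execute from any of source_names to any of target_names."""
    return [r for r in allows
            if r.source in source_names and r.target in target_names
            and r.tclass == "file" and "execute" in r.perms]


def entry_domain(transitions, source_names, target_names):
    """Domain entered on exec (type_transition on class process), or None if none."""
    for t in transitions:
        if t.source in source_names and t.target in target_names and t.tclass == "process":
            return t.new_type
    return None


def check_role_separation(text, source, source_attrs, exec_type, exec_attrs, permitted):
    """Return a finding dict when `source` can execute `exec_type` but is not in `permitted`.

    source_attrs / exec_attrs: attributes the caller knows the two types carry
    (assumed here from the attribute rules sesearch returned), so attribute-based
    grants are counted. permitted: domains meant to reach this exec type.
    """
    allows, transitions = parse_sesearch(text)
    src_names = {source, *source_attrs}
    tgt_names = {exec_type, *exec_attrs}
    grants = execute_grants(allows, src_names, tgt_names)
    if not grants or source in permitted:
        return None
    return {
        "source": source,
        "exec_type": exec_type,
        "via": sorted({f"{r.source} -> {r.target}" for r in grants}),
        "enters": entry_domain(transitions, src_names, tgt_names),
    }


if __name__ == "__main__":
    # The poster's expectation: semanage should be reachable from secadm_t only.
    print(check_role_separation(SAMPLE_SESEARCH, "sysadm_t", {"sysadm_usertype"},
                                "semanage_exec_t", {"application_exec_type"},
                                permitted={"secadm_t"}))
```

On a live box the text would come from `sesearch --allow -T -s sysadm_t -t semanage_exec_t` rather than the embedded sample; the point of keeping attribute membership as an explicit parameter is that a rule on application_exec_type or sysadm_usertype is what actually opens the path, and a checker that only looks for a direct `sysadm_t semanage_exec_t` rule would miss it if the direct rule were removed.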

Thread overview: 3+ messages
2011-07-06 12:42 MLS Not enforcing secadm and auditadm Kurt.Nelson
2011-07-06 13:08 ` Christopher J. PeBenito
2011-07-06 19:17 ` Daniel J Walsh [this message]