Re: CentOS 5 RBAC

[Roy Badami <roy.badami@roboreus.com>]

[-- Attachment #1: Type: text/plain, Size: 1797 bytes --]

[Resending after accidentally dropping cc to the list]

On 31/08/2011 18:15, Stephen Smalley wrote:
> The logic in selinux_set_enforce_mode() in
> policy/modules/kernel/selinux.if is:
> ...
>        if(!secure_mode_policyload) {
>                  allow $1 security_t:security setenforce;
> ...
> }
>
> Notice the logical negation (!) in the above if statement.
>

Ah, thank you!  I had looked at those lines ealier, without fully 
understanding how the policy fitted together.  Indeed, I set  
secure_mode_policyload to 'on' based on that code to fix the fact that 
root could still run setenforce, even without changing role to 
secadm_r.  But unfortuantely, I see now, the reason root could run 
setenforce without changing to secadm_r is that root gets sysadm_r by 
default - and changing secure_mode_loadpolicy prevents *both* sysadm_r 
*and* secadm_r from administering policy - which wasn't what I was 
trying to achieve.

                 ifdef(`enable_mls',`
                         
userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t 
sysadm_devpts_t })
#                       tunable_policy(`allow_sysadm_manage_security',`
                                 
userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
#                       ')

If the allow_sysadm_manage_security boolean was implemented in this 
policy then I could simply set that to 'off'.   Given it's not - what's 
the best way to grant this permission to secadm_r only?  Presumably I 
want to set secure_mode_loadpolicy to 'on' as now so that the shipped 
policy doesn't give permissions, and then load some custom TE rules to 
add the necessary permissions for secadm_r to administer security policy?

Regards

roy




-- 
Roy Badami
Roboreus Ltd
1 New Oxford Street
London WC1A 1NU


[-- Attachment #2: Type: text/html, Size: 3409 bytes --]