From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <4E5E7757.5030007@roboreus.com>
Date: Wed, 31 Aug 2011 19:03:03 +0100
From: Roy Badami
To: Stephen Smalley
CC: selinux@tycho.nsa.gov
Subject: Re: CentOS 5 RBAC
References: <4E5E68DB.1030101@roboreus.com> <1314810951.6850.26.camel@moss-pluto>
In-Reply-To: <1314810951.6850.26.camel@moss-pluto>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

[Resending after accidentally dropping cc to the list]

On 31/08/2011 18:15, Stephen Smalley wrote:
> The logic in selinux_set_enforce_mode() in
> policy/modules/kernel/selinux.if is:
> ...
>         if(!secure_mode_policyload) {
>                 allow $1 security_t:security setenforce;
> ...
>         }
>
> Notice the logical negation (!) in the above if statement.
>

Ah, thank you!  I had looked at those lines earlier, without fully understanding how the policy fitted together.  Indeed, I set secure_mode_policyload to 'on' based on that code to fix the fact that root could still run setenforce, even without changing role to secadm_r.  But unfortunately, I see now, the reason root could run setenforce without changing to secadm_r is that root gets sysadm_r by default - and changing secure_mode_loadpolicy prevents *both* sysadm_r *and* secadm_r from administering policy - which wasn't what I was trying to achieve.

        ifdef(`enable_mls',`
                userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
#               tunable_policy(`allow_sysadm_manage_security',`
                        userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
#               ')

If the allow_sysadm_manage_security boolean was implemented in this policy then I could simply set that to 'off'.  Given it's not - what's the best way to grant this permission to secadm_r only?  Presumably I want to set secure_mode_loadpolicy to 'on' as now so that the shipped policy doesn't give permissions, and then load some custom TE rules to add the necessary permissions for secadm_r to administer security policy?

Regards

roy

-- 
Roy Badami
Roboreus Ltd
1 New Oxford Street
London WC1A 1NU
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.