From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to give _admin rights?
Date: Thu, 09 Aug 2012 14:50:19 -0400 [thread overview]
Message-ID: <5024066B.9080206@redhat.com> (raw)
In-Reply-To: <20120809183851.GA2643@siphos.be>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/09/2012 02:38 PM, Sven Vermeulen wrote:
> Hi guys,
>
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really
> use it properly, unless I also give that user the root password (which I
> don't) for the run_init command...
>
> I've tried: ~$ /etc/init.d/nscd status -bash: /etc/init.d/nscd:
> /sbin/runscript: bad interpreter: Permission denied which is because of:
> security_compute_sid: invalid context staff_u:system_r:initrc_t for
> scontext=staff_u:staff_r:staff_t
> tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process
>
> I've tried: ~$ /usr/sbin/run_init /etc/init.d/nscd status Authenticating
> oper. Password: Could not set exec context to system_u:system_r:initrc_t
> which is because of: avc: denied { setexec } for pid=18505 comm="run_init"
> scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t
> tclass=process
>
> I've tried: ~$ sudo /usr/sbin/run_init /etc/init.d/nscd status but then,
> after authenticating, run_init asks for the root password which I don't
> want to grant.
>
> I've tried: ~$ sudo /etc/init.d/nscd status sudo: unable to execute
> /etc/init.d/nscd: Permission denied For this I don't know what is causing
> this - only see the standard denials (rlimitinh, noatsecure, ...) and a
> getattr on a tty device.
>
> It it "normal" that I would need to allow setexec for the user domain?
>
> What is the correct way to, once a role/user is defined, grant him the
> _admin interface and have him start/stop the init scripts?
>
> Wkr, Sven Vermeulen _______________________________________________
> refpolicy mailing list refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
What OS are you seeing this on?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlAkBmsACgkQrlYvE4MpobP53gCggEL0SK5vtlCeRHgnAUKpAmKD
mpIAoMkmepAq3LYXh7/5lEcEoxSuHiJi
=0YHe
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2012-08-09 18:50 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 18:38 [refpolicy] How to give _admin rights? Sven Vermeulen
2012-08-09 18:50 ` Daniel J Walsh [this message]
2012-08-09 18:57 ` Sven Vermeulen
2012-08-09 18:58 ` Christopher J. PeBenito
2012-08-10 12:50 ` Daniel J Walsh
2012-08-10 17:05 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5024066B.9080206@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.