From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to give _admin rights?
Date: Thu, 9 Aug 2012 14:58:49 -0400 [thread overview]
Message-ID: <50240869.2070602@tresys.com> (raw)
In-Reply-To: <20120809183851.GA2643@siphos.be>
On 08/09/12 14:38, Sven Vermeulen wrote:
> Hi guys,
>
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really use
> it properly, unless I also give that user the root password (which I don't)
> for the run_init command...
There's a couple things going on here, which center around a clash between run_init and labeled init scripts:
> I've tried:
> ~$ /etc/init.d/nscd status
> -bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter:
> Permission denied
> which is because of:
> security_compute_sid: invalid context staff_u:system_r:initrc_t for
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t
> tclass=process
Fails because there was no transition to run_init_t. It needs something like seutil_init_script_run_runinit(), but only for using nscd_initrc_exec_t for the run_init_t entrypoint.
> I've tried:
> ~$ /usr/sbin/run_init /etc/init.d/nscd status
> Authenticating oper.
> Password:
> Could not set exec context to system_u:system_r:initrc_t
> which is because of:
> avc: denied { setexec } for pid=18505 comm="run_init"
> scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t
> tclass=process
Same thing, but instead needs seutil_run_runinit(). But this exposes that with run_init right now, the usage of init labeled init scripts falls on its face, because when you're in run_init_t, it can transition to initrc_t using any entrypoint. Run_init would need to be enhanced to do some extra checks to see if you're permitted to run the script.
[cut]
> It it "normal" that I would need to allow setexec for the user domain?
No.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2012-08-09 18:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 18:38 [refpolicy] How to give _admin rights? Sven Vermeulen
2012-08-09 18:50 ` Daniel J Walsh
2012-08-09 18:57 ` Sven Vermeulen
2012-08-09 18:58 ` Christopher J. PeBenito [this message]
2012-08-10 12:50 ` Daniel J Walsh
2012-08-10 17:05 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50240869.2070602@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.