* Re: RBAC to SELinux policy migration
2012-09-03 22:41 RBAC to SELinux policy migration Marcel Butucea
@ 2012-09-03 22:59 ` Larry
2012-09-03 23:49 ` Casey Schaufler
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Larry @ 2012-09-03 22:59 UTC (permalink / raw)
To: selinux
On 09/03/2012 05:41 PM, Marcel Butucea wrote:
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you
> with the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main user
> is allowed, through the use of RBAC roles, to run a few system commands
> like svccfg/svcadm (chkconfig on redhat).
>
> Is it possible, using only SElinux (no sudo), to allow a normal user to
> run chkconfig off/on <service> (basically giving it the ability to
> add/remove services) ?(my ultimate goal would be to allow this user to
> run other "root-only" utilities as well). One of my concerns is that
> chkconfig might have some internal check for the uid of the calling
> user, ergo blocking this account from running the utility irrespective
> of my selinux policy, is my worry legitimate or am I imagining things ?
>
> My approach was to try to create an SElinux user with a corresponding
> SElinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or
> any other system utility usually restricted to root access only. All my
> attempts so far have failed, so my second question would be where could
> I find good documentation that applies to this specific problem ?
>
> Thank you for your support!
>
> Best Regards,
>
> Marcel
>
This seems like an issue better suited for sudo. Do you have a
limitation of some sort which is ruling out the use of sudo ?
--
Larry Brower, CCNA
Fedora Ambassador - North America
Fedora Quality Assurance
lbrower@fedoraproject.org
http://www.fedoraproject.org/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: RBAC to SELinux policy migration
2012-09-03 22:41 RBAC to SELinux policy migration Marcel Butucea
2012-09-03 22:59 ` Larry
@ 2012-09-03 23:49 ` Casey Schaufler
2012-09-04 9:32 ` Ole Kliemann
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Casey Schaufler @ 2012-09-03 23:49 UTC (permalink / raw)
To: Marcel Butucea; +Cc: selinux, Casey Schaufler
On 9/3/2012 3:41 PM, Marcel Butucea wrote:
>
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you
> with the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main
> user is allowed, through the use of RBAC roles, to run a few system
> commands like svccfg/svcadm (chkconfig on redhat).
>
> Is it possible, using only SElinux (no sudo), to allow a normal user
> to run chkconfig off/on <service> (basically giving it the ability to
> add/remove services) ?(my ultimate goal would be to allow this user to
> run other "root-only" utilities as well). One of my concerns is that
> chkconfig might have some internal check for the uid of the calling
> user, ergo blocking this account from running the utility irrespective
> of my selinux policy, is my worry legitimate or am I imagining things ?
>
You should look into capabilities, which do exactly what you want.
> My approach was to try to create an SElinux user with a corresponding
> SElinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or
> any other system utility usually restricted to root access only. All
> my attempts so far have failed, so my second question would be where
> could I find good documentation that applies to this specific problem ?
>
> Thank you for your support!
>
> Best Regards,
>
> Marcel
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: RBAC to SELinux policy migration
2012-09-03 22:41 RBAC to SELinux policy migration Marcel Butucea
2012-09-03 22:59 ` Larry
2012-09-03 23:49 ` Casey Schaufler
@ 2012-09-04 9:32 ` Ole Kliemann
2012-09-04 10:29 ` Marcel Butucea
2012-09-04 14:05 ` Stephen Smalley
4 siblings, 0 replies; 7+ messages in thread
From: Ole Kliemann @ 2012-09-04 9:32 UTC (permalink / raw)
To: Marcel Butucea; +Cc: selinux
On Mon, Sep 03, 2012 at 11:41:14PM +0100, Marcel Butucea wrote:
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you with
> the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main user is
> allowed, through the use of RBAC roles, to run a few system commands like
> svccfg/svcadm (chkconfig on redhat).
>
> Is it possible, using only SElinux (no sudo), to allow a normal user to run
> chkconfig off/on <service> (basically giving it the ability to add/remove
> services) ?(my ultimate goal would be to allow this user to run other
> "root-only" utilities as well). One of my concerns is that chkconfig might
> have some internal check for the uid of the calling user, ergo blocking
> this account from running the utility irrespective of my selinux policy, is
> my worry legitimate or am I imagining things ?
To clarify the question: You want a user (uid!=0) to perform
operations on the system that require uid==0?
In that case: SELinux is an independent addition to the
traditional linux permissions (DAC). If DAC requires you to have
uid==0, SELinux can't override that for you. In short: With
SELinux you can only deny stuff that was allowed, not allow what
was denied.
> All my attempts so far have failed, so my second question would be where
> could I find good documentation that applies to this specific problem ?
The only real documentation I know of is the 'SELinux Notebook'
by Richard Haines. It's a good reference. You might want to start
there.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: RBAC to SELinux policy migration
2012-09-03 22:41 RBAC to SELinux policy migration Marcel Butucea
` (2 preceding siblings ...)
2012-09-04 9:32 ` Ole Kliemann
@ 2012-09-04 10:29 ` Marcel Butucea
2012-09-04 14:33 ` Radzykewycz, T (Radzy)
2012-09-04 14:05 ` Stephen Smalley
4 siblings, 1 reply; 7+ messages in thread
From: Marcel Butucea @ 2012-09-04 10:29 UTC (permalink / raw)
To: selinux
Clarifying to avoid confusion:
1. I assumed I would be able to allow a user the ability to run system
utilities like tcpdump, chkconfig, etc. by using selinux (either by using
domain transitions or applying a sysadm_u context to the user or ...)
Is that correct ?
2. I am not sure capabilities can do that, my understanding was that they
work on a per file basis not per user.....
3. If the uid is checked by the utility I won't be able to work around that
by means of selinux, right ?
Regards,
Marcel
On 3 September 2012 23:41, Marcel Butucea <marcelbutucea@gmail.com> wrote:
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you with
> the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main user is
> allowed, through the use of RBAC roles, to run a few system commands like
> svccfg/svcadm (chkconfig on redhat).
>
> Is it possible, using only SElinux (no sudo), to allow a normal user to
> run chkconfig off/on <service> (basically giving it the ability to
> add/remove services) ?(my ultimate goal would be to allow this user to run
> other "root-only" utilities as well). One of my concerns is that
> chkconfig might have some internal check for the uid of the calling user,
> ergo blocking this account from running the utility irrespective of my
> selinux policy, is my worry legitimate or am I imagining things ?
>
> My approach was to try to create an SElinux user with a corresponding
> SElinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or any
> other system utility usually restricted to root access only. All my
> attempts so far have failed, so my second question would be where could I
> find good documentation that applies to this specific problem ?
>
> Thank you for your support!
>
> Best Regards,
>
> Marcel
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: RBAC to SELinux policy migration
2012-09-04 10:29 ` Marcel Butucea
@ 2012-09-04 14:33 ` Radzykewycz, T (Radzy)
0 siblings, 0 replies; 7+ messages in thread
From: Radzykewycz, T (Radzy) @ 2012-09-04 14:33 UTC (permalink / raw)
To: Marcel Butucea, selinux@tycho.nsa.gov; +Cc: Radzykewycz, T (Radzy)
One thing that hasn't yet been mentioned:
Using DAC, you can always set the file permission on the utilities you need so that the SUID bit is set and the file is owned by root.
If you "chown root tcpdump ; chmod 4755 tcpdump", then anyone can execute tcpdump, regardless of their UID and without sudo.
You can then use SELinux to restrict that, so that only some users can use tcpdump, or put other restrictions on it.
This is not a pure SELinux solution, which is what you requested, though.
________________________________________
From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf of Marcel Butucea [marcelbutucea@gmail.com]
Sent: Tuesday, September 04, 2012 3:29 AM
To: selinux@tycho.nsa.gov
Subject: Re: RBAC to SELinux policy migration
Clarifying to avoid confusion:
1. I assumed I would be able to allow a user the ability to run system utilities like tcpdump, chkconfig, etc. by using selinux (either by using domain transitions or applying a sysadm_u context to the user or ...)
Is that correct ?
2. I am not sure capabilities can do that, my understanding was that they work on a per file basis not per user.....
3. If the uid is checked by the utility I won't be able to work around that by means of selinux, right ?
Regards,
Marcel
On 3 September 2012 23:41, Marcel Butucea <marcelbutucea@gmail.com> wrote:
Hello SELinux Team,
As I am a beginner in deciphering the depths of SELinux I come to you with the following predicament in hope of guidance and help:
We are migrating an application from Solaris to Linux and the main user is allowed, through the use of RBAC roles, to run a few system commands like svccfg/svcadm (chkconfig on redhat).
Is it possible, using only SElinux (no sudo), to allow a normal user to run chkconfig off/on <service> (basically giving it the ability to add/remove services) ?(my ultimate goal would be to allow this user to run other "root-only" utilities as well). One of my concerns is that chkconfig might have some internal check for the uid of the calling user, ergo blocking this account from running the utility irrespective of my selinux policy, is my worry legitimate or am I imagining things ?
My approach was to try to create an SElinux user with a corresponding SElinux role that manages the app's domain/type and is allowed to transition to all other domains required to run chkconfig, tcpdump or any other system utility usually restricted to root access only. All my attempts so far have failed, so my second question would be where could I find good documentation that applies to this specific problem ?
Thank you for your support!
Best Regards,
Marcel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: RBAC to SELinux policy migration
2012-09-03 22:41 RBAC to SELinux policy migration Marcel Butucea
` (3 preceding siblings ...)
2012-09-04 10:29 ` Marcel Butucea
@ 2012-09-04 14:05 ` Stephen Smalley
4 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2012-09-04 14:05 UTC (permalink / raw)
To: Marcel Butucea; +Cc: selinux, Daniel J Walsh
On Mon, 2012-09-03 at 23:41 +0100, Marcel Butucea wrote:
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you
> with the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main
> user is allowed, through the use of RBAC roles, to run a few system
> commands like svccfg/svcadm (chkconfig on redhat).
>
> Is it possible, using only SElinux (no sudo), to allow a normal user
> to run chkconfig off/on <service> (basically giving it the ability to
> add/remove services) ?(my ultimate goal would be to allow this user to
> run other "root-only" utilities as well). One of my concerns is that
> chkconfig might have some internal check for the uid of the calling
> user, ergo blocking this account from running the utility irrespective
> of my selinux policy, is my worry legitimate or am I imagining things ?
>
> My approach was to try to create an SElinux user with a corresponding
> SElinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or
> any other system utility usually restricted to root access only. All
> my attempts so far have failed, so my second question would be where
> could I find good documentation that applies to this specific problem ?
>
> Thank you for your support!
Not possible via SELinux alone, as presently we don't provide a way to
grant capabilities that would not otherwise be granted, only to further
restrict them. There were patches floated to support that kind of
functionality but they were shouted down by the mob.
So you need to use something else (sudo or file caps or whatever) to
first grant the capabilities, and then you can use SELinux to help lock
down the user to only what is required. sudo does have SELinux support
these days, both via command-line options and sudoers configuration.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 7+ messages in thread
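Added example, not part of any message in this thread: a shell check that tells apart the two DAC-side grants the replies name (a setuid-root binary and file capabilities) from an unprivileged run, by reading the Uid and CapEff fields of /proc/<pid>/status. The function names and the three status excerpts are constructed for illustration; the capability numbers are the ones in <linux/capability.h>.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed.
# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Constructed /proc/<pid>/status excerpts for tcpdump started by uid 1000.
# Uid columns are: real, effective, saved, filesystem.
# 1) setuid-root binary: effective uid 0 and a full capability set.
SAMPLE_SETUID='Name: tcpdump
Uid: 1000 0 0 0
CapEff: 0000001fffffffff'
# 2) binary with file capabilities: still uid 1000, only bits 12 and 13 set.
SAMPLE_FILECAPS='Name: tcpdump
Uid: 1000 1000 1000 1000
CapEff: 0000000000003000'
# 3) plain binary: uid 1000, no capabilities.
SAMPLE_PLAIN='Name: tcpdump
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'

# status_field TEXT KEY N: print the N-th value on the "KEY:" line.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" -v c="$3" '$1 == k { print $(c + 1); exit }'
}

# has_cap TEXT CAPNUM: succeed if bit CAPNUM is set in the effective set.
has_cap() {
    mask=$(status_field "$1" CapEff 1)
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# classify TEXT CAPNUM: report how (or whether) the process holds CAPNUM.
classify() {
    euid=$(status_field "$1" Uid 2)
    if [ "$euid" = 0 ]; then
        echo root
    elif has_cap "$1" "$2"; then
        echo capability-without-root
    else
        echo unprivileged
    fi
}
```

On a live system, pass "$(cat /proc/PID/status)" as the first argument. A "capability-without-root" result is the narrower grant: the process holds only the listed bits, and SELinux policy can then restrict which domains may use them.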