From: Casey Schaufler <casey@schaufler-ca.com>
To: Marcel Butucea <marcelbutucea@gmail.com>
Cc: selinux@tycho.nsa.gov, Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: RBAC to SELinux policy migration
Date: Mon, 03 Sep 2012 16:49:18 -0700
Message-ID: <504541FE.2010406@schaufler-ca.com>
In-Reply-To: <CADxHy9eYOVaVK22ZCi_UregXFwsOwtb1B=Tyygh=87tECsYwhg@mail.gmail.com>
On 9/3/2012 3:41 PM, Marcel Butucea wrote:
>
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux, I come to you
> with the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main
> user is allowed, through the use of RBAC roles, to run a few system
> commands like svccfg/svcadm (chkconfig on Red Hat).
>
> Is it possible, using only SELinux (no sudo), to allow a normal user
> to run chkconfig off/on <service> (basically giving it the ability to
> add/remove services)? (My ultimate goal would be to allow this user to
> run other "root-only" utilities as well.) One of my concerns is that
> chkconfig might have some internal check for the uid of the calling
> user, ergo blocking this account from running the utility irrespective
> of my SELinux policy. Is my worry legitimate, or am I imagining things?
>
You should look into capabilities, which do exactly what you want.
> My approach was to try to create an SELinux user with a corresponding
> SELinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or
> any other system utility usually restricted to root access only. All
> my attempts so far have failed, so my second question would be where
> I could find good documentation that applies to this specific problem?
>
> Thank you for your support!
>
> Best Regards,
>
> Marcel
>
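The capability route Casey points at, as an added example that is not part of this thread: a POSIX sh helper that decodes the CapEff mask the kernel reports in /proc/<pid>/status, so an administrator can confirm which capabilities a process actually holds (for tcpdump that would be CAP_NET_RAW and CAP_NET_ADMIN, set on the binary with setcap). The capability numbers are the ones from <linux/capability.h>; the function and variable names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: decode a Linux capability mask such as
# the CapEff line of /proc/<pid>/status. Capability numbers follow
# <linux/capability.h>; only a few are named here, the rest print as cap_N.

cap_name() {
    case "$1" in
        0) echo cap_chown ;;
        1) echo cap_dac_override ;;
        2) echo cap_dac_read_search ;;
        5) echo cap_kill ;;
        6) echo cap_setgid ;;
        7) echo cap_setuid ;;
        12) echo cap_net_admin ;;
        13) echo cap_net_raw ;;
        21) echo cap_sys_admin ;;
        *) echo "cap_$1" ;;
    esac
}

# has_cap <hex mask> <cap number>: exit 0 if that bit is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# decode_caps <hex mask>: space-separated names of the capabilities in the mask
decode_caps() {
    out=""; i=0
    while [ "$i" -lt 64 ]; do
        if has_cap "$1" "$i"; then
            out="${out:+$out }$(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# proc_capeff [pid]: effective capability mask of a process (default: this shell)
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# A file capability granted with e.g.
#   setcap cap_net_raw,cap_net_admin=ep /usr/sbin/tcpdump
# shows up in CapEff of the running process; an unprivileged shell prints nothing.
if [ -r /proc/self/status ]; then
    echo "effective caps of this shell: $(decode_caps "$(proc_capeff)")"
fi
```

This only shows what the kernel grants; whether a tool such as chkconfig additionally insists on uid 0 inside its own code (the concern raised in the question) has to be checked against the tool itself.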