2010-11-17 12:54:03

by Roberto Sassu

Subject: [refpolicy] SELinux UBAC question

Sorry, I'm resending it because the first time it was rejected by the
refpolicy at oss.tresys.com mailing list.


Hi all

I'm using the Fedora 13 operating system with the shipped SELinux policy.
I want to add a basic protection for regular users by using the UBAC feature and
letting them log on to the system with the confined domain 'user_t'.
A problem that I have found when using the policy with this feature enabled
is that root logs on the system with user 'unconfined_u' or 'root' and files created
or updated after doing an administrative task cannot be accessed by regular users.
In order to have the system working I have to execute root processes that
make changes on the system with user 'system_u'.
One solution to overcome this issue may be to add an exception to the policy,
as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
tied to regular users, leaving other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
unprotected.
Is this the right way to modify the policy in order to enforce the protection
required or are there other alternatives?
Thanks in advance for replies.

Roberto Sassu


2010-11-17 13:39:39

by cpebenito

Subject: [refpolicy] SELinux UBAC question

On 11/17/10 07:54, Roberto Sassu wrote:
> I'm using the Fedora 13 operating system with the shipped SELinux policy.
> I want to add a basic protection for regular users by using the UBAC feature and
> letting them log on to the system with the confined domain 'user_t'.
> A problem that I have found when using the policy with this feature enabled
> is that root logs on the system with user 'unconfined_u' or 'root' and files created
> or updated after doing an administrative task cannot be accessed by regular users.
> In order to have the system working I have to execute root processes that
> make changes on the system with user 'system_u'.

This should only be the case for user files and domains. Other system
files, such as those in /etc, should be unaffected.

> One solution to overcome this issue may be to add an exception to the policy,
> as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
> tied to regular users, leaving other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
> unprotected.
> Is this the right way to modify the policy in order to enforce the protection
> required or are there other alternatives?

It depends on your security goals. If that still meets your goals, then
yes. I would not include this upstream as it requires separation of all
users.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
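
Added example, not part of either message and not refpolicy code: a small Python model of the UBAC decision discussed in this thread, comparing the stock 'system_u' exemption with the wider exemption proposed above. It models only the UBAC constraint (not type enforcement); the set of UBAC-constrained types, the users 'alice_u' and 'bob_u', and all sample contexts are constructed assumptions.

```python
# Simplified model of the UBAC check (illustration only; a real policy
# expresses this as a constraint and also requires type-enforcement rules).

STOCK_EXEMPT = {"system_u"}
# Exemption proposed in the thread: apply UBAC only to regular users.
PROPOSED_EXEMPT = STOCK_EXEMPT | {"sysadm_u", "staff_u", "root", "unconfined_u"}

# Assumption: types that count as "user files and domains" on this system.
UBAC_CONSTRAINED_TYPES = {"user_t", "staff_t", "user_home_t"}


def parse_context(ctx):
    """Return (user, type) from 'user:role:type[:level]'."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return fields[0], fields[2]


def ubac_allows(source_ctx, target_ctx, exempt_users):
    """True if the UBAC constraint does not block source -> target."""
    u1, t1 = parse_context(source_ctx)
    u2, t2 = parse_context(target_ctx)
    # UBAC only applies when both sides are user files/domains.
    if t1 not in UBAC_CONSTRAINED_TYPES or t2 not in UBAC_CONSTRAINED_TYPES:
        return True
    return u1 == u2 or u1 in exempt_users or u2 in exempt_users


# Constructed sample accesses: (description, source, target).
SAMPLES = [
    ("regular user reads file left by root in a user dir",
     "alice_u:user_r:user_t:s0", "root:object_r:user_home_t:s0"),
    ("regular user reads system file written by root",
     "alice_u:user_r:user_t:s0", "unconfined_u:object_r:etc_t:s0"),
    ("regular user reads another regular user's file",
     "alice_u:user_r:user_t:s0", "bob_u:object_r:user_home_t:s0"),
    ("staff user reads a regular user's file",
     "staff_u:staff_r:staff_t:s0", "alice_u:object_r:user_home_t:s0"),
]


def compare():
    """Return [(description, stock_result, proposed_result), ...]."""
    return [(d, ubac_allows(s, t, STOCK_EXEMPT), ubac_allows(s, t, PROPOSED_EXEMPT))
            for d, s, t in SAMPLES]


if __name__ == "__main__":
    for desc, stock, proposed in compare():
        print("%-52s stock=%-5s proposed=%s" % (desc, stock, proposed))
```

The last sample shows the cost of the wider exemption: exempted users are no longer separated from regular users by UBAC, so that separation has to come from other parts of the policy.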