From: kaigai@ak.jp.nec.com (KaiGai Kohei)
Date: Fri, 09 Apr 2010 14:29:54 +0900
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not
 available in selinux-policy package)
In-Reply-To: <4BBDC8E5.1050307@redhat.com>
References: <4BBD28D0.8080204@ak.jp.nec.com>	<20100408082729.GE25042@localhost.localdomain>
	<4BBDC8E5.1050307@redhat.com>
Message-ID: <4BBEBB52.9090907@ak.jp.nec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

(2010/04/08 21:15), Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> As Dominick stated.  I prefer to think in terms of two different roles.
>   Login Roles, and Roles to execute in when you have privileges (IE Root).
> 
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
> 
> Three interfaces can be used to create confined login users.
> 
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
> 
> 
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
> 
> The following interface can be used to create an Admin ROle
> userdom_base_user_template(logadm)
> 
> 
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
> 
> 
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.

The attached patch revises roles/dbadm.te (to be applied on the upstream
reference policy). It uses userdom_base_user_template() instead of the
userdom_unpriv_user_template(), and should be launched via sudo/newrole.
In the default, it intends the dbadm_r role to be launched by staff_r role.

What I did)
[root at saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
[root at saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
[root at saba ~]# semanage login -a -s ymj_u ymj

[root at saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers

[root at saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u \
                  /etc/selinux/targeted/contexts/users/ymj_u

[root at saba ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r
[root at saba ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
ymj                       ymj_u                     s0

[root at saba ~]# ssh ymj at localhost
ymj at localhost's password:
Last login: Fri Apr  9 13:59:32 2010 from localhost
[ymj at saba ~]$ id -Z
ymj_u:staff_r:staff_t:s0

[ymj at saba ~]$ sudo service sepostgresql restart
Stopping sepostgresql service:                             [  OK  ]
Starting sepostgresql service:                             [  OK  ]

[ymj at saba ~]$ ps -AZ | grep sepostgres
ymj_u:system_r:postgresql_t:s0   1171 ?        00:00:01 sepostgres
ymj_u:system_r:postgresql_t:s0   1176 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1177 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1178 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1179 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1180 ?        00:00:00 sepostgres

[ymj at saba ~]$ newrole -r dbadm_r -t dbadm_t
Password:
[ymj at saba ~]$ psql postgres
psql (8.4.3, server 9.0alpha5)
WARNING: psql version 8.4, server version 9.0.
         Some psql features might not work.
Type "help" for help.

postgres=> SELECT sepgsql_getcon();
      sepgsql_getcon
--------------------------
 ymj_u:dbadm_r:dbadm_t:s0
(1 row)

postgres=> CREATE TABLE my_table (a int, b text);
CREATE TABLE
postgres=> SELECT * FROM my_table;
ERROR:  SELinux: security policy violation

> Of course you are free to design your own system creating fully login
> admin roles. Or creating addinitional non admin user roles.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAku9yOUACgkQrlYvE4MpobNZBQCgh5RdBRm1ZPjtHNqI5Jf3UHRs
> Bw0An3cao7Jw/TJUiS6LqB5C6C5ajyhd
> =q1nL
> -----END PGP SIGNATURE-----
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 


-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm-revise.1.patch
Type: text/x-patch
Size: 1827 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100409/b4a9094c/attachment.bin