From: kaigai@ak.jp.nec.com (KaiGai Kohei)
Date: Fri, 09 Apr 2010 14:29:54 +0900
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
In-Reply-To: <4BBDC8E5.1050307@redhat.com>
References: <4BBD28D0.8080204@ak.jp.nec.com> <20100408082729.GE25042@localhost.localdomain> <4BBDC8E5.1050307@redhat.com>
Message-ID: <4BBEBB52.9090907@ak.jp.nec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated, I prefer to think in terms of two different roles:
> Login Roles, and Roles to execute in when you have privileges (i.e. root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid; most people use it as an Admin Role.
>
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.

The attached patch revises roles/dbadm.te (to be applied on the upstream
reference policy). It uses userdom_base_user_template() instead of
userdom_unpriv_user_template(), and the role should be entered via
sudo/newrole. By default, it intends the dbadm_r role to be entered from
the staff_r role.
What I did:

  [root@saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
  [root@saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
  [root@saba ~]# semanage login -a -s ymj_u ymj
  [root@saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers
  [root@saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u \
                    /etc/selinux/targeted/contexts/users/ymj_u
  [root@saba ~]# semanage user -l

                  Labeling   MLS/       MLS/
  SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

  guest_u         user       s0         s0               guest_r
  root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
  staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
  sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
  system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
  unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
  user_u          user       s0         s0               user_r
  webadm_u        user       s0         s0               webadm_r
  xguest_u        user       s0         s0               xguest_r
  ymj_u           user       s0         s0-s0:c0.c1023   dbadm_r staff_r system_r

  [root@saba ~]# semanage login -l

  Login Name      SELinux User    MLS/MCS Range

  __default__     unconfined_u    s0-s0:c0.c1023
  root            unconfined_u    s0-s0:c0.c1023
  system_u        system_u        s0-s0:c0.c1023
  ymj             ymj_u           s0

  [root@saba ~]# ssh ymj@localhost
  ymj@localhost's password:
  Last login: Fri Apr  9 13:59:32 2010 from localhost
  [ymj@saba ~]$ id -Z
  ymj_u:staff_r:staff_t:s0
  [ymj@saba ~]$ sudo service sepostgresql restart
  Stopping sepostgresql service:                             [  OK  ]
  Starting sepostgresql service:                             [  OK  ]
  [ymj@saba ~]$ ps -AZ | grep sepostgres
  ymj_u:system_r:postgresql_t:s0   1171 ?        00:00:01 sepostgres
  ymj_u:system_r:postgresql_t:s0   1176 ?        00:00:00 sepostgres
  ymj_u:system_r:postgresql_t:s0   1177 ?        00:00:00 sepostgres
  ymj_u:system_r:postgresql_t:s0   1178 ?        00:00:00 sepostgres
  ymj_u:system_r:postgresql_t:s0   1179 ?        00:00:00 sepostgres
  ymj_u:system_r:postgresql_t:s0   1180 ?        00:00:00 sepostgres
  [ymj@saba ~]$ newrole -r dbadm_r -t dbadm_t
  Password:
  [ymj@saba ~]$ psql postgres
  psql (8.4.3, server 9.0alpha5)
  WARNING: psql version 8.4, server version 9.0.
           Some psql features might not work.
  Type "help" for help.

  postgres=> SELECT sepgsql_getcon();
        sepgsql_getcon
  --------------------------
   ymj_u:dbadm_r:dbadm_t:s0
  (1 row)

  postgres=> CREATE TABLE my_table (a int, b text);
  CREATE TABLE
  postgres=> SELECT * FROM my_table;
  ERROR:  SELinux: security policy violation

> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
KaiGai Kohei

-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm-revise.1.patch
Type: text/x-patch
Size: 1827 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100409/b4a9094c/attachment.bin
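As an added example (not part of the mail above or of the refpolicy patch), a small audit script that parses the kind of "semanage user -l" and "semanage login -l" listings shown in the session and checks that a login such as ymj follows the two-role design Dan describes: it enters through staff_r, can reach dbadm_r, and does not also carry sysadm_r or unconfined_r. The listings are constructed samples modelled on that output, and the set of roles treated as directly privileged is an assumption of this check.

```python
# Added example: audit the SELinux user/login mapping from `semanage` output.
# Both listings are constructed samples modelled on the session in the mail.
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
ymj_u           user       s0         s0-s0:c0.c1023   dbadm_r staff_r system_r
"""
SEMANAGE_LOGIN_L = """\
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
ymj             ymj_u           s0
"""

# Roles that make a login directly privileged instead of "confined login,
# then newrole/sudo into an admin role" (assumed policy for this check).
PRIVILEGED_ROLES = {"sysadm_r", "unconfined_r"}
HEADER_PREFIXES = ("Labeling", "SELinux User", "Login Name")

def parse_users(text):
    """Map SELinux user -> set of roles (columns: user prefix level range roles...)."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.lstrip().startswith(HEADER_PREFIXES):
            users[fields[0]] = set(fields[4:])
    return users

def parse_logins(text):
    """Map Linux login -> SELinux user (columns: login seuser range)."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith(HEADER_PREFIXES):
            logins[fields[0]] = fields[1]
    return logins

def audit_login(login, users, logins, login_role="staff_r", admin_role="dbadm_r"):
    """Findings for one login; an empty list means it matches the two-role design."""
    if login not in logins:
        return [f"{login}: no explicit mapping, falls back to __default__"]
    seuser = logins[login]
    roles = users.get(seuser, set())
    findings = [f"{login}: {seuser} lacks {r}" for r in (login_role, admin_role) if r not in roles]
    findings += [f"{login}: {seuser} also carries {r}" for r in sorted(roles & PRIVILEGED_ROLES)]
    return findings
```

Run against real output by feeding the two listings from the target host into parse_users() and parse_logins(); a login that resolves to a user with an empty findings list is confined as intended.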