From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 9 Aug 2012 14:58:49 -0400
Subject: [refpolicy] How to give _admin rights?
In-Reply-To: <20120809183851.GA2643@siphos.be>
References: <20120809183851.GA2643@siphos.be>
Message-ID: <50240869.2070602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/09/12 14:38, Sven Vermeulen wrote:
> Hi guys,
>
> Currently all administration I do is handled through the sysadm_r:sysadm_t
> context. As a result, I never needed to explicitly grant an admin interface
> (like nscd_admin) to a specific role.
>
> I'm now trying to allow a role (be it user_r, staff_r or a newly created
> role) to (re)start the NSCD init script (which is labeled
> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
> nscd_admin(staff_t, staff_r)
>
> However, a user (SELinux user staff_u) doesn't seem to be able to really use
> it properly, unless I also give that user the root password (which I don't)
> for the run_init command...

There are a couple of things going on here, which center around a clash
between run_init and labeled init scripts:

> I've tried:
> ~$ /etc/init.d/nscd status
> -bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter:
> Permission denied
> which is because of:
> security_compute_sid: invalid context staff_u:system_r:initrc_t for
> scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t
> tclass=process

Fails because there was no transition to run_init_t. It needs something like
seutil_init_script_run_runinit(), but only for using nscd_initrc_exec_t for
the run_init_t entrypoint.

> I've tried:
> ~$ /usr/sbin/run_init /etc/init.d/nscd status
> Authenticating oper.
> Password:
> Could not set exec context to system_u:system_r:initrc_t
> which is because of:
> avc: denied { setexec } for pid=18505 comm="run_init"
> scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t
> tclass=process

Same thing, but instead needs seutil_run_runinit().

But this exposes that with run_init right now, the usage of labeled init
scripts falls on its face, because when you're in run_init_t, it can
transition to initrc_t using any entrypoint. Run_init would need to be
enhanced to do some extra checks to see if you're permitted to run the
script.

[cut]

> Is it "normal" that I would need to allow setexec for the user domain?

No.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
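To make the two interface calls from the reply concrete, here is an added example policy module; it is not part of the thread and not refpolicy's own code. It assumes a refpolicy of the era where seutil_run_runinit() and nscd_admin() take (domain, role), that the caller's init scripts are labeled nscd_initrc_exec_t, and that domtrans_pattern() is available to modules. The module name staff_nscd_admin is hypothetical, and the hand-written rules for the direct-execution case are my guess at what a version of seutil_init_script_run_runinit() narrowed to nscd_initrc_exec_t would contain, since the stock interface covers every init script type.

```selinux
policy_module(staff_nscd_admin, 1.0.0)

########################################
#
# Added example, not from the thread or from refpolicy:
# let staff_r (re)start nscd through run_init.
#

gen_require(`
	type staff_t, run_init_t;
	type nscd_initrc_exec_t;
	role staff_r, system_r;
')

# The call from the original question.  On its own it lets staff_t execute
# nscd_initrc_exec_t with a transition straight to initrc_t, which is what
# produced "invalid context staff_u:system_r:initrc_t": staff_u is not
# authorized for system_r, and the transition never went through run_init_t.
nscd_admin(staff_t, staff_r)

# Second transcript (run_init /etc/init.d/nscd status): execute run_init in
# run_init_t, which already holds setexec.  The setexec to initrc_t is then
# done by run_init_t, so staff_t never needs setexec itself.
seutil_run_runinit(staff_t, staff_r)

# First transcript (/etc/init.d/nscd status executed directly): the reply says
# this needs something like seutil_init_script_run_runinit(), but keyed on
# nscd_initrc_exec_t only.  The stock interface transitions to run_init_t for
# every init script type; the narrowed form, written out by hand here as an
# assumption, makes nscd_initrc_exec_t an entrypoint for run_init_t and
# auto-transitions staff_t into it.
domtrans_pattern(staff_t, nscd_initrc_exec_t, run_init_t)
role staff_r types run_init_t;
allow staff_r system_r;
role_transition staff_r nscd_initrc_exec_t system_r;
```

Build it with the policy-module Makefile your distribution ships alongside the refpolicy headers and load it with `semodule -i staff_nscd_admin.pp`. The module addresses the two AVC denials in the transcripts; it does not change run_init's authentication prompt. The caveat in the reply still applies and is worth checking before granting this: `sesearch -A -s run_init_t -t initrc_t -c process -p transition` shows that run_init_t may transition to initrc_t regardless of which init script was used as the entrypoint, so once staff_t can reach run_init_t it can start any init script through run_init, not only nscd's, until run_init itself is taught to check which script the caller is allowed to run.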