From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 10 Aug 2012 08:50:40 -0400
Subject: [refpolicy] How to give _admin rights?
In-Reply-To: <50240869.2070602@tresys.com>
References: <20120809183851.GA2643@siphos.be> <50240869.2070602@tresys.com>
Message-ID: <502503A0.5060905@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/09/2012 02:58 PM, Christopher J. PeBenito wrote:
> On 08/09/12 14:38, Sven Vermeulen wrote:
>> Hi guys,
>>
>> Currently all administration I do is handled through the
>> sysadm_r:sysadm_t context. As a result, I never needed to explicitly
>> grant an admin interface (like nscd_admin) to a specific role.
>>
>> I'm now trying to allow a role (be it user_r, staff_r or a newly created
>> role) to (re)start the NSCD init script (which is labeled
>> nscd_initrc_exec_t) so I thought it would be sufficient to just add in:
>>
>>   nscd_admin(staff_t, staff_r)
>>
>> However, a user (SELinux user staff_u) doesn't seem to be able to really
>> use it properly, unless I also give that user the root password (which I
>> don't) for the run_init command...
>
> There's a couple things going on here, which center around a clash between
> run_init and labeled init scripts:
>
>> I've tried:
>>
>>   ~$ /etc/init.d/nscd status
>>   -bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter: Permission denied
>>
>> which is because of:
>>
>>   security_compute_sid: invalid context staff_u:system_r:initrc_t for scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process
>
> Fails because there was no transition to run_init_t. It needs something
> like seutil_init_script_run_runinit(), but only for using
> nscd_initrc_exec_t for the run_init_t entrypoint.
>
>> I've tried:
>>
>>   ~$ /usr/sbin/run_init /etc/init.d/nscd status
>>   Authenticating oper.
>>   Password:
>>   Could not set exec context to system_u:system_r:initrc_t
>>
>> which is because of:
>>
>>   avc: denied { setexec } for pid=18505 comm="run_init" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
>
> Same thing, but instead needs seutil_run_runinit(). But this exposes that
> with run_init right now, the usage of init labeled init scripts falls on
> its face, because when you're in run_init_t, it can transition to initrc_t
> using any entrypoint. Run_init would need to be enhanced to do some extra
> checks to see if you're permitted to run the script.
>
> [cut]
>> Is it "normal" that I would need to allow setexec for the user domain
>
> No.
>
>

One of the best things about systemd is we can finally get away from the
run_init baloney.