Old 04-08-2010, 12:52 AM
KaiGai Kohei
 
Subject: dbadm.pp is not available in selinux-policy package

It seems to me the latest selinux-policy package forgot to build
dbadm package, although its interface file is distributed.

[kaigai@saba ~]$ rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch
[kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
/usr/share/selinux/devel/include/roles/dbadm.if

However,

[kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm

Perhaps, modules-targeted.conf of the selinux-policy spec was not
updated when it upgraded to the upstream policy which contains
dbadm.*.

Could you fix it?

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-08-2010, 07:05 AM
Dominick Grift
 
Subject: dbadm.pp is not available in selinux-policy package

On Thu, Apr 08, 2010 at 09:52:32AM +0900, KaiGai Kohei wrote:
> It seems to me the latest selinux-policy package forgot to build
> dbadm package, although its interface file is distributed.
>
> [kaigai@saba ~]$ rpm -q selinux-policy
> selinux-policy-3.7.15-4.fc13.noarch
> [kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
> /usr/share/selinux/devel/include/roles/dbadm.if
>
> However,
>
> [kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
>
> Perhaps, modules-targeted.conf of the selinux-policy spec was not
> updated when it upgraded to the upstream policy which contains
> dbadm.*.
>
> Could you fix it?
>
> Thanks,

dbadm.if is what was previously considered a devel file (selinux-policy-devel).
However, for a while now the selinux-policy-devel package has been migrated into the selinux-policy package.

The selinux-policy package is always installed (it is a dependency for any selinux-policy model package).

Conclusion: This is proper and as expected. Development files are packaged into selinux-policy and not selinux-policy-%{model}.

But it does not matter because: if you have selinux-policy-%{model} installed, then you also have selinux-policy installed (dependency).

This brings me to another issue:

[root@localhost sysconfig]# repoquery -ql mod_selinux
/etc/httpd/conf.d/mod_selinux.conf
/usr/lib64/httpd/modules/mod_selinux.so
/usr/share/doc/mod_selinux-2.2.2454
/usr/share/doc/mod_selinux-2.2.2454/LICENSE
/usr/share/doc/mod_selinux-2.2.2454/README
/usr/share/selinux/mls/mod_selinux.pp
/usr/share/selinux/targeted/mod_selinux.pp

[root@localhost sysconfig]# yum whatprovides *mod_selinux.if
No Matches found


People have been wanting to develop some modification/extension to your mod_selinux packages, but they encountered a missing /usr/share/selinux/devel/include/.../mod_selinux.if
development file.

They had to resort to extracting the mod_selinux source rpm to retrieve mod_selinux.if and put that manually in /usr/share/selinux/devel/include/../

Please consider the following:

1. Either create a mod_selinux-devel package and include mod_selinux.if
2. or alternatively add it to the mod_selinux package

So that people can develop/modify/extend it.

Thanks!


 
Old 04-08-2010, 07:07 AM
Dominick Grift
 
Subject: dbadm.pp is not available in selinux-policy package

On Thu, Apr 08, 2010 at 09:52:32AM +0900, KaiGai Kohei wrote:
> It seems to me the latest selinux-policy package forgot to build
> dbadm package, although its interface file is distributed.
>
> [kaigai@saba ~]$ rpm -q selinux-policy
> selinux-policy-3.7.15-4.fc13.noarch
> [kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
> /usr/share/selinux/devel/include/roles/dbadm.if
>
> However,
>
> [kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
>
> Perhaps, modules-targeted.conf of the selinux-policy spec was not
> updated when it upgraded to the upstream policy which contains
> dbadm.*.
>
> Could you fix it?

Whoops, ignore a large part of my previous message. I read it wrong.

Sorry.

 
Old 04-08-2010, 08:27 AM
Dominick Grift
 
Subject: dbadm.pp is not available in selinux-policy package

On Thu, Apr 08, 2010 at 09:52:32AM +0900, KaiGai Kohei wrote:
> It seems to me the latest selinux-policy package forgot to build
> dbadm package, although its interface file is distributed.
>
> [kaigai@saba ~]$ rpm -q selinux-policy
> selinux-policy-3.7.15-4.fc13.noarch
> [kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
> /usr/share/selinux/devel/include/roles/dbadm.if
>
> However,
>
> [kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
>
> Perhaps, modules-targeted.conf of the selinux-policy spec was not
> updated when it upgraded to the upstream policy which contains
> dbadm.*.
>
> Could you fix it?

I think it is not added because it is not the preferred way of configuring a dbadm.
The preferred way is to implement it the way that webadm is implemented:

dbadm.te:

policy_module(dbadm, 2.0.0)
role dbadm_r;
userdom_base_user_template(dbadm)
allow dbadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };

files_dontaudit_search_all_dirs(dbadm_t)
files_manage_generic_locks(dbadm_t)
files_list_var(dbadm_t)

selinux_get_enforce_mode(dbadm_t)
seutil_domtrans_setfiles(dbadm_t)

logging_send_syslog_msg(dbadm_t)

userdom_dontaudit_search_user_home_dirs(dbadm_t)
optional_policy(`
mysql_admin(dbadm_t, dbadm_r)
')

optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')

dbadm.if:

## <summary>DB administrator role</summary>

########################################
## <summary>
## Change to the DB administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change',`
gen_require(`
role dbadm_r;
')

allow $1 dbadm_r;
')

########################################
## <summary>
## Change from the DB administrator role.
## </summary>
## <desc>
## <p>
## Change from the DB administrator role to
## the specified role.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change_to',`
gen_require(`
role dbadm_r;
')

allow dbadm_r $1;
')

Patch to staff.te:

policy_module(mystaff, 1.0.0)
gen_require(`
type staff_t;
role staff_r;
')

optional_policy(`
dbadm_role_change(staff_r)
')

make -f /usr/share/selinux/devel/Makefile mystaff dbadm
sudo semodule -i mystaff dbadm
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r webadm_r dbadm_r unconfined_r" -P user staff_u
useradd -Z staff_u testuser
passwd testuser
echo "testuser ALL=(ALL) ALL" >> /etc/sudoers
(.. login as testuser ..)
sudo -r dbadm_r -t dbadm_t service mysqld restart
(to enter dbadm root shell)
sudo -r dbadm_r -t dbadm_t -s
(to enter webadm root shell)
sudo -r webadm_r -t webadm_t -s
(to enter unconfined root shell)
sudo -r unconfined_r -t unconfined_t -s

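The dbadm.if fragment above is a small instance of the reference-policy interface file format, and the mystaff.te patch shows why a reviewer cares about it: the one-line call `dbadm_role_change(staff_r)` is what actually adds an `allow staff_r dbadm_r;` role rule, so every staff_u login gains a path to the database administrator role. The Python script below is an added example, not code from this thread or from selinux-policy. It parses `interface()` blocks (summary, parameters, `gen_require` entries and `allow` rules) and then expands the calls made by a .te module, so the role allow rules a local module really adds can be listed before it is loaded with semodule. The sample texts are constructed from the fragments in the post; the m4 quote counting assumes no stray apostrophes outside comments, which holds for these fragments.

```python
"""Parse reference-policy .if interface files and expand the calls a .te module
makes, to list the role allow rules the module adds (added example, constructed
from the dbadm.if / mystaff.te fragments posted in the thread)."""
import re

# Constructed sample: the two dbadm.if interfaces from the post.
DBADM_IF = """\
## <summary>DB administrator role</summary>
########################################
## <summary>
## Change to the DB administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change',`
gen_require(`
role dbadm_r;
')
allow $1 dbadm_r;
')
########################################
## <summary>
## Change from the DB administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change_to',`
gen_require(`
role dbadm_r;
')
allow dbadm_r $1;
')
"""

# Constructed sample: the mystaff.te patch from the post.
MYSTAFF_TE = """\
policy_module(mystaff, 1.0.0)
gen_require(`
type staff_t;
role staff_r;
')
optional_policy(`
dbadm_role_change(staff_r)
')
"""

IFACE_RE = re.compile(r"^interface\(`(\w+)',`\s*$")
REQUIRE_RE = re.compile(r"^(type|role|attribute)\s+(\w+);$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+);$")
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_interfaces(text):
    """Return {name: {summary, params, rolecap, requires, allows}} per interface() block."""
    ifaces, doc, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            if line.startswith("####"):          # separator: start a fresh doc comment
                doc = []
            elif line.startswith("##"):          # XML-style doc comment line
                doc.append(line[2:].strip())
            else:
                m = IFACE_RE.match(line)
                if m:
                    docstr = " ".join(doc)
                    params = re.findall(r'<param name="(\w+)">\s*<summary>\s*(.*?)\s*</summary>', docstr)
                    s = re.search(r"<summary>\s*(.*?)\s*</summary>", re.sub(r"<param.*?</param>", "", docstr))
                    cur = {"name": m.group(1), "summary": s.group(1) if s else "", "params": params,
                           "rolecap": "<rolecap/>" in docstr, "requires": [], "allows": [], "depth": 1}
                    doc = []
            continue
        # Inside a body: track m4 quote depth (` opens, ' closes) to find the closing ')
        if not line.startswith("#"):
            cur["depth"] += line.count("`") - line.count("'")
        if cur["depth"] <= 0:
            del cur["depth"]
            ifaces[cur["name"]] = cur
            cur = None
            continue
        m = REQUIRE_RE.match(line)
        if m:
            cur["requires"].append((m.group(1), m.group(2)))
        m = ALLOW_RE.match(line)
        if m:
            cur["allows"].append((m.group(1), m.group(2)))
    return ifaces


def expand_module(te_text, ifaces):
    """Expand each known interface call in a .te module into (interface, source, target)
    allow rules, substituting $1, $2, ... with the call's arguments."""
    rules = []
    for raw in te_text.splitlines():
        m = CALL_RE.match(raw.strip())
        if not m or m.group(1) not in ifaces:    # skips policy_module(), optional_policy(` etc.
            continue
        args = [a.strip() for a in m.group(2).split(",")]
        sub = lambda tok: args[int(tok[1:]) - 1] if tok.startswith("$") else tok
        rules.extend((m.group(1), sub(src), sub(tgt)) for src, tgt in ifaces[m.group(1)]["allows"])
    return rules


def roles_reachable_from(role, rules):
    """Roles a login role may change to according to the expanded role allow rules."""
    return sorted({tgt for _, src, tgt in rules if src == role})


if __name__ == "__main__":
    ifaces = parse_interfaces(DBADM_IF)
    for name, i in ifaces.items():
        print(f"{name}: {i['summary']} params={i['params']} requires={i['requires']}")
    rules = expand_module(MYSTAFF_TE, ifaces)
    for iface, src, tgt in rules:
        print(f"{iface} -> allow {src} {tgt};")
    print("staff_r may change to:", roles_reachable_from("staff_r", rules))
```

Run against the constructed fragments, the script reports that mystaff adds exactly `allow staff_r dbadm_r;`, which is the same fact the `semanage user -m ... -R "staff_r ... dbadm_r"` step in the post relies on: the role change is only usable once both the policy rule and the SELinux user's role list permit it.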
 
Old 04-08-2010, 11:57 AM
Daniel J Walsh
 
Subject: dbadm.pp is not available in selinux-policy package


On 04/07/2010 08:52 PM, KaiGai Kohei wrote:
> It seems to me the latest selinux-policy package forgot to build
> dbadm package, although its interface file is distributed.
>
> [kaigai@saba ~]$ rpm -q selinux-policy
> selinux-policy-3.7.15-4.fc13.noarch
> [kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
> /usr/share/selinux/devel/include/roles/dbadm.if
>
> However,
>
> [kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
>
> Perhaps, modules-targeted.conf of the selinux-policy spec was not
> updated when it upgraded to the upstream policy which contains
> dbadm.*.
>
> Could you fix it?
>
> Thanks,

We ship all the interface files from reference policy; however, we do not
ship all of the policy. That way you can build policy and optionally
install modules.
 
Old 04-08-2010, 12:15 PM
Daniel J Walsh
 
Subject: dbadm.pp is not available in selinux-policy package


As Dominick stated, I prefer to think in terms of two different roles:
login roles, and roles to execute in when you have privileges (i.e. root).

Login Roles/Types
staff_t, user_t, unconfined_t, xguest_t, guest_t

Three interfaces can be used to create confined login users.

userdom_restricted_user_template(guest)
userdom_restricted_xwindows_user_template(xguest)
userdom_unpriv_user_template(staff)


Admin Roles/Types
logadm_t, webadm_t, secadm_t, auditadm_t

The following interface can be used to create an Admin Role:
userdom_base_user_template(logadm)


sysadm_t is sort of a hybrid, most people use it as an Admin Role.


I imagine that you login as a confined user and then use sudo/newrole to
switch roles to one of the admin roles.

Of course you are free to design your own system, creating fully login
admin roles, or creating additional non-admin user roles.


 