04-09-2010, 05:29 AM
KaiGai Kohei

revise roles/dbadm.te (dbadm.pp is not available in selinux-policy package)

(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated. I prefer to think in terms of two different roles.
> Login Roles, and Roles to execute in when you have privileges (IE Root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.

The attached patch revises roles/dbadm.te (to be applied on the upstream
reference policy). It uses userdom_base_user_template() instead of
userdom_unpriv_user_template(), and should be launched via sudo/newrole.
By default, it intends the dbadm_r role to be launched from the staff_r role.

What I did:
[root@saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
[root@saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
[root@saba ~]# semanage login -a -s ymj_u ymj

[root@saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers

[root@saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/ymj_u

[root@saba ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r
[root@saba ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
ymj                  ymj_u                s0

[root@saba ~]# ssh ymj@localhost
ymj@localhost's password:
Last login: Fri Apr 9 13:59:32 2010 from localhost
[ymj@saba ~]$ id -Z
ymj_u:staff_r:staff_t:s0

[ymj@saba ~]$ sudo service sepostgresql restart
Stopping sepostgresql service: [ OK ]
Starting sepostgresql service: [ OK ]

[ymj@saba ~]$ ps -AZ | grep sepostgres
ymj_u:system_r:postgresql_t:s0 1171 ?        00:00:01 sepostgres
ymj_u:system_r:postgresql_t:s0 1176 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1177 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1178 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1179 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1180 ?        00:00:00 sepostgres

[ymj@saba ~]$ newrole -r dbadm_r -t dbadm_t
Password:
[ymj@saba ~]$ psql postgres
psql (8.4.3, server 9.0alpha5)
WARNING: psql version 8.4, server version 9.0.
Some psql features might not work.
Type "help" for help.

postgres=> SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------
ymj_u:dbadm_r:dbadm_t:s0
(1 row)

postgres=> CREATE TABLE my_table (a int, b text);
CREATE TABLE
postgres=> SELECT * FROM my_table;
ERROR: SELinux: security policy violation

> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.


--
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
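The provisioning steps above (SELinux user, login mapping, default-context file, sudoers rule granting the admin role for one command), collected into a script with the checks a practitioner would add. This is an added example, not KaiGai's script and not part of the reference policy. It assumes the dbadm module is already installed with semodule, that the policy store is "targeted", that sudo was built with SELinux support (otherwise TYPE=/ROLE= in sudoers are not understood), and it reuses the names ymj, ymj_u, staff_r, dbadm_r and dbadm_t from the post only as an illustration. With DRYRUN=1 (the default) it prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: provision a confined login
# user whose login role is staff_r and who reaches dbadm_r only via
# sudo/newrole. Assumptions: dbadm.pp already installed, "targeted"
# policy store, sudo built with SELinux support. DRYRUN=1 only prints.
set -eu

POLICY_DIR=${POLICY_DIR:-/etc/selinux/targeted}
DRYRUN=${DRYRUN:-1}

# Execute a privileged command, or print it (quoting args with spaces) in dry-run mode.
run() {
    if [ "$DRYRUN" = 1 ]; then
        out=
        for a in "$@"; do
            case $a in *" "*) a="'$a'" ;; esac
            out="$out${out:+ }$a"
        done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# The login role must be in the role set or the user cannot log in at all;
# the admin role must be there or newrole/sudo has nothing to switch to.
# usage: validate_roles "<role list>" <login_role> <admin_role>
validate_roles() {
    case " $1 " in
        *" $2 "*) ;;
        *) echo "login role $2 missing from '$1'" >&2; return 1 ;;
    esac
    case " $1 " in
        *" $3 "*) ;;
        *) echo "admin role $3 missing from '$1'" >&2; return 1 ;;
    esac
    return 0
}

# One sudoers line that runs a single command in the admin role/type.
# Keep the command specific: with ALL the role switch is a free privilege upgrade.
# usage: sudoers_rule <login> <role> <type> <command>
sudoers_rule() {
    printf '%s ALL=(ALL) TYPE=%s ROLE=%s NOPASSWD: %s\n' "$1" "$3" "$2" "$4"
}

# usage: provision <login> <seuser> <login_role> <admin_role> <admin_type>
provision() {
    login=$1 seuser=$2 lrole=$3 arole=$4 atype=$5
    roles="$arole $lrole system_r"
    validate_roles "$roles" "$lrole" "$arole"

    # -a creates the SELinux user; -m is needed if it already exists.
    if [ "$DRYRUN" = 1 ] || ! semanage user -l | grep -q "^$seuser "; then
        run semanage user -a -P user -r s0-s0:c0.c1023 -R "$roles" "$seuser"
    else
        run semanage user -m -P user -r s0-s0:c0.c1023 -R "$roles" "$seuser"
    fi
    run semanage login -a -s "$seuser" "$login"

    # Default-context file: copy the login role's file (staff_r -> staff_u)
    # so an ssh login lands in the login role, not in the admin role.
    run cp "$POLICY_DIR/contexts/users/${lrole%_r}_u" "$POLICY_DIR/contexts/users/$seuser"

    # Use a drop-in validated by visudo instead of appending to /etc/sudoers.
    rule=$(sudoers_rule "$login" "$arole" "$atype" /sbin/service)
    if [ "$DRYRUN" = 1 ]; then
        printf '# /etc/sudoers.d/%s:\n%s\n' "$login" "$rule"
    else
        printf '%s\n' "$rule" > "/etc/sudoers.d/$login"
        chmod 0440 "/etc/sudoers.d/$login"
        visudo -c -f "/etc/sudoers.d/$login"
    fi
}

provision ymj ymj_u staff_r dbadm_r dbadm_t
```

After running it for real (DRYRUN=0), the same checks as in the post apply: `semanage user -l` and `semanage login -l` should show the new entries, `id -Z` after login should report the login role (staff_r), and only `sudo /sbin/service ...` or `newrole -r dbadm_r -t dbadm_t` should yield dbadm_r.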