Old 01-05-2012, 05:31 PM
Daniel J Walsh
 
SELinux newbie help please


On 01/05/2012 10:42 AM, Alain Williams wrote:
> I am building a new machine and am trying very hard to not do as I
> have done before and switch selinux off. I am having problems
> getting things to work.
>
> I want one user to, on login, run a script setuid root -- it needs
> to be able to read all files in one part of the file system to back
> that part up to an externally mounted USB drive.
>
> I have a small setuid root program (written in C) that just runs
> the shell script.
>
> 1) Making that setuid program user's login shell does not work. I
> could not see what to do.
>
> so I tried an intermediate step.
>
Why not use sudo? All of the code should work if he executed sudo.

> 2) Giving the user a standard bash login shell, then running the
> setuid root program at the command line does not do what I want. I
> put 'id' at the start of the script and got:
>
> uid=501(backup) gid=502(backup) groups=502(backup)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> I was expecting to see a 'uid=0'. The script then fails since it
> cannot do things that I want it to.
>
I do not think this would work with SELinux disabled either. A setuid
app has all capabilities; it will not automatically change to UID=0.

> I am running CentOS 6.
>
> I have done a lot of reading, but end up going round in circles and
> much of what I read seems to be out of date or refer to commands
> that I do not have.
>
> I understand that I ought to perhaps produce a specific security
> profile for the 'backup' user - but can't see how to start.
>
> Any pointers would be gratefully received.
>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
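The `uid=501(backup)` line above, with no `euid=` shown, is what `id` prints when the effective uid has already fallen back to the real uid: the setuid bit only raises the effective uid, and bash started without `-p` drops it again before the script runs. The following diagnostic is an added example (not the poster's wrapper or anything from the list); run it in place of `id` at the top of the script to see the real, effective and saved uids and the SELinux context. It assumes a Linux host with `/proc` mounted.

```c
/* Added example: diagnostic to run instead of `id` at the top of the backup
 * script. Shows the real/effective/saved uid triple and the SELinux context
 * so that a dropped setuid can be told apart from an SELinux denial. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Classify a (real, effective, saved) uid triple. A setuid-root binary starts
 * with real=caller, effective=0, saved=0; bash started from it without -p
 * calls setuid(real uid), which is exactly the uid=501 line in the post. */
const char *classify_ids(uid_t real, uid_t eff, uid_t saved) {
    if (real == 0 && eff == 0 && saved == 0)
        return "fully root: real, effective and saved uid are all 0";
    if (eff == 0)
        return "effective root only: real uid unchanged; bash will drop this unless run with -p";
    if (saved == 0)
        return "root temporarily dropped: effective uid reverted to real, saved uid still 0";
    return "unprivileged: no root uid in the triple";
}

/* Read the current SELinux context from /proc. Returns 0 and fills buf, -1 on error. */
int read_selinux_context(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void) {
    uid_t r, e, s;
    char ctx[256];
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("uid=%u euid=%u suid=%u: %s\n", (unsigned)r, (unsigned)e, (unsigned)s,
           classify_ids(r, e, s));
    if (read_selinux_context(ctx, sizeof ctx) == 0)
        printf("context=%s\n", ctx);   /* e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 */
    else
        printf("context=(SELinux attribute not readable)\n");
    return 0;
}
```

If the triple is reported as "effective root only" inside the wrapper but "unprivileged" inside the script, the shell dropped the privilege and SELinux is not the cause, which matches the advice in this thread to confirm behaviour in permissive mode before blaming policy.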
 
Old 01-06-2012, 01:47 PM
Edward Ned Harvey
 
SELinux newbie help please

> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> bounces@lists.fedoraproject.org] On Behalf Of Alain Williams
>
> I want one user to, on login, run a script setuid root -- it needs to be able to
> read all files in one part of the file system to back that part up to an externally
> mounted USB drive.
>
> I have a small setuid root program (written in C) that just runs the shell script.

This doesn't sound like a selinux thing. It sounds like you should probably just use sudo. You should be able to add the "sudo /path/to/some/script" into your .bash_login or something like that.

Sudo is a setuid root program (written in C) that allows you to run other things as other users. It's highly stable and secure, probably much more reliable and secure than the average homegrown C setuid root program. ;-)

You can configure sudo using the "visudo" command as root. You can configure the behavior you want by adding a line like this:
awilliam ALL=(ALL) NOPASSWD: /path/to/some/script

 
Old 01-09-2012, 11:24 AM
Alain Williams
 
SELinux newbie help please

On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
> > From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> > bounces@lists.fedoraproject.org] On Behalf Of Alain Williams
> >
> > I want one user to, on login, run a script setuid root -- it needs to be able to
> > read all files in one part of the file system to back that part up to an externally
> > mounted USB drive.
> >
> > I have a small setuid root program (written in C) that just runs the shell script.
>
> This doesn't sound like a selinux thing. It sounds like you should probably just use sudo. You should be able to add the "sudo /path/to/some/script" into your .bash_login or something like that.
>
> Sudo is a setuid root program (written in C) that allows you to run other things as other users. It's highly stable and secure, probably much more reliable and secure than the average homegrown C setuid root program. ;-)
>
> You can configure sudo using the "visudo" command as root. You can configure the behavior you want by adding a line like this:
> awilliam ALL=(ALL) NOPASSWD: /path/to/some/script

This is what my workaround is. However: I would like to work out how to do it directly
by writing selinux rules/... - the purpose is as much to teach me how to do things
with selinux as to achieve the end result.

So: back to my original question ....

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
 
Old 01-09-2012, 02:48 PM
Daniel J Walsh
 
SELinux newbie help please


On 01/09/2012 07:24 AM, Alain Williams wrote:
> On Fri, Jan 06, 2012 at 09:47:09AM -0500, Edward Ned Harvey wrote:
>>> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
>>> bounces@lists.fedoraproject.org] On Behalf Of Alain Williams
>>>
>>> I want one user to, on login, run a script setuid root -- it
>>> needs to be able to read all files in one part of the file
>>> system to back that part up to an externally mounted USB
>>> drive.
>>>
>>> I have a small setuid root program (written in C) that just
>>> runs the shell script.
>>
>> This doesn't sound like a selinux thing. It sounds like you
>> should probably just use sudo. You should be able to add the
>> "sudo /path/to/some/script" into your .bash_login or something
>> like that.
>>
>> Sudo is a setuid root program (written in C) that allows you to
>> run other things as other users. It's highly stable and secure,
>> probably much more reliable and secure than the average homegrown
>> C setuid root program. ;-)
>>
>> You can configure sudo using the "visudo" command as root. You
>> can configure the behavior you want by adding a line like this:
>> awilliam ALL=(ALL) NOPASSWD: /path/to/some/script
>
> This is what my workaround is. However: I would like to work out
> how to do it directly by writing selinux rules/... - the purpose is
> as much to teach me how to do things with selinux as to achieve the
> end result.
>
> So: back to my original question ....
>

I would say that there is nothing about SELinux that should block your
access. Since you are logging in as unconfined_t, you should be able
to execute setuid apps. I would make sure your stuff is working with
SELinux in permissive mode, before determining whether SELinux is
blocking access.
 
Old 01-17-2012, 03:12 AM
Edward Ned Harvey
 
SELinux newbie help please

> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> bounces@lists.fedoraproject.org] On Behalf Of Alain Williams
>
> This is what my workaround is. However: I would like to work out how to do
> it directly
> by writing selinux rules/... - the purpose is as much to teach me how to do
> things
> with selinux as to achieve the end result.
>
> So: back to my original question ....

I'm not completely sure I understand your question -
selinux is an additional layer of security, above and beyond the usual posix permission bits and so forth that you normally have.

AFAIK, all selinux can do is to block some things from happening which would have otherwise been permitted by your non-selinux environment.

That being said ... What is it that you wish to block?
With the answer to this question, you can start figuring out what policy you wish to employ.

 