Creating multiple constrained admin roles
-----BEGIN PGP SIGNED MESSAGE-----
On 05/09/2012 10:17 AM, Tim Sheppard wrote:
> I was wondering if it is possible to create a number of admin roles, each
> with limited access to specified admin features, e.g. package management
> only, NIC / Firewall management only, policy management only etc and to
> effectively completely remove the root account as a system wide
> administrator using selinux?
> I have seen mention of Kiosk Users and the SELinux play machine (sadly my
> corporate network does not allow global ssh access) so I believe this is
> entirely possible, but am not entirely sure of the best resources to delve
> into so any pointers would be very welcome.
> Many Thanks,
> This email and any attachments to it may be confidential and are intended
> solely for the use of the individual to whom it is addressed. If you are
> not the intended recipient of this email, you must neither take any action
> based upon its contents, nor copy or show it to anyone. Please contact the
> sender if you believe you have received this email in error. QinetiQ may
> monitor email traffic data and also the content of email for the purposes
> of security. QinetiQ Limited (Registered in England & Wales: Company
> Number: 3796233) Registered office: Cody Technology Park, Ively Road,
> Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. -- selinux mailing
> list email@example.com
Yes this is theoretically possible. The problem is certain domains when run
in as an Evil Admin would be able to break out. For example if you only allow
the packagemaintainer to run rpm, then he will need to transition to rpm_t
which is basically unconfined. He could then write a simple rpm to disable
SELinux and install it. Game over.
"confined admin site:danwalsh.livejournal.com"
You will find lots of blog posts on how to do this.
We ship a webadm_r and logadm_r now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
selinux mailing list