05-09-2012, 02:17 PM
Tim Sheppard

Creating multiple constrained admin roles

Hi,

I was wondering if it is possible to create a number of admin roles,
each with limited access to specified admin features, e.g. package
management only, NIC / Firewall management only, policy management only,
etc., and to effectively completely remove the root account as a system
wide administrator using SELinux?


I have seen mention of Kiosk Users and the SELinux play machine (sadly
my corporate network does not allow global ssh access) so I believe this
is entirely possible, but am not entirely sure of the best resources to
delve into so any pointers would be very welcome.


Many Thanks,

Tim

This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
05-09-2012, 02:36 PM
Daniel J Walsh

Creating multiple constrained admin roles


On 05/09/2012 10:17 AM, Tim Sheppard wrote:
> Hi,
>
> I was wondering if it is possible to create a number of admin roles, each
> with limited access to specified admin features, e.g. package management
> only, NIC / Firewall management only, policy management only etc and to
> effectively completely remove the root account as a system wide
> administrator using selinux?
>
> I have seen mention of Kiosk Users and the SELinux play machine (sadly my
> corporate network does not allow global ssh access) so I believe this is
> entirely possible, but am not entirely sure of the best resources to delve
> into so any pointers would be very welcome.
>
> Many Thanks,
>
> Tim
>

Yes, this is theoretically possible. The problem is that certain domains, when run
as an Evil Admin, would be able to break out. For example, if you only allow
the package maintainer to run rpm, then he will need to transition to rpm_t,
which is basically unconfined. He could then write a simple rpm to disable
SELinux and install it. Game over.

Google

"confined admin site:danwalsh.livejournal.com"

You will find lots of blog posts on how to do this.

We ship a webadm_r and logadm_r now.
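A policy-side check for the break-out Dan describes, added here as an example that is not from this thread: given sesearch-style process-transition rules and each role's authorized types, it computes which domains a confined admin role can actually reach and flags any that are effectively unconfined (rpm_t, unconfined_t). The rule text and role/type sets are constructed sample data modelled on `sesearch --allow -c process -p transition` and `seinfo -r ROLE -x` output, and pkgadm_r/pkgadm_t is a hypothetical package-maintainer role standing in for the one in the thread.

```python
import re
from collections import deque
# Constructed sample in the shape of `sesearch --allow -c process -p transition`
# output (not from a real policy); pkgadm_t is a hypothetical package-maintainer domain.
SAMPLE_TRANSITIONS = """\
allow webadm_t httpd_t:process transition;
allow logadm_t logrotate_t:process transition;
allow pkgadm_t rpm_t:process { transition };
allow rpm_t rpm_script_t:process { transition };
allow rpm_t unconfined_t:process { transition };
allow httpd_t httpd_sys_script_t:process transition;
"""
# Constructed role -> authorized types, modelled on `seinfo -r ROLE -x` output.
SAMPLE_ROLE_TYPES = {
    "webadm_r": {"webadm_t", "httpd_t", "httpd_sys_script_t"},
    "logadm_r": {"logadm_t", "logrotate_t"},
    "pkgadm_r": {"pkgadm_t", "rpm_t", "rpm_script_t", "unconfined_t"},
}
# Domains the thread calls "basically unconfined": reaching one ends the confinement.
ESCAPE_DOMAINS = {"rpm_t", "unconfined_t"}
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):process\s+\{?\s*transition\s*\}?;")

def parse_transitions(text):
    """Map source domain -> set of target domains it may transition into."""
    edges = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            edges.setdefault(m.group(1), set()).add(m.group(2))
    return edges

def reachable_domains(role, entry_domain, edges, role_types):
    """Breadth-first walk over transitions; a target outside the role's
    authorized types fails the role check, so that edge is not followed."""
    allowed = role_types[role]
    seen, queue = {entry_domain}, deque([entry_domain])
    while queue:
        for dst in edges.get(queue.popleft(), ()):
            if dst in allowed and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def escape_domains(role, entry_domain, edges, role_types):
    """Unconfined-equivalent domains the role can reach (empty set means confined)."""
    return reachable_domains(role, entry_domain, edges, role_types) & ESCAPE_DOMAINS
```

Run against real output from `sesearch` and `seinfo` the same way: any role for which `escape_domains` is non-empty is only confined on paper.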