SELinux best practices

Dominick Grift domg472 at gmail.com
Thu Feb 4 10:49:32 UTC 2010


On 02/04/2010 11:22 AM, Leif Thuresson wrote:
> Is there a "recommended" way to set up access for privileged admin tasks with sudo?
> In Dominick Grift's blog article
> http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newrole.html
> the user assigned the webadm_r role gets sudo access with match "ALL", so in this example you trust SELinux solely to protect the system from unauthorized access.
> Is this the way you would normally do it on a production machine?
> If you make the sudoers rules more specific for the actual commands the admin user needs to run, you will gain some initial lock-down from sudo, but at the expense of the sudoers file requiring significantly more maintenance.
> Administrators generally like scripting to automate tasks, but by allowing a sub-admin to run a shell with uid=0 we are again left with only SELinux to prevent unauthorized access.
> Is the general feeling that SELinux in, say, Fedora 12 is mature enough that we can trust it to protect the system from unauthorized access if we allow sub-administrators to run scripts as uid=0?
> I see that support for capabilities on files has finally found its way into Fedora 12. Is that something that is being used to achieve some sort of middle ground between the two alternatives I listed above?

If you can achieve your goal with a tighter sudo configuration, then by
all means use that.

With regard to your other questions, I will be interested in what others'
opinions on this are.

> /Leif
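To make the two alternatives Leif describes concrete, here is an added sudoers fragment (not from the thread or from the blog post it cites) showing the "ALL" rule beside a command-specific one for a web sub-administrator. The user name webadm, the group webadmins, the type webadm_t, and the Fedora 12 paths for httpd are assumptions; the ROLE=/TYPE= tags need a sudo built with SELinux support.

```sudoers
# Added example, not the thread's own configuration.
# Assumed names: user "webadm", group "webadmins", SELinux role webadm_r
# and type webadm_t; paths assume a Fedora 12 httpd install.
# Check syntax before installing: visudo -c -f /etc/sudoers.d/webadm

# --- Variant 1: "ALL". sudo hands out every command as root, so the
#     SELinux domain webadm_t is the only thing still confining the user.
webadm   ALL=(root) ROLE=webadm_r TYPE=webadm_t  ALL

# --- Variant 2: enumerate the tasks the admin actually needs. sudo now
#     provides a first layer of lock-down before SELinux is consulted,
#     at the cost of maintaining these aliases as the job changes.
Cmnd_Alias WEB_SVC  = /sbin/service httpd start, /sbin/service httpd stop, \
                      /sbin/service httpd restart, /sbin/service httpd reload, \
                      /usr/sbin/apachectl configtest
# Fixed arguments rather than wildcards: a "*" in a sudoers argument also
# matches spaces, so "tail /var/log/httpd/*" would accept extra arguments.
Cmnd_Alias WEB_LOGS = /usr/bin/tail -n 200 /var/log/httpd/error_log, \
                      /usr/bin/tail -n 200 /var/log/httpd/access_log
# sudoedit edits a copy as the invoking user and installs it as root,
# so the editor itself never runs with uid 0.
Cmnd_Alias WEB_EDIT = sudoedit /etc/httpd/conf/httpd.conf, \
                      sudoedit /etc/httpd/conf.d/ssl.conf

# Shells, interpreters and admin scripts are deliberately absent: an entry
# such as /bin/bash or /usr/bin/python is equivalent to ALL, which is
# exactly the "scripts as uid=0" case where only SELinux is left.
%webadmins ALL=(root) ROLE=webadm_r TYPE=webadm_t  WEB_SVC, WEB_LOGS, WEB_EDIT
```

In both variants the SELinux transition to webadm_t still applies, so Variant 2 layers sudo's command list on top of the policy rather than replacing it.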

