selinux policy UBAC question

Roberto Sassu roberto.sassu at polito.it
Mon Oct 25 15:06:05 UTC 2010 

On Monday, October 25, 2010 04:27:22 pm Dominick Grift wrote:
> On Mon, Oct 25, 2010 at 02:45:54PM +0200, Roberto Sassu wrote:
> > Hi all
> > 
> > i'm using the selinux policy shipped with Fedora 13 and UBAC turned on.
> > I removed the unconfined package and i noted the unconfined_t domain with
> > unconfined_u user is unable to access a file with another selinux user.
> > I tried to build a custom module which contains the line:
> > 
> > ubac_process_exempt(unconfined_t)
> 
> like it says this only exempts the callers access to processes
> 
> in the sysadm module this is added:
> 
> ubac_process_exempt(sysadm_t)
> ubac_file_exempt(sysadm_t)
> ubac_fd_exempt(sysadm_t)
> 
> That should pretty much exempt the caller.
> Note though that ubac has issues, i am not sure how much issues in fedora but in normal refpolicy the *_admins do not work because you want to start services as system_u else unpriv users wont be ableto access resources. There is no way to change to system_u unless i guess you use runcon.

I'm using the UBAC feature in order to identify the combination of user/program that is allowed to acces a specific label. UBAC permits to implement this access control model by
using the policy for the user_t domain and assigning a selinux user to each user in the platform.
My target is to have an usable system and it seems that the ubac is not yet ready to be used in desktop platforms.
Another solution is to create different user domains by using the proper template. There are other alternatives in order to implement this access control model?
Thanks.

> 
> That brings us to the second issue that is that you probably want to build policy with sysadm_direct_initrc option enabled. That way to can for example run rpm /yum in the rpm_t domain with system_u. Else it will install files with sysadm_u id and then ubac users cannot access it.
> 
> Those two issues were enough reason for me to turn it of. (especially not being able to use the *_admins.
> 
> 
> > 
> > but this does not solve the issue. How do i configure the policy to allow some
> > domains to circumvent the UBAC enforcement?
> > Thanks in advance for replies.
> > 
> > Roberto Sassu
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>

More information about the selinux mailing list