[PATCH 1/5] adding seadmin support

Dominick Grift dominick.grift at gmail.com
Mon Nov 11 13:06:53 UTC 2013


On Fri, 2013-11-08 at 14:35 -0200, Leonidas Da Silva Barbosa wrote:
> On Fri, Nov 08, 2013 at 02:07:14PM +0100, Dominick Grift wrote:
> > On Fri, 2013-11-08 at 09:28 -0200, Leonidas Da Silva Barbosa wrote:
> > 
> > > 
> > > > The idea is nice, but a admin could script this up in a heartbeat
> > > >
> > > I agree, but the idea is make this more visible. Today we know we have
> > > admin role, but to reach that some steps are needed. Putting it into a tool gives
> > > some highlight to the use of admin roles and user admins IMHO.
> > 
> > There are probably more effective ways to make it visible
> >
> 
> I can agree, but it's also about have a tool/supporting it. Anyway, I'm
> trying to understand if it is a good idea to keep with this efforts to
> support it or not. I still believe it is a good approach to support admin roles
> creation, also to implements an 'isolation admins' environment, but I'm
> totally open for thoughts and ideas about why don't put it or better
> approaches to put it.
> 

I wrote a simple bash script that creates SELinux confined admins.

I didn't bother to add any sanity checking or call commands with paths or
anything like that.

Was just playing:

> #!/bin/bash --
> 
> # Referencing an unset variable is a fatal error (same as shopt -s -o nounset).
> set -o nounset
> 
> # Script name as shown in diagnostics: $0 without its directory part.
> SCRIPT=${0##*/}
> readonly SCRIPT
> export SCRIPT
> 
> # Filled in by the option parser; all three are required.
> USER_PREFIX=
> ROLE_PREFIX=
> INTERFACE_PREFIX=
> 
> # Feature switches; set to the literal words SU / SUDO / GUI when enabled.
> SU=
> SUDO=
> GUI=
> 
> # List, sorted and one per line, the service prefixes that ship an
> # <prefix>_admin() interface in the policy development headers.
> # Globals:   none
> # Outputs:   prefixes on stdout (grep's own diagnostics go to stderr)
> interface_prefixes() {
>         local -r include_dir=/usr/share/selinux/devel/include/
>         # Field 8 of the slash-separated "path:line" grep output is
>         # "<file>:<matched line>"; the prefix is the text after the opening
>         # backtick, up to the first underscore (i.e. before "_admin").
>         grep -r "_admin',\`" "$include_dir" \
>           | awk -F "/" '{ split($8, by_tick, "`"); split(by_tick[2], by_us, "_"); print by_us[1] }' \
>           | sort
> }
> 
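> # Start a new policy module whose user domain comes from
> # userdom_restricted_user_template.
> # Arguments: $1 - user prefix; module name and template prefix
> # Outputs:   overwrites ./<user_prefix>.te
> user() {
>         local -r prefix=$1
>         # Quoted so a prefix containing whitespace or glob characters is
>         # still a single redirection target rather than extra cat operands.
>         cat > "${prefix}.te" << EOF
> policy_module(${prefix}, 1.0.0)
> userdom_restricted_user_template(${prefix})
> EOF
> }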
> 
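> # Start a new policy module whose user domain comes from
> # userdom_unpriv_user_template (selected by --gui).
> # Arguments: $1 - user prefix; module name and template prefix
> # Outputs:   overwrites ./<user_prefix>.te
> gui_user() {
>         local -r prefix=$1
>         # Quoted: the file name must stay one word whatever the prefix holds.
>         cat > "${prefix}.te" << EOF
> policy_module(${prefix}, 1.0.0)
> userdom_unpriv_user_template(${prefix})
> EOF
> }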
> 
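> # Append the sudo role template for the user to its policy module.
> # NOTE: this function shadows the sudo(8) command for the rest of this
> # script; nothing in the script calls the real binary.
> # Arguments: $1 - user prefix
> # Outputs:   appends to ./<user_prefix>.te
> sudo() {
>         local -r prefix=$1
>         cat >> "${prefix}.te" <<EOF
> sudo_role_template(${prefix}, ${prefix}_r, ${prefix}_t)
> EOF
> }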
> 
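> # Append the su role template plus the newrole grant to the user's module.
> # NOTE: shadows the su(1) command for the rest of this script; nothing in
> # the script calls the real binary. The (prefix, type, role) argument order
> # differs from sudo_role_template above and is kept as originally written.
> # Arguments: $1 - user prefix
> # Outputs:   appends to ./<user_prefix>.te
> su() {
>         local -r prefix=$1
>         cat >> "${prefix}.te" <<EOF
> su_role_template(${prefix}, ${prefix}_t, ${prefix}_r)
> seutils_run_newrole(${prefix}_t, ${prefix}_r)
> EOF
> }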
> 
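> # Append the admin role's base user domain and a role-allow rule from the
> # user's role to it.
> # Arguments: $1 - user prefix (selects the .te file to append to)
> #            $2 - role prefix (userdom_base_user_template prefix)
> # Outputs:   appends to ./<user_prefix>.te
> role() {
>         local -r user_prefix=$1
>         local -r role_prefix=$2
>         cat >> "${user_prefix}.te" << EOF
> userdom_base_user_template(${role_prefix})
> allow ${user_prefix}_r ${role_prefix}_r;    
> EOF
> }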
> 
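> # Append an optional_policy() block that calls one service's *_admin
> # interface for the admin role's domain and role.
> # Arguments: $1 - user prefix (selects the .te file to append to)
> #            $2 - role prefix (<prefix>_t, <prefix>_r are passed to _admin)
> #            $3 - service interface prefix; optional, defaults to the
> #                 global loop variable "interface" set by the caller
> # Outputs:   appends to ./<user_prefix>.te
> interface() {
>         local -r user_prefix=$1
>         local -r role_prefix=$2
>         # Explicit third argument preferred; the global fallback keeps the
>         # existing two-argument callers working (and still trips nounset
>         # when neither is available).
>         local -r service=${3:-$interface}
>         cat >> "${user_prefix}.te" << EOF
> optional_policy(\`
> ${service}_admin(${role_prefix}_t, ${role_prefix}_r)
> ')
> EOF
> }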
> 
> # Called with no arguments at all: point at --help rather than do nothing.
> if (( $# == 0 )) ; then
>         printf "%s\n" "Type --help for help."
>         exit 192
> fi
> 
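> # Parse the command line. Diagnostics go to stderr with a constant printf
> # format; SCRIPT (derived from $0) is passed as an argument so a '%' in
> # the script's file name can never be read as a conversion specifier.
> while [ $# -gt 0 ] ; do
>     case "$1" in
>         -h | --help)
>             printf "%s\n" "$SCRIPT - Generate SELinux confined administrators"
>             printf "%s\n" ""
>             printf "%s\n" "-h | --help                                 Display this help message"
>             printf "%s\n" "-l | --list                                 List service interface prefixes"
>             printf "%s\n" "-r | --role [role_prefix]                   Role prefix"
>             printf "%s\n" "-u | --user [user_prefix]                   User prefix"
>             printf "%s\n" "-i | --interface [interface_prefix,(...)]   Service interface prefix"
>             printf "%s\n" ""
>             printf "%s\n" "--su                                        Enable SU for user"
>             printf "%s\n" "--sudo                                      Enable SUDO for user"
>             printf "%s\n" "--gui                                       User GUI support"
>             exit 0
>             ;;
>         -l | --list )
>             interface_prefixes
>             exit 0
>             ;;
>         -r | --role ) shift
>             # Value-taking switches consume the next word; refuse to run
>             # off the end of the argument list.
>             if [ $# -eq 0 ] ; then
>                 printf "%s:%s: %s\n" "$SCRIPT" "$LINENO" "Role prefix is missing" >&2
>                 exit 192
>             fi
>             ROLE_PREFIX="$1"
>             ;;
>         -u | --user ) shift
>             if [ $# -eq 0 ] ; then
>                 printf "%s:%s: %s\n" "$SCRIPT" "$LINENO" "User prefix is missing" >&2
>                 exit 192
>             fi
>             USER_PREFIX="$1"
>             ;;
>         -i | --interface ) shift
>             if [ $# -eq 0 ] ; then
>                 printf "%s:%s: %s\n" "$SCRIPT" "$LINENO" "Interface prefix is missing" >&2
>                 exit 192
>             fi
>             INTERFACE_PREFIX="$1"
>             ;;
>         --su )
>             SU=SU
>             ;;
>         --sudo )
>             SUDO=SUDO
>             ;;
>         --gui )
>             GUI=GUI
>             ;;
>         # Unknown switch; must stay before the catch-all below.
>         -* ) printf "%s:%s: %s\n" "$SCRIPT" "$LINENO" "switch $1 not supported" >&2
>             exit 192
>             ;;
>         * ) printf "%s:%s: %s\n" "$SCRIPT" "$LINENO" "extra argument or missing switch" >&2
>             exit 192
>             ;;
>     esac
>     shift
> done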
> 
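> # All three prefixes are required. Each one is later used verbatim as an
> # SELinux identifier (<prefix>_t, <prefix>_r, <prefix>_u), as a file name
> # (<prefix>.te, <prefix>_u, <prefix>_setup.sh) and, inside the generated
> # root-run setup script, as a Linux user name and as a path component
> # under /etc/sudoers.d. Restrict them to identifier characters so a value
> # containing "/" or whitespace cannot reach any of those uses. The
> # interface prefix is a comma-separated list of such identifiers.
> readonly PREFIX_RE='^[A-Za-z_][A-Za-z0-9_]*$'
> readonly PREFIX_LIST_RE='^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$'
> 
> if [ -z "$ROLE_PREFIX" ] ; then
>         printf "%s\n" "Role prefix missing" >&2
>         exit 192
> fi
> if ! [[ "$ROLE_PREFIX" =~ $PREFIX_RE ]] ; then
>         printf "%s\n" "Role prefix may contain only letters, digits and underscores" >&2
>         exit 192
> fi
> 
> if [ -z "$USER_PREFIX" ] ; then
>         printf "%s\n" "User prefix missing" >&2
>         exit 192
> fi
> if ! [[ "$USER_PREFIX" =~ $PREFIX_RE ]] ; then
>         printf "%s\n" "User prefix may contain only letters, digits and underscores" >&2
>         exit 192
> fi
> 
> if [ -z "$INTERFACE_PREFIX" ] ; then
>         printf "%s\n" "Interface prefix missing" >&2
>         exit 192
> fi
> if ! [[ "$INTERFACE_PREFIX" =~ $PREFIX_LIST_RE ]] ; then
>         printf "%s\n" "Interface prefix must be a comma-separated list of letters, digits and underscores" >&2
>         exit 192
> fi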
> 
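> # Start the policy module. --gui selects gui_user
> # (userdom_unpriv_user_template), otherwise user
> # (userdom_restricted_user_template). [[ ]] replaces the deprecated
> # "-a" test operator; arguments are quoted.
> if [[ -n "$USER_PREFIX" && "$GUI" == "GUI" ]] ; then
>         gui_user "$USER_PREFIX"
> elif [[ -n "$USER_PREFIX" && "$GUI" == "" ]] ; then
>         user "$USER_PREFIX"
> else
>         # Not reachable once USER_PREFIX has been checked and GUI is
>         # either empty or "GUI"; kept as a defensive guard.
>         echo "Unhandled exception"
>         exit 192;
> fi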
> 
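> # Optional sudo / su role templates (the script's own sudo() and su()
> # functions, not the system commands).
> if [[ "$SUDO" == "SUDO" ]] ; then
>         sudo "$USER_PREFIX"
> fi
> 
> if [[ "$SU" == "SU" ]] ; then
>         su "$USER_PREFIX"
> fi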
> 
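> # Admin role domain plus the role-allow rule from the user's role.
> if [[ -n "$ROLE_PREFIX" ]] ; then
>         role "$USER_PREFIX" "$ROLE_PREFIX"
> fi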
> 
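> # Check every requested service prefix against the *_admin interfaces
> # found in the policy headers before emitting anything for it. The match
> # is an exact line match (-x -F): a plain substring match would accept
> # "a" because "apache" exists and then emit a_admin(), which does not.
> if [[ -n "$INTERFACE_PREFIX" ]] ; then
> 
>         # Commas become spaces so the unquoted expansions below split into
>         # one service prefix per iteration.
>         INTERFACE_PREFIX=${INTERFACE_PREFIX//,/ }
>         # Scan the headers once rather than once per prefix.
>         available=$(interface_prefixes)
> 
>         # shellcheck disable=SC2086 — word-splitting is intended here
>         for interface in $INTERFACE_PREFIX; do
>                 if ! grep -qxF -- "$interface" <<< "$available" ; then
>                         printf "%s\n" "Interface prefix unavailable" >&2
>                         rm -f -- "${USER_PREFIX}.te"
>                         exit 192
>                 fi
>         done
> fi
> 
> # shellcheck disable=SC2086 — word-splitting is intended here
> for interface in $INTERFACE_PREFIX; do
>     interface "$USER_PREFIX" "$ROLE_PREFIX"
> done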
> 
> cat >> ${USER_PREFIX}.te <<EOF
> gen_user(${USER_PREFIX}_u, user, ${USER_PREFIX}_r ${ROLE_PREFIX}_r, s0, s0 - mls_systemhigh, mcs_allcats)
> EOF
> 
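> # Default-context file for the new SELinux user. The two variants only
> # differ by the trailing xdm_t line, so write the common part once and
> # append that line for --gui; the output is byte-identical to before.
> if [[ -n "$USER_PREFIX" && ( "$GUI" == "GUI" || "$GUI" == "" ) ]] ; then
>     cat > "${USER_PREFIX}_u" <<EOF
> ${USER_PREFIX}_r:${USER_PREFIX}_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> system_r:local_login_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> system_r:sshd_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> EOF
>     if [[ "$GUI" == "GUI" ]] ; then
>         cat >> "${USER_PREFIX}_u" <<EOF
> system_r:xdm_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> EOF
>     fi
> else
>         # Not reachable once USER_PREFIX has been checked and GUI is
>         # either empty or "GUI"; kept as a defensive guard.
>         echo "Unhandled exception"
>         exit 192;
> fi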
> 
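> # Extra default contexts for the sudo / su domains, when enabled.
> if [[ "$SUDO" == "SUDO" ]] ; then
>     cat >> "${USER_PREFIX}_u" <<EOF
> ${USER_PREFIX}_r:${USER_PREFIX}_sudo_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> EOF
> fi
> 
> if [[ "$SU" == "SU" ]] ; then
>     cat >> "${USER_PREFIX}_u" <<EOF
> ${USER_PREFIX}_r:${USER_PREFIX}_su_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> EOF
> fi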
> 
> cat > ${USER_PREFIX}_setup.sh <<EOF
> #!/bin/bash --
> 
> if [ \$(whoami) ! = "root" ] ; then
> printf "%s\n" "This needs root"
> exit 192
> fi
> 
> printf "%s\n" "Compiling '${USER_PREFIX}.pp' from '${USER_PREFIX}.te'"
> make -f /usr/share/selinux/devel/Makefile ${USER_PREFIX}.pp
> 
> printf "%s\n" "Installing '${USER_PREFIX}.pp'"
> semodule -i ${USER_PREFIX}.pp
> 
> printf "%s\n" "Copying '${USER_PREFIX}_u' to '/etc/selinux/targeted/contexts/users/'"
> cp ${USER_PREFIX}_u /etc/selinux/targeted/contexts/users/
> 
> printf "%s\n" "Adding a new user called '$USER_PREFIX'"
> useradd $USER_PREFIX
> 
> printf "%s\n" "Associating '$USER_PREFIX' with '${USER_PREFIX}_u'"
> semanage login -a -s ${USER_PREFIX}_u -r s0 $USER_PREFIX
> 
> EOF
> 
> if [ "$SUDO" == "SUDO" ] ; then
>     cat >> ${USER_PREFIX}_setup.sh <<EOF
> printf "%s\n" "Setting up sudo for '$USER_PREFIX'"
> echo "$USER_PREFIX \$HOSTNAME=(root) ALL" > /etc/sudoers.d/$USER_PREFIX
> chmod 0440 /etc/sudoers.d/$USER_PREFIX
> 
> #EOF
> EOF
> fi
> 
> chmod +x ${USER_PREFIX}_setup.sh
> 
> cat > ${USER_PREFIX}_remove.sh <<EOF
> #!/bin/bash --
> 
> if [ \$(whoami) ! = "root" ] ; then
> printf "%s\n" "This needs root"
> exit 192
> fi
> 
> printf "%s\n" "Removing Association of '$USER_PREFIX' with '${USER_PREFIX}_u'"
> semanage login -d -s ${USER_PREFIX}_u -r s0 $USER_PREFIX
> 
> printf "%s\n" "Removing a new user called '$USER_PREFIX'"
> userdel -r $USER_PREFIX
> 
> printf "%s\n" "Uninstalling the '$USER_PREFIX' module"
> semodule -r $USER_PREFIX
> 
> printf "%s\n" "Removing '/etc/selinux/targeted/contexts/users/${USER_PREFIX}_u'"
> rm -f /etc/selinux/targeted/contexts/users/${USER_PREFIX}_u
> 
> EOF
> 
> if [ "$SUDO" == "SUDO" ] ; then
>     cat >> ${USER_PREFIX}_remove.sh <<EOF
> printf "%s\n" "Removing '/etc/sudoers.d/$USER_PREFIX'"
> rm -f /etc/sudoers.d/$USER_PREFIX
> 
> #EOF
> EOF
> fi
> 
> chmod +x ${USER_PREFIX}_remove.sh
> 
> #EOF


