WG: Adoption to Ref-Policy sysadm_t

Daniel J Walsh dwalsh at redhat.com
Mon Mar 31 18:18:53 UTC 2014


Yes, that separation is more used in MLS mode.

Is SELinux config files in MLS Mode.

But if you are trying to stop an evil admin, I believe you will not be
able to get it done.  Removing sysadm privs is kind of difficult and
backwards.  You really want to define what an admin can do, rather than
what they can't.

On 03/31/2014 11:04 AM, Philipp wrote:
>
> Already tried that, but then the user isn’t able to open e.g. the
> /var/log/audit/audit.log. This is also mentioned in the
> sysadm_secadm.te file.
>
> logging_manage_audit_log(sysadm_t)
> logging_manage_audit_config(sysadm_t)
> logging_run_auditctl(sysadm_t, sysadm_r)
> logging_stream_connect_syslog(sysadm_t)
>
> The user is still able to read/write SELinux config files…
>
> *From:* Daniel J Walsh [mailto:dwalsh at redhat.com]
> *Sent:* Monday, 31 March 2014 16:59
> *To:* Philipp; selinux at lists.fedoraproject.org
> <mailto:selinux at lists.fedoraproject.org>
> *Subject:* Re: Adoption to Ref-Policy sysadm_t
>
> Does disabling the sysadm_secadm package give you the separation you need?
>
> semodule -d sysadm_secadm
>
> On 03/31/2014 09:22 AM, Philipp wrote:
>
>     Hi all,
>
>      
>
>     I am trying to adapt the reference policy in a way that the
>     sysadm_t domain isn’t able to open SELinux configuration files or
>     run any related binaries like semanage. My approach was to edit the
>     sysadm.te file and uncomment the related lines in there. Thus far,
>     I haven’t found the right entries:
>
>      
>
>     I looked up with sesearch for the following lines:
>
>      
>
>     sesearch --all -s sysadm_t -t selinux_config_t |
>
>      
>
>     Output:
>
>      
>
>     allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
>     allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
>     allow sysadm_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
>     allow sysadm_t non_security_file_type : chr_file { getattr relabelfrom relabelto } ;
>     allow sysadm_t non_security_file_type : blk_file { getattr relabelfrom relabelto } ;
>     allow sysadm_t non_security_file_type : sock_file { getattr relabelfrom relabelto } ;
>     allow sysadm_t non_security_file_type : fifo_file { getattr relabelfrom relabelto } ;
>     allow sysadm_t file_type : filesystem getattr ;
>     allow sysadm_usertype file_type : filesystem getattr ;
>     allow sysadm_t selinux_config_t : dir { getattr search open } ;
>     allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
>     allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;
>     allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
>
>      
>
>      
>
>     I thought that there must be some entries corresponding to the last
>     few lines, but as already mentioned I haven’t found any in the
>     rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm*
>     files.
>
>      
>
>     What am I doing wrong, or where do I have to change something?
>
>      
>
>     Thank you in advance!
>
>
>
>     --
>
>     selinux mailing list
>
>     selinux at lists.fedoraproject.org <mailto:selinux at lists.fedoraproject.org>
>
>     https://admin.fedoraproject.org/mailman/listinfo/selinux
>
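To make sense of the sesearch output quoted in this thread, here is an added Python example (not from the thread, and not refpolicy or setools code) that parses allow rules in the form sesearch prints them and keeps only the rules whose source and target names actually contain the pair being asked about. The sample rules are constructed from the ones quoted above. The attribute memberships in TYPE_ATTRS are assumptions taken from refpolicy conventions (sysadm_t carries the sysadm_usertype attribute; selinux_config_t is declared with files_security_file(), which makes it a security_file_type rather than a non_security_file_type); on a real system replace them with what `seinfo -x` reports for each type on the loaded policy.

```python
import re

# sesearch --allow output, constructed from the rules quoted in this thread.
SESEARCH_OUTPUT = """\
allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow sysadm_t file_type : filesystem getattr ;
allow sysadm_usertype file_type : filesystem getattr ;
allow sysadm_t selinux_config_t : dir { getattr search open } ;
allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;
allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
"""

# Attribute membership per type, as `seinfo -x` would print it.  ASSUMED here
# from refpolicy conventions; replace with the real output of your policy.
# Note: selinux_config_t is declared via files_security_file(), so it is a
# security_file_type and does NOT carry non_security_file_type.
TYPE_ATTRS = {
    "sysadm_t": {"sysadm_t", "sysadm_usertype", "domain"},
    "selinux_config_t": {"selinux_config_t", "file_type", "security_file_type"},
}

# allow <src> <tgt> : <class> { p1 p2 ... } ;   or   allow <src> <tgt> : <class> p ;
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_rules(text):
    """Parse sesearch allow lines into (source, target, class, frozenset(perms))."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines, non-allow rules
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def expand(name):
    """All identifiers (the type itself plus its attributes) that name a type."""
    return TYPE_ATTRS.get(name, {name})


def applicable(rules, source, target):
    """Rules whose source and target really cover the (source, target) pair."""
    src_names, tgt_names = expand(source), expand(target)
    return [r for r in rules if r[0] in src_names and r[1] in tgt_names]


def not_applicable(rules, source, target):
    """Rules sesearch printed that do not cover the pair (noise from attribute matching)."""
    src_names, tgt_names = expand(source), expand(target)
    return [r for r in rules if not (r[0] in src_names and r[1] in tgt_names)]


def grants(rules, source, target, cls, perm):
    """The rules that actually grant one permission; tells you which identifier
    (type or attribute) the rule was written against."""
    return [r for r in applicable(rules, source, target) if r[2] == cls and perm in r[3]]


def effective_access(rules, source, target):
    """Effective permissions per object class that source holds on target."""
    access = {}
    for _, _, cls, perms in applicable(rules, source, target):
        access.setdefault(cls, set()).update(perms)
    return access


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    for r in grants(rules, "sysadm_t", "selinux_config_t", "file", "read"):
        print("file read comes from rule on:", r[0], "->", r[1])
    for cls, perms in sorted(effective_access(rules, "sysadm_t", "selinux_config_t").items()):
        print(cls, sorted(perms))
    print("ignored rules:", len(not_applicable(rules, "sysadm_t", "selinux_config_t")))
```

With the quoted rules, the only thing granting sysadm_t read access to a selinux_config_t file is the rule written against the attribute sysadm_usertype, not against sysadm_t, and the non_security_file_type rules do not apply at all. That is why grepping roles/sysadm* for sysadm_t finds nothing: the rule has to be traced to whatever interface or template is called with sysadm_usertype as its argument. Run the script against real `sesearch --allow -s sysadm_t -t selinux_config_t` output and real `seinfo -x` attribute lists before drawing conclusions on a given policy build.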
