<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes that separation is more used in MLS Mdde. <br>
<br>
Is SELinux config files in MLS Mode.<br>
<br>
But if you are trying to stop an evil admin, I believe you will not
be able to get it done. Removing sysadm privs is kind of difficult
and backwards. You really want to define what an admin can do,
rather then can't.<br>
<br>
<div class="moz-cite-prefix">On 03/31/2014 11:04 AM, Philipp wrote:<br>
</div>
<blockquote cite="mid:03db01cf4cf2$74341280$5c9c3780$@phru.at"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.E-MailFormatvorlage19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Already tried
that, but then the user isn’t able to open e.g the
/var/log/audit/audit.log. This is also mentioned in the
sysadm_secadm.te file. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">logging_manage_audit_log(sysadm_t)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">logging_manage_audit_config(sysadm_t)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">logging_run_auditctl(sysadm_t,
sysadm_r)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">logging_stream_connect_syslog(sysadm_t)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The user is
still able to read/write SELinux config files…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="DE">Von:</span></b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="DE"> Daniel J Walsh [<a moz-do-not-send="true"
href="mailto:dwalsh@redhat.com">mailto:dwalsh@redhat.com</a>]
<br>
<b>Gesendet:</b> Montag, 31. März 2014 16:59<br>
<b>An:</b> Philipp; <a moz-do-not-send="true"
href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<b>Betreff:</b> Re: Adoption to Ref-Policy sysadm_t<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Does disabling
sysadm_secadm package give you the separation you need.<br>
<br>
semodule -d sysadm_secadm<span
style="font-size:12.0pt;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 03/31/2014 09:22 AM, Philipp wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am trying to adopt the reference policy
in a way that the sysadm_t domain isn’t able to open SELinux
configuration files or run any related binaries like
semange. My approach was to edit the sysadm.te file and
uncomment the related lines in there. Thus far, I haven’t
found the right entries:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I looked up with sesearch for the
following lines:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">sesearch --all -s sysadm_t -t
selinux_config_t |<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Output:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">allow sysadm_t non_security_file_type :
file { ioctl read write create getattr setattr lock
relabelfrom relabelto append unlink link rename open } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: dir { ioctl read write create getattr setattr lock
relabelfrom relabelto unlink link rename add_name
remove_name reparent search rmdir open } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: lnk_file { ioctl read write create getattr setattr lock
relabelfrom relabelto append unlink link rename } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: chr_file { getattr relabelfrom relabelto } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: blk_file { getattr relabelfrom relabelto } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: sock_file { getattr relabelfrom relabelto } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t non_security_file_type
: fifo_file { getattr relabelfrom relabelto } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t file_type : filesystem
getattr ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_usertype file_type :
filesystem getattr ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_t selinux_config_t : dir
{ getattr search open } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_usertype selinux_config_t
: file { ioctl read getattr lock open } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_usertype selinux_config_t
: dir { ioctl read getattr lock search open } ;<o:p></o:p></p>
<p class="MsoNormal"> allow sysadm_usertype selinux_config_t
: lnk_file { read getattr } ;<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I thought that there must be some entries
corresponding the last few lines, but as already mentioned I
haven’t found any in the
rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm*
files.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">What I am doing wrong or where do I have
to change something?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you in advance!<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:DE-AT"><br>
<br>
<o:p></o:p></span></p>
<pre>--<o:p></o:p></pre>
<pre>selinux mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:DE-AT"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</body>
</html>