Good morning,
Can anyone steer me in the right direction on this? I'll hopefully have time to work this out this week.
Thank you,
Mark Salowitz
-----Original Message-----
From: Salowitz, Mark A CTR
Sent: Tuesday, October 6, 2020 9:42 AM
To: selinux(a)lists.fedoraproject.org
Subject: Best way to copy and modify existing sysadm_u?
Good morning,
Long time lurker, have an issue I'm trying to sort out. I would like to create a parallel named user to the default sysadm_u and parallel module sysadm_secadm in order to support different tiers of administrative user. My end goal is to have a minimum of two "sysadm_u" type roles, one with the sys/sec role removed to prevent unauthorized policy modification, and one with it implicitly available. For the sake of discussion, I'll call them restricted_sysadm_u and super_sysadm_u.
My plan is (was?) to dump the current policy, change the name for the target profile to either restricted_ or super_, remove anything additional I don't wish restricted_ to perform, add the sysadm_secadm transitions explicitly to super_, and assign them as appropriate to their respective physical users/automation users. I would then remove the sysadm_secadm to close the door on the default ability to modify policy.
I've attempted to extract the CIL policy from the running module and get dozens of repeated lines in the grants, so I tried to extract the sysadm.pp and sysadm_secadm.pp using semodule -E as HLL and have only been able to get them down as far as the .mod file. I have sedismod available, but there doesn't seem to be a straight path to dump the module down to its constituent elements.
Is there an easy way to extract the type enforcement and file contexts from the xyz.mod file?
Is there an easier way to go about doing this without starting from scratch with a clean user?
Is there a shortcut I have completely overlooked?
Thanks very much in advance,
Mark Salowitz
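An added example (not from this thread, and not part of the Fedora policy tooling) showing the "copy, rename, trim" step of the plan above on CIL text. The extraction itself is shown only as comments: `semodule -c -E sysadm` writes `sysadm.cil` from the module store, and `/usr/libexec/selinux/hll/pp` (path as installed on Fedora; verify on your host) converts a `.pp` you already have into CIL. The sample CIL, the user name `restricted_sysadm_u`, and the `clone_cil_user`/`drop_userrole` helpers are constructed for the example. One design point worth keeping in mind: a renamed identity that still maps to `sysadm_r` inherits everything `sysadm_r` can do, so the restricted variant only becomes restrictive once the extra role is dropped from it, or `sysadm_secadm` is removed from the store, as the post already intends.

```shell
#!/bin/sh
# Added example, not code from the thread. It works on CIL text that has
# already been extracted; the extraction needs a populated policy store, so
# it is left as comments to run on the target host:
#   semodule -c -E sysadm                                # sysadm.cil from the store
#   /usr/libexec/selinux/hll/pp sysadm.pp > sysadm.cil   # convert a .pp to CIL

# CIL statements that define an SELinux user identity; the user name is the
# first argument of each of them.
USER_STMTS='user|userrole|userlevel|userrange|userprefix'

# clone_cil_user SRC DST: read CIL on stdin, keep only the statements that
# define SRC, rename SRC to DST, and collapse the repeated lines that a
# module dump often carries (sort -u).
clone_cil_user() {
    src="$1"; dst="$2"
    grep -E "^[[:space:]]*\(($USER_STMTS)[[:space:]]+$src([[:space:]]|\))" \
    | sed -E "s/(^|[^[:alnum:]_])$src([^[:alnum:]_]|\$)/\1$dst\2/g" \
    | sort -u
}

# drop_userrole USER ROLE: remove the (userrole USER ROLE) statement so the
# cloned identity no longer maps to that role.
drop_userrole() {
    user="$1"; role="$2"
    grep -Ev "^[[:space:]]*\(userrole[[:space:]]+$user[[:space:]]+$role[[:space:]]*\)"
}

# Constructed sample standing in for a dumped sysadm.cil. Whether the real
# sysadm_u carries secadm_r depends on the installed policy; the duplicate
# userrole line mimics the repeated lines mentioned in the thread.
SAMPLE_CIL='(user sysadm_u)
(userrole sysadm_u sysadm_r)
(userrole sysadm_u sysadm_r)
(userrole sysadm_u secadm_r)
(userlevel sysadm_u (s0))
(userrange sysadm_u ((s0) (s0 (range c0 c1023))))
(user staff_u)
(userrole staff_u staff_r)
(roleattributeset cil_gen_require sysadm_r)'

# Demo: build the restricted identity without the secadm_r mapping.
printf '%s\n' "$SAMPLE_CIL" \
    | clone_cil_user sysadm_u restricted_sysadm_u \
    | drop_userrole restricted_sysadm_u secadm_r
```

The output is a fragment, not a loadable module: wrap it in a `(block ...)` or a standalone `.cil` file that also declares any roles it references before handing it to `semodule -i`, and keep the `staff_u` lines out of it, which the filter already does.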