-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2013 02:28 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
We need to constrain a tomcat escalated root user from executing
"useradd"
and "semanage" commands on RHEL6.
Can we add a SELinux constraint policy to achieve the same?
A tomcat escalated root user (I.e when a "tomcat" user escalates to the
"root" user on the system) has the following security context
uid=0(*root*) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:*tomcatd_t*:SystemLow-SystemHigh
The logic of this constraint should be be as follows..
If id="root" and source type="tomcatd_t"
Then disallow domain transition to both "useradd_/exec_t" as well as
"semanage_/exec_t"
1. Is this something doable through an SELinux constrain policy. 2. If so
what should be the syntax of the policy.
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
This is a type enforcement issue not a constraint issue. tomcatd can be
prevented from running useradd_t regardless of its UID, and more importantly
should not be allowed to write /etc/passwd (etc_t) or /etc/shadow (shadow_t).
No constraint needed to do this. Just don't allow t to write etc_t and shadow_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlIl04QACgkQrlYvE4MpobPlFACfQLOx5tnOBAyVCgvocPUuzkgE
viEAn1q6SZ9AWu+BtMEkIhKbpfNODg9W
=X9Ks
-----END PGP SIGNATURE-----