-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2013 01:00 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Daniel,
> We still need tomcat to be able to run useradd and semanage command.
> Tomcat context is uid=502(tomcat) gid=502(tomcat)
> groups=500(sftpuser),501(platform),502(tomcat),505(informix),
> 506(ccmbase),509(ccmsyslog),575(download)
> context=system_u:system_r:tomcatd_t:SystemLow-SystemHigh
> However we do not want this capability for a "tomcat escalated root" user.
> So we need to differentiate between a "tomcat escalated root" and the
> "tomcat" users here. We do not want the "tomcat escalated root user" to
> execute useradd and semanage commands but the tomcat "user" still needs
> that capability.
> Is this doable through type enforcement?
> Thanks, Anamitra
Well you would have two different types.
tomcat_t and tomcat_root_t
SELinux knows nothing about UID. It knows a little about capabilities.
And why should the non root user be allowed to execute semanage and useradd?
BTW Both users are allowed to execute those commands but neither is allowed to
manipulate /etc/passwd, or /etc/shadow or /etc/selinux/*
> On 9/3/13 5:18 AM, "Daniel J Walsh" <dwalsh(a)redhat.com> wrote:
>> On 09/03/2013 02:28 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> We need to constrain a tomcat escalated root user from executing
>>> "useradd" and "semanage" commands on RHEL6.
>>>
>>> Can we add a SELinux constraint policy to achieve the same?
>>>
>>> A tomcat escalated root user (I.e when a "tomcat" user escalates to
>>> the "root" user on the system) has the following security context
>>>
>>> uid=0(*root*) gid=0(root)
>>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>> context=system_u:system_r:*tomcatd_t*:SystemLow-SystemHigh
>>>
>>> The logic of this constraint should be as follows..
>>>
>>> If id="root" and source type="tomcatd_t"
>>>
>>> Then disallow domain transition to both "useradd_/exec_t" as well as
>>> "semanage_/exec_t"
>>>
>>> 1. Is this something doable through an SELinux constraint policy.
>>> 2. If so what should be the syntax of the policy.
>>>
>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>> This is a type enforcement issue not a constraint issue. tomcatd can be
>> prevented from running useradd_t regardless of its UID, and more
>> importantly should not be allowed to write /etc/passwd (etc_t) or
>> /etc/shadow (shadow_t).
>> No constraint needed to do this. Just don't allow t to write etc_t and
>> shadow_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlImIbEACgkQrlYvE4MpobPzhgCfRYkoZj7mWpSbSaTvCEVeZ1PJ
RpEAn2uGyz33KVZ5hMls6nT0nJf+Ayag
=IGMe
-----END PGP SIGNATURE-----
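Added example, not part of the thread above and not Red Hat's or the reference policy's own module: a sketch of the "two different types" approach in reference-policy style for RHEL6, using the names Daniel suggests (tomcat_t for the service, tomcat_root_t for the escalated shell). The thread's actual running domain is tomcatd_t from the distribution policy; the module name, tomcat_root_exec_t, and the idea that the escalation happens by executing one labelled wrapper are assumptions made here for illustration, and the uid/setuid side of the escalation (sudo or su have their own domains) is not covered. The interfaces referenced (useradd_domtrans, seutil_domtrans_semanage, init_daemon_domain, domain_auto_trans) are existing reference-policy interfaces and macros.

```selinux
policy_module(tomcat_split, 1.0)

########################################
# Declarations (type names are assumed for this example)

gen_require(`
	type etc_t, shadow_t;
	type useradd_exec_t, semanage_exec_t;
')

# Domain the Tomcat service runs in (tomcatd_t in the distribution policy).
type tomcat_t;
type tomcat_exec_t;
init_daemon_domain(tomcat_t, tomcat_exec_t)

# Separate domain for the "escalated root" shell.  Hypothetical wiring:
# the escalation wrapper is labelled tomcat_root_exec_t and tomcat_t
# lands in tomcat_root_t when it executes that wrapper.
type tomcat_root_t;
type tomcat_root_exec_t;
domain_type(tomcat_root_t)
domain_entry_file(tomcat_root_t, tomcat_root_exec_t)
role system_r types tomcat_root_t;
domain_auto_trans(tomcat_t, tomcat_root_exec_t, tomcat_root_t)

########################################
# tomcat_t keeps the capability the thread asks for: it may transition
# into useradd_t and semanage_t through the distribution's interfaces.
useradd_domtrans(tomcat_t)
seutil_domtrans_semanage(tomcat_t)

########################################
# tomcat_root_t gets no such rules.  Type enforcement is default-deny,
# so the restriction is simply the absence of any allow rule here;
# the process's UID (0 or 502) never enters into the decision.

# Optional guard rail making the intent explicit for both domains:
# neither may modify etc_t or shadow_t, and the escalated domain may
# not even execute the useradd/semanage binaries.  neverallow is only
# checked at build time when expand-check=1 in /etc/selinux/semanage.conf.
neverallow { tomcat_t tomcat_root_t } { etc_t shadow_t }:file { write append create unlink rename setattr };
neverallow tomcat_root_t { useradd_exec_t semanage_exec_t }:file { execute execute_no_trans };
```

Build and load with `make -f /usr/share/selinux/devel/Makefile tomcat_split.pp` followed by `semodule -i tomcat_split.pp`, then verify the loaded policy with setools rather than trusting the source: `sesearch -T -s tomcat_root_t -t useradd_exec_t` and `sesearch -A -s tomcat_root_t -t shadow_t -c file -p write` should both print nothing, while `sesearch -T -s tomcat_t -t useradd_exec_t` should show the transition. Once enforced, an escalated shell trying either command produces an AVC denial in /var/log/audit/audit.log with scontext tomcat_root_t, which is the event to alert on.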