Already tried that, but then the user isn’t able to open e.g the /var/log/audit/audit.log. This is also mentioned in the sysadm_secadm.te file.

 

logging_manage_audit_log(sysadm_t)

logging_manage_audit_config(sysadm_t)

logging_run_auditctl(sysadm_t, sysadm_r)

logging_stream_connect_syslog(sysadm_t)

 

 

The user is still able to read/write SELinux config files…

 

Von: Daniel J Walsh [mailto:dwalsh@redhat.com]
Gesendet: Montag, 31. März 2014 16:59
An: Philipp; selinux@lists.fedoraproject.org
Betreff: Re: Adoption to Ref-Policy sysadm_t

 

Does disabling sysadm_secadm package give you the separation you need.

semodule -d sysadm_secadm

On 03/31/2014 09:22 AM, Philipp wrote:

Hi all,

 

I am trying to adopt the reference policy in a way that the sysadm_t domain isn’t able to open SELinux configuration files or run any related binaries like semange. My approach was to edit the sysadm.te file and uncomment the related lines in there. Thus far, I haven’t found the right entries:

 

I looked up with sesearch for the following lines:

 

sesearch --all -s sysadm_t -t selinux_config_t |

 

Output:

 

allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;

   allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;

   allow sysadm_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;

   allow sysadm_t non_security_file_type : chr_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : blk_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : sock_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : fifo_file { getattr relabelfrom relabelto } ;

   allow sysadm_t file_type : filesystem getattr ;

   allow sysadm_usertype file_type : filesystem getattr ;

   allow sysadm_t selinux_config_t : dir { getattr search open } ;

   allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;

   allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;

   allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;

 

 

I thought that there must be some entries corresponding the last few lines, but as already mentioned I haven’t found any in the rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm* files.

 

What I am doing wrong or where do I have to change something?

 

Thank you in advance!



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux