I'm curious why the ypcat cron with a make reload would present its own issues. I guess it must be a security context issue since I'm new to it.
Is there a better alternative to visiting each machine manually and adding the line to /etc/selinux/users (assuming that's where it is on my Fedora Core 2 machine)? I see there's something about local policy changes being placed in /etc/security/selinux/src/policy/domains/misc/. Can I also put a users file in there (or somewhere else)? If so, I suppose I could have a central NFS auto-mounted location for my local users file. So at boot time, I have a nice sane policy (your default which maps all users to user user_u). But when everything is finished booting I have some additional information for my users wherever you tell me to add it. I guess my rc.local would then need to perform a make reload to incorporate this additional information. Would this be an easy and sustainable way to achieve what I want?
Do you have any better ideas? I can't be the only person who wants to do this, can I? I feel like what I'm asking is not unreasonable. Is SELinux intended for single machines working in insecure environments?
Daniel J. Levine Section Supervisor Johns Hopkins University Applied Physics Laboratory 443-778-3952 240-228-3952
-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Thursday, June 10, 2004 9:46 AM
To: fedora-selinux-list@redhat.com
Cc: Levine, Daniel J.; Stephen Smalley
Subject: Re: Getting the user ID in log messages...
On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." Daniel.Levine@jhuapl.edu wrote:
> Thanks, I managed to figure that out from the "Getting Started with SELinux HOWTO" from the adding a user section. For a standalone system, I can see how this is no big deal. Every time I add a user, I add the user to the /etc/selinux/users file. But suppose I have 100 machines, I would need to add it to 100 systems. This is why I use NIS to manage my password and shadow files. I suppose one homegrown solution would be to put /etc/selinux/users into an NIS map (users.byname) and periodically (every half-hour perhaps) have a cron job perform a ypcat users.byname > /etc/selinux/users. Is there a standard map one could use or a PAM module that's aware of such needs?
There is no standard way of doing this. Maybe you will set the standard if you do it first! ;)
Having a cron job automatically generate and load a SE Linux policy has its own issues as well.
> Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a standard mechanism for putting this information into its databases? And if not, should there be one?
Probably there should. But we'll need to get an OID assigned for this.
> Perhaps my problem is simpler to solve than this. All I really need is the user ID of the person who logged in to the system. This identifies whose account was used to perpetrate the illegal access. Could the user ID number and user name be added to the log messages when violations occur?
At the moment no. Maybe this is something for the audit facility rather than SE Linux kernel code.
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
On Thu, 2004-06-10 at 10:50, Levine, Daniel J. wrote:
> I'm curious why the ypcat cron with a make reload would present its own issues. I guess it must be a security context issue since I'm new to it.
crond is typically not authorized to perform such operations in the policy. But even if you were willing to trust crond in this manner, there is the question of the input to crond. Are you just trying to add all of these users and only authorize them for user_r? If so, then that is less of a concern. But if you want to pull user-role authorizations from a NIS map, then you obviously have other trust dependencies, e.g. protection of the server, authentication and integrity protection for the client-server communications, etc.
> If so, I suppose I could have a central NFS auto-mounted location for my local users file. So at boot time, I have a nice sane policy (your default which maps all users to user user_u). But when everything is finished booting I have some additional information for my users wherever you tell me to add it. I guess my rc.local would then need to perform a make reload to incorporate this additional information. Would this be an easy and sustainable way to achieve what I want?
Easy, sustainable, and unsafe, obviously. Compromise of the server or spoofing the server would allow you to inject arbitrary user-role authorizations.
> Do you have any better ideas? I can't be the only person who wants to do this, can I? I feel like what I'm asking is not unreasonable. Is SELinux intended for single machines working in insecure environments?
We have to walk before we can run. Distributed policy management is something that needs to be built for SELinux, but we couldn't get there if we didn't have SELinux at all...
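To make the "only authorize them for user_r" variant discussed above concrete, here is an added shell example; it is not code from any of the posters. It assumes an NIS map such as users.byname whose values are bare login names (a constructed assumption; the thread does not specify the map format) and the monolithic-policy syntax `user NAME roles { ROLE };` for the users file. The cron or rc.local job then never copies network-supplied content into the policy directly: every line is reduced to a validated login name, each name is granted user_r only, and the generated file is re-checked before it replaces the destination, so a tampered or spoofed map cannot hand out sysadm_r or any other role. It does not remove the trust dependency on the NIS server that Stephen points out, it only bounds what a compromised map can do.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes (1) an NIS map such as
# "users.byname" whose values are bare login names, and (2) the monolithic
# policy syntax "user NAME roles { ROLE };" for the users file.
# Whatever arrives from the network is reduced to validated login names,
# and every one of them is authorized for user_r only.

LOGIN_RE='[a-z_][a-z0-9_-]{0,31}'

# Turn a file of login names (e.g. saved "ypcat users.byname" output) into
# user_r-only declarations; malformed and duplicate names are dropped.
gen_user_decls() {
    grep -E "^${LOGIN_RE}\$" "$1" | sort -u |
        sed 's/.*/user & roles { user_r };/'
}

# Succeed only if every line of a candidate users file is a user_r-only
# declaration for a well-formed login name; any other statement (another
# role, an allow rule, a stray character) makes the whole file fail.
validate_users_file() {
    ! grep -Ev "^user ${LOGIN_RE} roles \\{ user_r \\};\$" "$1" >/dev/null
}

# Build the users file atomically: generate, validate, then replace the
# destination. Returns non-zero and leaves the destination untouched if
# validation fails, so nothing partial or unexpected is ever loaded.
build_users_file() {
    tmp=$(mktemp) || return 1
    gen_user_decls "$1" > "$tmp"
    if validate_users_file "$tmp"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Intended use from the periodic job (not executed here); the policy source
# path is the one named in the thread:
#   ypcat users.byname > /var/tmp/nis-users.txt &&
#   build_users_file /var/tmp/nis-users.txt /etc/selinux/users &&
#   make -C /etc/security/selinux/src/policy reload
```

Because `make reload` runs only when `build_users_file` succeeds, a map that contains anything other than plain login names causes the job to stop with the previous users file still in place, which is the safe failure direction for a policy load.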