FC[5|6] strict policy and root

Stephen Smalley sds at tycho.nsa.gov
Tue Oct 24 18:42:36 UTC 2006


On Tue, 2006-10-24 at 14:17 -0400, David Nedrow wrote:
> Has anyone successfully switched from targeted to strict policies  
> under either FC5 or FC6?
> 
> Under FC6, I switched policies and relabeled on a boot. I also booted  
> into permissive mode. From there, I did an audit2allow to generate a  
> list of items I would need to add to my running policy.
> 
> After creating the module and loading it, all of the AVC messages  
> disappear even after a reboot. So, to my way of thinking, everything  
> should be working. However, if I enable enforcement root can log in  
> but not do anything beyond that. Only a reboot with enforcing set to  
> permissive at the grub prompt gets root's login working again. Even
> after that, there are no new AVC messages.
> 
> Does anyone have an idea as to what I'm missing?
> 
> Prior to FC5, I had no problems with the strict policy.

A few observations:
- root is not necessarily all powerful under SELinux; it depends on what
role/domain he has.  What does id show?  root often has to first newrole
-r sysadm_r in order to assume administrative privileges under strict
policy.  To enable other users to assume admin privileges, you will need
to map them to staff_u using semanage so that they can newrole to
sysadm_r and then run su or sudo as appropriate.

- Some AVC denials may not be audited due to dontaudit rules in the
policy.  These rules are to avoid flooding the audit logs with noise
from extraneous access attempts by libraries and applications that are
not truly required for operation.  In the past (before FC5), one could
re-enable all such auditing by rebuilding the policy sources with 'make
clean enableaudit load'.  With the introduction of modular policy in
FC5, you no longer have the full policy sources sitting around (unless
you grab the .src.rpm), so the policy package instead prebuilds an
enableaudit.pp file under /usr/share/selinux/(targeted|strict) that you
can install via semodule -b to re-enable auditing at least in the base
module.  But I don't believe this addresses non-base modules, which is
an issue in a highly modularized policy like strict.

- FC5 strict policy was broken for other reasons (broken
optionals-in-base support in that libsepol and checkpolicy).  That may
get sorted if Dan updates FC5 policy and rebuilds it with the latest
libsepol and checkpolicy.

-- 
Stephen Smalley
National Security Agency
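As an added illustration of the two points in the reply above (it is not code from the thread or from the Fedora policy packages), the script below turns the diagnosis into something checkable: it reads a context string of the kind `id -Z` prints, looks the login up in a table shaped like `semanage login -l` output, and reports whether the missing step is `newrole -r sysadm_r` or a `semanage` mapping to staff_u, and it locates the prebuilt enableaudit.pp so the base module's dontaudit rules can be turned off with `semodule -b`. It only prints the commands an administrator would run next and never changes the system, so it runs on a box without SELinux. The function names and the sample login table are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the "root can log in under
# strict policy but cannot do anything" symptom. Strings in, commands out;
# nothing here modifies the system. Function names and the sample
# `semanage login -l` table are assumptions made for this example.

# Pull one colon-separated field from a context "user:role:type[:level]".
# Field numbers: 1=user 2=role 3=type. The MLS level may itself contain
# colons (s0-s0:c0.c1023), so only fields 1-3 are reliable.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Success when the context already carries the sysadm_r role.
is_sysadm_role() {
    [ "$(ctx_field "$1" 2)" = "sysadm_r" ]
}

# Map a Linux login to its SELinux user using lines in the shape of
# `semanage login -l` output ("login  seuser  range"); fall back to the
# __default__ entry and finally to user_u.
seuser_for_login() {
    found=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$found" ] || found=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "${found:-user_u}"
}

# Decide what is missing: prints "ok", "newrole" or "map_staff_u".
#   $1 = current context (what `id -Z` shows), $2 = login name,
#   $3 = login mapping table.
missing_step() {
    if is_sysadm_role "$1"; then
        echo ok
        return 0
    fi
    case "$(seuser_for_login "$2" "$3")" in
        root|staff_u) echo newrole ;;      # identity may reach sysadm_r
        *)            echo map_staff_u ;;  # identity cannot; map it first
    esac
}

# Turn the diagnosis into the command to run next.
advice() {
    case "$(missing_step "$1" "$2" "$3")" in
        ok)          echo "already in sysadm_r" ;;
        newrole)     echo "newrole -r sysadm_r" ;;
        map_staff_u) echo "semanage login -a -s staff_u $2   # then log in again and newrole -r sysadm_r" ;;
    esac
}

# Locate the prebuilt enableaudit.pp for a policy type so the base module's
# dontaudit rules can be switched off with `semodule -b`.
#   $1 = targeted|strict, $2 = policy tree root (default /usr/share/selinux).
# Non-base modules keep their dontaudit rules either way, as the reply notes.
enableaudit_hint() {
    root=${2:-/usr/share/selinux}
    pp="$root/$1/enableaudit.pp"
    if [ -f "$pp" ]; then
        echo "semodule -b $pp"
    else
        echo "no enableaudit.pp for $1 under $root" >&2
        return 1
    fi
}

# Constructed sample table in the shape of `semanage login -l` (not real data).
SAMPLE_LOGINS='__default__  user_u   s0
root         root     s0-s0:c0.c1023
alice        user_u   s0'

# Demo: walk the situations described in the reply.
for who in 'root:staff_r:staff_t:s0 root' \
           'user_u:user_r:user_t:s0 alice' \
           'root:sysadm_r:sysadm_t:s0 root'; do
    set -- $who
    printf '%-28s %s\n' "$1" "$(advice "$1" "$2" "$SAMPLE_LOGINS")"
done
```

Run it as-is to see the three cases; on a real strict-policy host, feed `advice "$(id -Z)" "$(id -un)" "$(semanage login -l)"` instead of the sample table. The header line that `semanage login -l` prints does not match any login or `__default__`, so it is ignored by the lookup.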
