[PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
KaiGai Kohei
kaigai at ak.jp.nec.com
Fri Apr 9 05:29:54 UTC 2010
(2010/04/08 21:15), Daniel J Walsh wrote:
>
> As Dominick stated, I prefer to think in terms of two different roles:
> Login Roles, and Roles to execute in when you have privileges (i.e. root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role:
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.
The attached patch revises roles/dbadm.te (to be applied against the upstream
reference policy). It uses userdom_base_user_template() instead of
userdom_unpriv_user_template(), and the role should be entered via sudo/newrole.
By default, it intends the dbadm_r role to be entered from the staff_r role.

What I did:
[root at saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
[root at saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
[root at saba ~]# semanage login -a -s ymj_u ymj
[root at saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers
[root at saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u \
/etc/selinux/targeted/contexts/users/ymj_u
[root at saba ~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r
[root at saba ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
ymj                       ymj_u                     s0
[root at saba ~]# ssh ymj at localhost
ymj at localhost's password:
Last login: Fri Apr 9 13:59:32 2010 from localhost
[ymj at saba ~]$ id -Z
ymj_u:staff_r:staff_t:s0
[ymj at saba ~]$ sudo service sepostgresql restart
Stopping sepostgresql service: [ OK ]
Starting sepostgresql service: [ OK ]
[ymj at saba ~]$ ps -AZ | grep sepostgres
ymj_u:system_r:postgresql_t:s0 1171 ? 00:00:01 sepostgres
ymj_u:system_r:postgresql_t:s0 1176 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1177 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1178 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1179 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1180 ? 00:00:00 sepostgres
[ymj at saba ~]$ newrole -r dbadm_r -t dbadm_t
Password:
[ymj at saba ~]$ psql postgres
psql (8.4.3, server 9.0alpha5)
WARNING: psql version 8.4, server version 9.0.
Some psql features might not work.
Type "help" for help.
postgres=> SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------
ymj_u:dbadm_r:dbadm_t:s0
(1 row)
postgres=> CREATE TABLE my_table (a int, b text);
CREATE TABLE
postgres=> SELECT * FROM my_table;
ERROR: SELinux: security policy violation
> Of course you are free to design your own system creating fully login
> admin roles, or creating additional non-admin user roles.
>
>
--
KaiGai Kohei <kaigai at ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm-revise.1.patch
Type: text/x-patch
Size: 1827 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100409/b4a9094c/attachment-0001.bin
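The mail shows the intended end state (ymj logs in as staff_r and reaches dbadm_r only through newrole/sudo) by eye. As an added example, not part of KaiGai's patch or of the reference policy, the Python script below parses the `semanage user -l` and `semanage login -l` listing formats shown above and checks that a login maps to an SELinux user with exactly the expected role set, flagging any unintended privileged role (sysadm_r, unconfined_r). The sample listings and the extra "alice" login are constructed from the mail's output for the purpose of the example; on a real host you would feed it the live command output instead.

```python
"""Verify that an SELinux login is confined to the intended role set.

Added example; not part of the dbadm.te patch or the reference policy.
Parses the listing formats of `semanage user -l` and `semanage login -l`.
"""

# Constructed sample, abbreviated from the `semanage user -l` output in the mail.
SEMANAGE_USER_OUTPUT = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
user_u          user       s0         s0                             user_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r
"""

# Constructed sample from `semanage login -l`; "alice" is an invented login
# mapped to staff_u to show how an over-privileged mapping is reported.
SEMANAGE_LOGIN_OUTPUT = """\
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
ymj                       ymj_u                     s0
alice                     staff_u                   s0-s0:c0.c1023
"""

# Roles that give full administrative reach; a confined login should not hold them.
PRIVILEGED_ROLES = {"sysadm_r", "unconfined_r"}


def parse_semanage_users(text):
    """Return {selinux_user: {"prefix", "level", "range", "roles"}}.

    Data rows have at least five whitespace-separated fields; everything after
    the fourth field is the role list. Header rows are skipped.
    """
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("SELinux", "Labeling"):
            continue
        user, prefix, level, mcs_range = fields[:4]
        users[user] = {"prefix": prefix, "level": level,
                       "range": mcs_range, "roles": set(fields[4:])}
    return users


def parse_semanage_logins(text):
    """Return {login_name: {"seuser", "range"}} from `semanage login -l` output."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "Login":
            continue
        login, seuser, mcs_range = fields
        logins[login] = {"seuser": seuser, "range": mcs_range}
    return logins


def parse_context(ctx):
    """Split a context as printed by `id -Z` into user, role, type and level.

    maxsplit=3 keeps an MCS range such as s0-s0:c0.c1023 intact in the level.
    """
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def audit_login(login, expected_roles, users, logins):
    """Return a list of findings; an empty list means the mapping is as intended."""
    mapping = logins.get(login)
    if mapping is None:
        return [f"no login mapping for {login}"]
    seuser = mapping["seuser"]
    if seuser not in users:
        return [f"{login} maps to unknown SELinux user {seuser}"]
    roles = users[seuser]["roles"]
    findings = []
    for r in sorted(roles - expected_roles):
        findings.append(f"{seuser}: unexpected role {r}")
    for r in sorted(expected_roles - roles):
        findings.append(f"{seuser}: missing role {r}")
    for r in sorted(roles & PRIVILEGED_ROLES):
        findings.append(f"{seuser}: privileged role {r} granted")
    return findings


if __name__ == "__main__":
    users = parse_semanage_users(SEMANAGE_USER_OUTPUT)
    logins = parse_semanage_logins(SEMANAGE_LOGIN_OUTPUT)
    for name, expected in (("ymj", {"dbadm_r", "staff_r", "system_r"}),
                           ("alice", {"staff_r"})):
        result = audit_login(name, expected, users, logins) or ["OK"]
        print(name, "->", "; ".join(result))
    print(parse_context("ymj_u:dbadm_r:dbadm_t:s0")["role"])
```

The check is deliberately strict in both directions: a missing role breaks the intended newrole path, while an extra role (or any role in PRIVILEGED_ROLES) means the "login as confined user, then switch to the admin role" model from the thread has been undermined by the semanage user line.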