SELinux constrain policy for escalated root user

Dominick Grift dominick.grift at gmail.com
Tue Sep 3 07:39:59 UTC 2013


On Tue, 2013-09-03 at 06:28 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> We need to constrain a tomcat escalated root user from executing "useradd" and "semanage" commands on RHEL6.
> 
> Can we add a SELinux constraint policy to achieve the same?
> 
> A tomcat escalated root user (i.e. when a "tomcat" user escalates to the "root" user on the system)
>  has the following security context
> 
> uid=0(root) gid=0(root)
>   groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=system_u:system_r:tomcatd_t:SystemLow-SystemHigh
> 
> The logic of this constraint should be as follows:
> 
> If id="root" and source type="tomcatd_t"
> 
>    Then disallow domain transition to both "useradd_exec_t" as well as "semanage_exec_t"
> 
> 1. Is this something doable through an SELinux constrain policy.
> 2. If so what should be the syntax of the policy.
> --

I do not believe you can use traditional Linux security identifiers
(uid/gid) in policy constrain statements.

> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
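
To make the point concrete, here is the shape of a constrain statement in the kernel policy language. This is an added illustration, not part of the thread and not from any shipped policy. The only operands a constraint expression can test are the fields of the source and target security contexts: user, role and type (u1/r1/t1 and u2/r2/t2), plus the MLS levels in an mlsconstrain; there is no operand for the Linux uid, so the "id=root" half of the requested logic cannot be expressed and the rule necessarily applies to every process in tomcatd_t. The type names are taken from the question, with the assumption that the domains being entered are useradd_t and semanage_t (useradd_exec_t and semanage_exec_t are the entrypoint file types, not the domains a process transitions into).

```selinux
# Added illustration (not from the thread): what a constrain statement can
# and cannot test.
#
# Operands available in a constraint expression:
#   u1 r1 t1   user, role, type of the source context
#   u2 r2 t2   user, role, type of the target context
#   l1 l2 h1 h2  MLS low/high levels (mlsconstrain only)
# There is no operand for the Linux uid/gid.
#
# For class "process", permission "transition", t1 is the current domain
# and t2 is the domain the process is about to enter.  useradd_t and
# semanage_t are assumed to be the domains reached via useradd_exec_t
# and semanage_exec_t; tomcatd_t is the type named in the question.
constrain process transition
    ( t1 != tomcatd_t or t2 != { useradd_t semanage_t } );
```

Two caveats a practitioner would want. Constraints are evaluated in addition to the allow rules and can only take permissions away, so if the policy already grants tomcatd_t no transition into those domains (check with `sesearch -A -s tomcatd_t -t useradd_exec_t -c file -p execute` and `sesearch -T -s tomcatd_t -t useradd_exec_t`), nothing further is needed. And in the legacy module language a constrain statement is accepted only in the base policy, not in a loadable module; CIL does not carry that restriction.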
