SELinux constrain policy for escalated root user
Daniel J Walsh
dwalsh at redhat.com
Tue Sep 3 12:18:12 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2013 02:28 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We need to constrain a tomcat escalated root user from executing "useradd"
> and "semanage" commands on RHEL6.
>
> Can we add a SELinux constraint policy to achieve the same?
>
> A tomcat escalated root user (I.e when a "tomcat" user escalates to the
> "root" user on the system) has the following security context
>
> uid=0(*root*) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=system_u:system_r:*tomcatd_t*:SystemLow-SystemHigh
>
> The logic of this constraint should be be as follows..
>
> If id="root" and source type="tomcatd_t"
>
> Then disallow domain transition to both "useradd_/exec_t" as well as
> "semanage_/exec_t"
>
> 1. Is this something doable through an SELinux constrain policy. 2. If so
> what should be the syntax of the policy.
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
This is a type enforcement issue not a constraint issue. tomcatd can be
prevented from running useradd_t regardless of its UID, and more importantly
should not be allowed to write /etc/passwd (etc_t) or /etc/shadow (shadow_t).
No constraint needed to do this. Just don't allow t to write etc_t and shadow_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIl04QACgkQrlYvE4MpobPlFACfQLOx5tnOBAyVCgvocPUuzkgE
viEAn1q6SZ9AWu+BtMEkIhKbpfNODg9W
=X9Ks
-----END PGP SIGNATURE-----
More information about the selinux
mailing list