Adoption to Ref-Policy sysadm_t

Daniel J Walsh dwalsh at redhat.com
Mon Mar 31 14:58:48 UTC 2014


Does disabling the sysadm_secadm package give you the separation you need?

semodule -d sysadm_secadm

On 03/31/2014 09:22 AM, Philipp wrote:
>
> Hi all,
>
> I am trying to adopt the reference policy in a way that the sysadm_t
> domain isn’t able to open SELinux configuration files or run any
> related binaries like semanage. My approach was to edit the sysadm.te
> file and uncomment the related lines in there. Thus far, I haven’t
> found the right entries.
>
> I looked up with sesearch for the following lines:
>
> sesearch --all -s sysadm_t -t selinux_config_t |
>
> Output:
>
>    allow sysadm_t non_security_file_type : file { ioctl read write create
> getattr setattr lock relabelfrom relabelto append unlink link rename
> open } ;
>
>    allow sysadm_t non_security_file_type : dir { ioctl read write
> create getattr setattr lock relabelfrom relabelto unlink link rename
> add_name remove_name reparent search rmdir open } ;
>
>    allow sysadm_t non_security_file_type : lnk_file { ioctl read write
> create getattr setattr lock relabelfrom relabelto append unlink link
> rename } ;
>
>    allow sysadm_t non_security_file_type : chr_file { getattr
> relabelfrom relabelto } ;
>
>    allow sysadm_t non_security_file_type : blk_file { getattr
> relabelfrom relabelto } ;
>
>    allow sysadm_t non_security_file_type : sock_file { getattr
> relabelfrom relabelto } ;
>
>    allow sysadm_t non_security_file_type : fifo_file { getattr
> relabelfrom relabelto } ;
>
>    allow sysadm_t file_type : filesystem getattr ;
>
>    allow sysadm_usertype file_type : filesystem getattr ;
>
>    allow sysadm_t selinux_config_t : dir { getattr search open } ;
>
>    allow sysadm_usertype selinux_config_t : file { ioctl read getattr
> lock open } ;
>
>    allow sysadm_usertype selinux_config_t : dir { ioctl read getattr
> lock search open } ;
>
>    allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
>
> I thought that there must be some entries corresponding to the last few
> lines, but as already mentioned I haven’t found any in the
> rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm* files.
>
> What am I doing wrong, or where do I have to change something?
>
> Thank you in advance!
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
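
The sesearch listing above is easier to reason about once it is broken down by object class and by which source identifier each permission came through: several of the selinux_config_t rules are granted to the sysadm_usertype attribute rather than to sysadm_t itself, which is why a search of the sysadm*.te files for the type name alone turns up nothing. The script below is an added example, not code from the thread or from the reference policy. It parses sesearch-style allow lines (the sample input is the output Philipp pasted, rejoined onto one line per rule), then summarises what a domain gets on a named target type. It assumes that sysadm_t carries the sysadm_usertype attribute; that membership, like the membership of selinux_config_t in attributes such as file_type, should be confirmed against the loaded policy with seinfo rather than taken from this example. Rules whose target is an attribute (non_security_file_type, file_type) are parsed but deliberately not attributed to selinux_config_t, because the script does not know the attribute's members. Re-running the same sesearch after `semodule -d sysadm_secadm` and feeding the new output to the script shows whether the separation changed.

```python
"""Summarise sesearch-style allow rules for one domain against one target type.

Added example for reading policy output; not part of the reference policy.
"""
import re
from collections import defaultdict

# Constructed sample: the allow rules from the mailing-list post, one rule per line.
SESEARCH_OUTPUT = """\
allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow sysadm_t file_type : filesystem getattr ;
allow sysadm_usertype file_type : filesystem getattr ;
allow sysadm_t selinux_config_t : dir { getattr search open } ;
allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;
allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
"""

# allow <source> <target> : <class> { perm perm ... } ;   or   allow ... : <class> perm ;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Permissions that let a domain change a file, its metadata or its directory entry.
WRITE_PERMS = {"write", "append", "create", "unlink", "link", "rename", "setattr",
               "relabelfrom", "relabelto", "add_name", "remove_name", "rmdir", "reparent"}


def parse_rules(text):
    """Return a list of (source, target, class, permission-set) tuples."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line.strip())
        if not match:
            continue  # not an allow rule (auditallow, dontaudit, blank line, ...)
        src, tgt, cls, perms = match.groups()
        rules.append((src, tgt, cls, set(perms.strip("{}").split())))
    return rules


def summarise(rules, domain, domain_attrs, target):
    """Collect, per object class, the permissions `domain` holds on `target`,
    together with the source identifiers (the domain itself or one of its
    attributes) that granted them. Only rules naming `target` literally count;
    attribute-targeted rules need the attribute's membership, which this
    script does not have."""
    sources = {domain} | set(domain_attrs)
    summary = defaultdict(lambda: {"perms": set(), "via": set()})
    for src, tgt, cls, perms in rules:
        if src in sources and tgt == target:
            summary[cls]["perms"] |= perms
            summary[cls]["via"].add(src)
    return dict(summary)


def can_modify(summary):
    """True if any class in the summary carries a write-style permission."""
    return any(info["perms"] & WRITE_PERMS for info in summary.values())


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    # Assumption for the example: sysadm_t is a member of sysadm_usertype.
    report = summarise(rules, "sysadm_t", ["sysadm_usertype"], "selinux_config_t")
    for cls, info in sorted(report.items()):
        print(f"{cls:9s} via {sorted(info['via'])}: {sorted(info['perms'])}")
    print("write access to selinux_config_t:", can_modify(report))
```

Running it against the sample shows that every permission on selinux_config_t files and symlinks arrives through sysadm_usertype, only the dir rule is granted to sysadm_t directly, and none of the literal selinux_config_t rules carry a write-style permission; whether the attribute-targeted non_security_file_type rules reach selinux_config_t depends on that type's attributes in the loaded policy.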
