Re: FW: Adoption to Ref-Policy sysadm_t
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 31 19:35:09 UTC 2014
Fedora policy is more complete. We list all of the SELinux policy config
types as security files:
grep files_security_file selinuxutil.te
files_security_file(selinux_config_t)
files_security_file(selinux_login_config_t)
files_security_file(default_context_t)
files_security_file(file_context_t)
files_security_file(semanage_store_t)
On 03/31/2014 03:25 PM, Philipp wrote:
>
> Yes, config/SELinux is in MLS mode. Currently running with my
> self-compiled one.
>
> I know that it is not possible to really stop such an admin, but I want
> to make it more difficult to attack the system. It also shouldn’t be
> possible to change file contexts (from a special directory), but that
> would be the next step…
>
> Do you have any hints where to search for those rules (discussed
> before) or why do they get generated even if I comment out the rules
> in sysadm.te?
>
> I commented out the following entries in sysadm.te:
>
> #optional_policy(`
> #	secadm_role_change(sysadm_r)
> #')
>
> #optional_policy(`
> #	seutil_run_setfiles(sysadm_t, sysadm_r)
> #	seutil_run_runinit(sysadm_t, sysadm_r)
> #')
>
> Those are the most appropriate entries…
>
> Thanks!
>
> *From:* Daniel J Walsh [mailto:dwalsh at redhat.com]
> *Sent:* Monday, 31 March 2014 20:19
> *To:* Philipp; selinux at lists.fedoraproject.org
> *Subject:* Re: FW: Adoption to Ref-Policy sysadm_t
>
> Yes, that separation is more used in MLS mode.
>
> Are the SELinux config files in MLS mode?
>
> But if you are trying to stop an evil admin, I believe you will not be
> able to get it done. Removing sysadm privs is kind of difficult and
> backwards. You really want to define what an admin can do, rather
> than what they can't.
>
> On 03/31/2014 11:04 AM, Philipp wrote:
>
> Already tried that, but then the user isn’t able to open e.g. the
> /var/log/audit/audit.log. This is also mentioned in the
> sysadm_secadm.te file.
>
> logging_manage_audit_log(sysadm_t)
> logging_manage_audit_config(sysadm_t)
> logging_run_auditctl(sysadm_t, sysadm_r)
> logging_stream_connect_syslog(sysadm_t)
>
> The user is still able to read/write SELinux config files…
>
> *From:* Daniel J Walsh [mailto:dwalsh at redhat.com]
> *Sent:* Monday, 31 March 2014 16:59
> *To:* Philipp; selinux at lists.fedoraproject.org
> <mailto:selinux at lists.fedoraproject.org>
> *Subject:* Re: Adoption to Ref-Policy sysadm_t
>
> Does disabling the sysadm_secadm package give you the separation you need?
>
> semodule -d sysadm_secadm
>
> On 03/31/2014 09:22 AM, Philipp wrote:
>
> Hi all,
>
> I am trying to adapt the reference policy in a way that the
> sysadm_t domain isn’t able to open SELinux configuration files
> or run any related binaries like semanage. My approach was to
> edit the sysadm.te file and uncomment the related lines in
> there. Thus far, I haven’t found the right entries:
>
> I looked up the following lines with sesearch:
>
> sesearch --all -s sysadm_t -t selinux_config_t |
>
> Output:
>
> allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> allow sysadm_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
> allow sysadm_t non_security_file_type : chr_file { getattr relabelfrom relabelto } ;
> allow sysadm_t non_security_file_type : blk_file { getattr relabelfrom relabelto } ;
> allow sysadm_t non_security_file_type : sock_file { getattr relabelfrom relabelto } ;
> allow sysadm_t non_security_file_type : fifo_file { getattr relabelfrom relabelto } ;
> allow sysadm_t file_type : filesystem getattr ;
> allow sysadm_usertype file_type : filesystem getattr ;
> allow sysadm_t selinux_config_t : dir { getattr search open } ;
> allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
> allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;
> allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
>
> I thought that there must be some entries corresponding to the
> last few lines, but as already mentioned I haven’t found any
> in the
> rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm*
> files.
>
> What am I doing wrong, or where do I have to change something?
>
> Thank you in advance!
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org <mailto:selinux at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
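An added example, not code from the thread or from the policy: a small Python script that resolves the attribute expansion that sesearch output hides, which is why the rules Philipp found never appear in sysadm.te. The sample rules are constructed from the output quoted above; the two attribute membership maps are simplified assumptions standing in for what seinfo -a would report on each policy. It shows that once a type is declared with files_security_file() it drops out of non_security_file_type, so the blanket write rule no longer applies, while the sysadm_usertype rule still grants read.

```python
import re

# Constructed sample of sesearch output, copied from the rules quoted in the thread.
SESEARCH_OUTPUT = """\
allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t selinux_config_t : dir { getattr search open } ;
allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
"""

# Attribute membership (assumed, simplified): which concrete types each attribute expands to.
# Plain refpolicy: selinux_config_t is an ordinary file type, so it sits in non_security_file_type.
REFPOLICY_MEMBERS = {
    "non_security_file_type": {"selinux_config_t", "etc_t"},
    "sysadm_usertype": {"sysadm_t"},
}
# Fedora: files_security_file(selinux_config_t) moves it out of non_security_file_type.
FEDORA_MEMBERS = {
    "non_security_file_type": {"etc_t"},
    "security_file_type": {"selinux_config_t"},
    "sysadm_usertype": {"sysadm_t"},
}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")

def parse_rules(text):
    """Parse 'allow src tgt : class { perms } ;' lines into (src, tgt, class, perms)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def matches(name, concrete, members):
    """A rule field matches a concrete type directly or via an attribute it belongs to."""
    return name == concrete or concrete in members.get(name, ())

def applicable_rules(rules, members, src_type, tgt_type, cls):
    """Rules that grant src_type access to tgt_type for cls, with attributes resolved."""
    return [r for r in rules
            if r[2] == cls and matches(r[0], src_type, members) and matches(r[1], tgt_type, members)]

def effective_perms(rules, members, src_type, tgt_type, cls):
    """Union of permissions over all applicable rules."""
    perms = set()
    for r in applicable_rules(rules, members, src_type, tgt_type, cls):
        perms |= r[3]
    return perms

if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    for label, members in (("refpolicy", REFPOLICY_MEMBERS), ("fedora", FEDORA_MEMBERS)):
        print(label, sorted(effective_perms(rules, members, "sysadm_t", "selinux_config_t", "file")))
```

On a real system, replace the membership maps with the output of seinfo -a<attribute> -x for each attribute named in the sesearch rules.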