From: Andy Ruch <adruch2002@yahoo.com>
To: SELinux ML <selinux@tycho.nsa.gov>
Subject: sudo best practices
Date: Fri, 22 Mar 2013 13:16:28 -0700 (PDT) [thread overview]
Message-ID: <1363983388.48128.YahooMailNeo@web163406.mail.gq1.yahoo.com> (raw)
Hello,
I’m requesting information on some “best practices” regarding using sudo in an SELinux environment. I’m implementing a very locked down RHEL6 system using the Reference Policy as a base. The following scenario is just one example of many use cases, so don’t worry about the “mounting” details, just the sudo aspect.
Scenario:
Auditadm role needs the ability to mount a drive. However, I don’t want auditadm to be able to mount anything else. Therefore, I’ve created a script (mymount.sh) to mount a particular drive in a particular location. The script also does some extra stuff around the mount command for convenience and logging. The script is labeled mymount_exec_t. When executed, it will transition to mymount_t. Rules were created so that Auditadm is allowed to execute mymount_exec_t and transition appropriately to mymount_t. Because mounting a drive requires root permissions, sudo must be used somewhere. Currently, I made the script only executable by root. Auditadm then executes the script using sudo. My reasoning for this was to allow sudo to be executed using the built-in sudo domain for auditadm (auditadm_sudo_t). Then all I had to do was allow my script domain (mymount_t) to run mount.
Problem:
I discovered that ‘sudo_role_template’ allows the auditadm sudo domain to execute all executables (corecmd_exec_all_executables). I didn’t necessarily want to grant auditadm the ability to execute any command as sudo. For example, I have other scripts that should only be executed by sysadm. At the same time, auditadm needs to be able to use sudo for day-to-day responsibilities such as ls, less, cp, etc. for working with /var/log/audit/*.
Questions:
1) What are the “best practices” regarding using sudo?
2) What’s the best way to allow some sudo access but restrict others?
3) In the above example, would it be better to call sudo just on the mount command? Then I would have to allow all permissions for mymount_t to run sudo.
Thanks,
Andy Ruch
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2013-03-22 20:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-22 20:16 Andy Ruch [this message]
2013-03-24 20:26 ` sudo best practices Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1363983388.48128.YahooMailNeo@web163406.mail.gq1.yahoo.com \
--to=adruch2002@yahoo.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.