* questions about sysadm
@ 2003-11-11 20:29 lky
  2003-11-11 21:05 ` Russell Coker
  0 siblings, 1 reply; 3+ messages in thread
From: lky @ 2003-11-11 20:29 UTC (permalink / raw)
  To: SELINUX


Hi, I don't know why there is sysadm in SELinux. Because it can do everything just like root of the traditional Linux. Is it secure?

So I want to add a security administrator to the SELinux system and delete the security administration right from the sysadm. I add a user named secadm with the role secadm_r and the type secadm_t as the security administrator. Secadm can access the contents under /etc/security/selinux and forbid sysadm to access it. Now I think I can do that. But the problem is that I can't run 'make reload' or 'make relabel' as secadm. When I run 'make reload' the errors are as below:
-------------------------------------------------------------------------------------------------------
/usr/sbin/load_policy /etc/security/selinux/policy.15-mls
/usr/sbin/load_policy:  security_load_policy failed
make: *** [reload] Error 3
-------------------------------------------------------------------------------------------------------
I have done the following steps:
In checkpolicy.te, I have added 
-------------------------------------------------------------------------------------------------------
role secadm_r types checkpolicy_t;
domain_auto_trans(secadm_t,checkpolicy_exec_t,checkpolicy_t)
-------------------------------------------------------------------------------------------------------
And I have created the secadm.te file as below:
-------------------------------------------------------------------------------------------------------
full_user_role(secadm)
allow system_r secadm_r;
allow sysadm_r secadm_r;
allow secadm_t policy_src_t:{ file lnk_file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t policy_src_t:dir { create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir };
allow secadm_t policy_src_t:file { execute execute_no_trans };
allow secadm_t policy_config_t:dir { getattr search read write };
allow secadm_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t security_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t security_t:dir { create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir };
allow secadm_t checkpolicy_exec_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-------------------------------------------------------------------------------------------------------
At the same time I commented out the following lines in admin_macros.te:
---------------------------------------------------------------------------------------------------
allow $1_t policy_config_t:dir ......
allow $1_t policy_config_t:file ......
---------------------------------------------------------------------------------------------------
How can I run 'make reload' as secadm so I can modify the policy and install and load the new policy as secadm?

Another question:
How can I forbid the deny messages displayed on the screen? I just want them to only be output to the log files.
Thanks!


* Re: questions about sysadm
  2003-11-11 20:29 questions about sysadm lky
@ 2003-11-11 21:05 ` Russell Coker
  2003-11-12 17:00   ` lky
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2003-11-11 21:05 UTC (permalink / raw)
  To: lky, SELINUX

On Wed, 12 Nov 2003 07:29, lky wrote:
> Hi, I don't know why there is sysadm in SELinux. Because it can do
> everything just like root of the traditional Linux. Is it secure?

It can't do everything that root can do.  Try creating device nodes, piping 
fsck output to a file, directly accessing block devices, etc.

> So I want to add a security administrator to the SELinux system and delete
> the security administration right from the sysadm. I add a user named
> secadm with the role secadm_r and the type secadm_t as the security
> administrator. Secadm can access the contents under /etc/security/selinux
> and forbid sysadm to access it. Now I think I can do that. But the problem
> is that I can't run 'make reload' or 'make relabel' as secadm. When I run
> 'make reload' the errors are as below:

Edit load_policy.te appropriately and change the lines referring to sysadm_r 
and sysadm_t.

But this is not all you need.  sysadm_t can still modify almost every file on 
the system, so it will be easy for them to get secadm_r if they want.

Implementing a sysadm vs secadm split will be really difficult.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: questions about sysadm
  2003-11-11 21:05 ` Russell Coker
@ 2003-11-12 17:00   ` lky
  0 siblings, 0 replies; 3+ messages in thread
From: lky @ 2003-11-12 17:00 UTC (permalink / raw)
  To: SELINUX, russell

On Wednesday, November 12, 2003 5:05 AM, Russell Coker wrote:
> Edit load_policy.te appropriately and change the lines referring to sysadm_r 
> and sysadm_t.
> 
> But this is not all you need.  sysadm_t can still modify almost every file on 
> the system, so it will be easy for them to get secadm_r if they want.
> 
> Implementing a sysadm vs secadm split will be really difficult.

I tried to edit load_policy.te as follows:

---------------------------------------------------------------------------------
type load_policy_t, domain;
#role sysadm_r types load_policy_t;

###############################################
role secadm_r types load_policy_t;
###############################################

#type load_policy_exec_t, file_type, exec_type, sysadmfile;
type load_policy_exec_t, file_type, exec_type;

# 
# Rules

#domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)

#############################################
domain_auto_trans(secadm_t, load_policy_exec_t, load_policy_t)
############################################

# for running it from an init script
domain_auto_trans(initrc_t, load_policy_exec_t, load_policy_t)
allow load_policy_t init_t:fd use;
allow load_policy_t console_device_t:chr_file { read write };
role system_r types load_policy_t;

ifdef(`dpkg.te', `
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
')

# Reload the policy configuration (sysadm_t no longer has this ability)
can_loadpol(load_policy_t)

###########################################
allow load_policy_t locale_t:file { read getattr };
allow load_policy_t locale_t:dir { search };
allow load_policy_t secadm_tty_device_t:chr_file { read write };
##########################################

# constrain from where load_policy can load a policy, specifically 
# policy_config_t files 
#

# only allow read of policy config files
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;

# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;

# Read the devpts root directory (needed?)  
allow load_policy_t devpts_t:dir r_dir_perms;

# Other access
allow load_policy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;

allow load_policy_t { initrc_t privfd }:fd use;

allow load_policy_t fs_t:filesystem getattr;

#allow load_policy_t sysadm_tmp_t:file { getattr write } ;
allow load_policy_t secadm_tmp_t:file { getattr write };
-------------------------------------------------------

But I still can't run 'make reload' or 'make relabel'. The same errors are there:

-------------------------------------------------------
/usr/sbin/load_policy /etc/security/selinux/policy.15-mls
/usr/sbin/load_policy:  security_load_policy failed
make: *** [reload] Error 3
----------------------------------------------------------------------------------------
How should I modify the load_policy.te? The error message is too simple to figure out the direct reason. Do I need to modify some other files? I think perhaps secadm lacks some rights. Secadm is created as a common user with full access rights to /selinux/src/policy/. I have modified checkpolicy.te and load_policy.te so that secadm can run checkpolicy and load it. But now secadm can only check the policy and can't load the policy.
Thanks!


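An added example, not part of any message in this thread and not code from the SELinux project: a small Python audit over rules copied from the posted secadm.te and load_policy.te fragments. It lists which roles and domains can reach load_policy_t, which role-change rules lead into those roles, and which domains can write policy files. The function and constant names are assumptions, and it reads unexpanded .te source only, so permissions granted through macros such as full_user_role or r_dir_perms are not evaluated.

```python
import re

# Rules copied from the secadm.te and load_policy.te fragments posted in this thread.
SAMPLE_POLICY = """\
#role sysadm_r types load_policy_t;
role secadm_r types load_policy_t;
role system_r types load_policy_t;
#domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
domain_auto_trans(secadm_t, load_policy_exec_t, load_policy_t)
domain_auto_trans(initrc_t, load_policy_exec_t, load_policy_t)
allow system_r secadm_r;
allow sysadm_r secadm_r;
allow secadm_t policy_src_t:{ file lnk_file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t policy_config_t:dir { getattr search read write };
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t secadm_tmp_t:file { getattr write };
"""

WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link", "add_name", "remove_name"}
PROTECTED = {"policy_config_t", "policy_src_t", "security_t"}  # types named in the thread
TOKEN = r"(\{[^}]*\}|[^\s:;]+)"  # either "{ a b }" or a single identifier
ALLOW_RE = re.compile(rf"^allow\s+{TOKEN}\s+{TOKEN}\s*:\s*{TOKEN}\s+{TOKEN}\s*;")
ROLE_ALLOW_RE = re.compile(r"^allow\s+(\w+_r)\s+(\w+_r)\s*;")
ROLE_TYPES_RE = re.compile(r"^role\s+(\w+)\s+types\s+load_policy_t\s*;")
AUTO_TRANS_RE = re.compile(r"^domain_auto_trans\(\s*(\w+)\s*,\s*load_policy_exec_t\s*,\s*load_policy_t\s*\)")

def audit(policy_text):
    """Report who can reach load_policy_t and who can write policy files."""
    report = {"loader_roles": set(), "loader_entry": set(), "writers": {}}
    role_allows = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out rules grant nothing
        if m := ROLE_TYPES_RE.match(line):
            report["loader_roles"].add(m.group(1))
        elif m := AUTO_TRANS_RE.match(line):
            report["loader_entry"].add(m.group(1))
        elif m := ROLE_ALLOW_RE.match(line):
            role_allows.append(m.groups())
        elif m := ALLOW_RE.match(line):
            src, tgt, _cls, perms = (t.strip("{} ").split() for t in m.groups())
            if WRITE_PERMS & set(perms) and PROTECTED & set(tgt):
                for dom in src:
                    report["writers"].setdefault(dom, set()).update(PROTECTED & set(tgt))
    # Role-change rules ("allow r1 r2;") that lead into a role authorized for load_policy_t.
    report["role_changes"] = sorted(rc for rc in role_allows if rc[1] in report["loader_roles"])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

On these rules the report includes the role-change rule `allow sysadm_r secadm_r;` from the posted secadm.te, since secadm_r is one of the roles authorized for load_policy_t.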
