* questions about sysadm
From: lky @ 2003-11-11 20:29 UTC
To: SELINUX
Hi, I don't know why there is sysadm in SELinux, because it can do everything just like root of the traditional Linux. Is it secure?
So I want to add a security administrator to the SELinux system and delete the security administration right from the sysadm. I add a user named secadm with the role secadm_r and the type secadm_t as the security administrator. Secadm can access the contents under /etc/security/selinux and forbid sysadm to access it. Now I think I can do that. But the problem is that I can't run 'make reload' or 'make relabel' as secadm. When I run 'make reload' the errors are as below:
-------------------------------------------------------------------------------------------------------
/usr/sbin/load_policy /etc/security/selinux/policy.15-mls
/usr/sbin/load_policy: security_load_policy failed
make: *** [reload] Error 3
-------------------------------------------------------------------------------------------------------
I have done the following steps:
In checkpolicy.te, I have added
-------------------------------------------------------------------------------------------------------
role secadm_r types checkpolicy_t;
domain_auto_trans(secadm_t,checkpolicy_exec_t,checkpolicy_t)
-------------------------------------------------------------------------------------------------------
And I have created the secadm.te file as below:
-------------------------------------------------------------------------------------------------------
full_user_role(secadm)
allow system_r secadm_r;
allow sysadm_r secadm_r;
allow secadm_t policy_src_t:{ file lnk_file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t policy_src_t:dir { create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir };
allow secadm_t policy_src_t:file { execute execute_no_trans };
allow secadm_t policy_config_t:dir { getattr search read write };
allow secadm_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t security_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow secadm_t security_t:dir { create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir };
allow secadm_t checkpolicy_exec_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-------------------------------------------------------------------------------------------------------
At the same time I commented out the following lines in admin_macros.te:
---------------------------------------------------------------------------------------------------
allow $1_t policy_config_t:dir ......
allow $1_t policy_config_t:file ......
---------------------------------------------------------------------------------------------------
How can I run 'make reload' as secadm so I can modify the policy and install and load the new policy as secadm?
Another question:
How can I forbid the deny messages from being displayed on the screen? I just want them to be output only to the log files.
Thanks!
* Re: questions about sysadm
From: Russell Coker @ 2003-11-11 21:05 UTC
To: lky, SELINUX
On Wed, 12 Nov 2003 07:29, lky wrote:
> Hi, I don't know why there is sysadm in SELinux, because it can do
> everything just like root of the traditional Linux. Is it secure?
It can't do everything that root can do. Try creating device nodes, piping
fsck output to a file, directly accessing block devices, etc.
> So I want to add a security administrator to the SELinux system and delete
> the security administration right from the sysadm. I add a user named
> secadm with the role secadm_r the type secadm_t as the securiry
> administrator. Secadm can access the contents under /etc/security/selinux
> and forbid sysadm to access it. Now I think I can do that.But the problem
> is that I can't run 'make reload' or 'make relabel' as secadm.When I run
> 'make reload' the errors as below:
Edit load_policy.te appropriately and change the lines referring to sysadm_r
and sysadm_t.
But this is not all you need. sysadm_t can still modify almost every file on
the system, so it will be easy for them to get secadm_r if they want.
Implementing a sysadm vs secadm split will be really difficult.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: questions about sysadm
From: lky @ 2003-11-12 17:00 UTC
To: SELINUX, russell
On Wednesday, November 12, 2003 5:05 AM, Russell Coker wrote:
> Edit load_policy.te appropriately and change the lines referring to sysadm_r
> and sysadm_t.
>
> But this is not all you need. sysadm_t can still modify almost every file on
> the system, so it will be easy for them to get secadm_r if they want.
>
> Implementing a sysadm vs secadm split will be really difficult.
I tried to edit load_policy.te as follows:
---------------------------------------------------------------------------------
type load_policy_t, domain;
#role sysadm_r types load_policy_t;
###############################################
role secadm_r types load_policy_t;
###############################################
#type load_policy_exec_t, file_type, exec_type, sysadmfile;
type load_policy_exec_t, file_type, exec_type;
#
# Rules
#domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
#############################################
domain_auto_trans(secadm_t, load_policy_exec_t, load_policy_t)
############################################
# for running it from an init script
domain_auto_trans(initrc_t, load_policy_exec_t, load_policy_t)
allow load_policy_t init_t:fd use;
allow load_policy_t console_device_t:chr_file { read write };
role system_r types load_policy_t;
ifdef(`dpkg.te', `
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
')
# Reload the policy configuration (sysadm_t no longer has this ability)
can_loadpol(load_policy_t)
###########################################
allow load_policy_t locale_t:file { read getattr };
allow load_policy_t locale_t:dir { search };
allow load_policy_t secadm_tty_device_t:chr_file { read write };
##########################################
# constrain from where load_policy can load a policy, specifically
# policy_config_t files
#
# only allow read of policy config files
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
# Read the devpts root directory (needed?)
allow load_policy_t devpts_t:dir r_dir_perms;
# Other access
allow load_policy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
allow load_policy_t { initrc_t privfd }:fd use;
allow load_policy_t fs_t:filesystem getattr;
#allow load_policy_t sysadm_tmp_t:file { getattr write } ;
allow load_policy_t secadm_tmp_t:file { getattr write };
-------------------------------------------------------
But I still can't run 'make reload' or 'make relabel'. The same errors are there:
-------------------------------------------------------
/usr/sbin/load_policy /etc/security/selinux/policy.15-mls
/usr/sbin/load_policy: security_load_policy failed
make: *** [reload] Error 3
----------------------------------------------------------------------------------------
How should I modify load_policy.te? The error message is too simple to figure out the direct reason. Do I need to modify some other files? I think perhaps secadm lacks some rights. Secadm is created as a common user with full access rights to /selinux/src/policy/. I have modified checkpolicy.te and load_policy.te in order to let secadm run checkpolicy and load the policy. But now secadm can only check the policy but can't load it.
Thanks!
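A static check of the sysadm/secadm split being attempted in the thread, as an added example that is not from the thread or from the SELinux policy sources: a small Python script that parses the subset of the old policy-v15 .te syntax quoted in the messages above (role ... types, domain_auto_trans(), can_loadpol(), allow rules with { } permission sets) and reports whether a given domain, running in a given role, can reach a domain that is allowed to load policy and read policy_config_t. The macro expansions (can_loadpol, domain_auto_trans, r_file_perms, r_dir_perms, notdevfile_class_set) and the embedded sample rules are assumptions reconstructed from the thread, not copies of the 2003 policy. It only reasons about the rule text; load_policy is checked by the kernel against the policy that is currently loaded, so whether that policy already contains these rules is something a file-level check cannot tell you.

```python
import re
from collections import defaultdict

# Assumed expansion of can_loadpol(): the caller domain gets the
# load_policy permission on class security of security_t.
LOADPOL = ("security_t", "security", "load_policy")

# Assumed (subset) expansions of the permission and class macros used in
# the quoted load_policy.te; not copied from the policy sources.
PERM_MACROS = {
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
}
CLASS_MACROS = {
    "notdevfile_class_set": ["file", "lnk_file", "sock_file", "fifo_file"],
}

RE_ROLE = re.compile(r"^role\s+(\w+)\s+types\s+([\w\s]+?)\s*;")
RE_TRANS = re.compile(r"^domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")
RE_LOADPOL = re.compile(r"^can_loadpol\(\s*(\w+)\s*\)")
RE_ALLOW = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


class Policy:
    def __init__(self):
        self.role_types = defaultdict(set)   # role -> authorized domains
        self.auto_trans = set()              # (src, exec_type, dst)
        self.allow = defaultdict(set)        # (src, tgt, class) -> perms

    def has(self, src, tgt, cls, perm):
        return perm in self.allow[(src, tgt, cls)]


def parse_te(text):
    """Parse the supported rule subset. '#' comments are dropped (so the
    commented-out sysadm lines vanish), ifdef() wrapper lines are ignored
    while their bodies are kept, and unrecognised rules are skipped."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := RE_ROLE.match(line):
            pol.role_types[m.group(1)].update(m.group(2).split())
        elif m := RE_TRANS.match(line):
            src, exe, dst = m.groups()
            pol.auto_trans.add((src, exe, dst))
            # assumed core of the domain_auto_trans() expansion
            pol.allow[(src, exe, "file")] |= {"execute", "read", "getattr"}
            pol.allow[(src, dst, "process")].add("transition")
            pol.allow[(dst, exe, "file")].add("entrypoint")
        elif m := RE_LOADPOL.match(line):
            pol.allow[(m.group(1), LOADPOL[0], LOADPOL[1])].add(LOADPOL[2])
        elif m := RE_ALLOW.match(line):
            src, tgt, cls, perms = m.groups()
            names = perms.strip("{} ").split()
            for c in CLASS_MACROS.get(cls, [cls]):
                for n in names:
                    pol.allow[(src, tgt, c)] |= PERM_MACROS.get(n, {n})
    return pol


def check_load_path(pol, role, domain):
    """Return the reasons `domain`, running as `role`, cannot reach a domain
    that may load policy; an empty list means such a path exists."""
    targets = {dst for (src, _e, dst) in pol.auto_trans if src == domain}
    if not targets:
        return [f"{domain} has no domain_auto_trans into any domain"]
    reasons = []
    for dst in sorted(targets):
        missing = []
        if dst not in pol.role_types[role]:
            missing.append(f"role {role} is not authorized for {dst}")
        if not pol.has(dst, *LOADPOL):
            missing.append(f"{dst} lacks security:load_policy on security_t")
        if not pol.has(dst, "policy_config_t", "file", "read"):
            missing.append(f"{dst} cannot read policy_config_t files")
        if not missing:
            return []
        reasons.extend(missing)
    return reasons


# Constructed sample: the relevant lines quoted in the thread (the edited
# load_policy.te plus the checkpolicy.te additions), comments left in.
SAMPLE_TE = """
role secadm_r types checkpolicy_t;
domain_auto_trans(secadm_t,checkpolicy_exec_t,checkpolicy_t)
#role sysadm_r types load_policy_t;
role secadm_r types load_policy_t;
#domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
domain_auto_trans(secadm_t, load_policy_exec_t, load_policy_t)
domain_auto_trans(initrc_t, load_policy_exec_t, load_policy_t)
role system_r types load_policy_t;
ifdef(`dpkg.te', `
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
')
can_loadpol(load_policy_t)
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
"""

if __name__ == "__main__":
    pol = parse_te(SAMPLE_TE)
    for role, dom in (("secadm_r", "secadm_t"), ("sysadm_r", "sysadm_t")):
        print(f"{dom} as {role}:", check_load_path(pol, role, dom) or "ok")
```

Run against the sample, secadm_t in secadm_r comes back clean while sysadm_t in sysadm_r has no transition at all, which is exactly the split the thread wants on paper; Russell's point that sysadm_t can still edit the policy sources and re-enter secadm_r that way is a question about write access to policy_src_t and the user database, which this check deliberately does not model.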