Re: role infrastructure

Re: role infrastructure

[Daniel J Walsh]

Bringing this out for full discussion.

Christopher J. PeBenito wrote:
> Dan, can you give me a run down of:
>
> 1. how you want to be able to configure user roles
> 2. things that fc/rhel users request for user role customization
>   
Good question I think this is more a brain storming exercise, which I 
don't necessarily have the knowledge or
experience to answer.

What I have heard is for Sarbanes Oxley, groups want to be allowed to 
have administrators that can get root privs in order to
configure certain facets of the system, but not full control.

So you could imagine a webadmin, nameserveradmin, dhcpadmin as 
examples.  Then I believe they would like to use
dominance in some way to group them.  netadmin = { nameserveradmin 
dhcpadmin }.

My idea is that we give these administrators full control over the types 
defined for these domains, and allow them to use all of the
standard tools for configuring (vi, emacs, basically anything labeled 
bin_t.)

To make this useful in a Targeted policy system, we might do something 
to sudo to get a transition to happen.

So dwalsh can run a root shell but only in the webadm_r  unconfined_t 
would transition to webadm_r.

Thoughts?

Dan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: role infrastructure

[Christopher J. PeBenito]

On Tue, 2006-07-11 at 09:37 -0400, Daniel J Walsh wrote:
> Bringing this out for full discussion.
> 
> Christopher J. PeBenito wrote:
> > Dan, can you give me a run down of:
> >
> > 1. how you want to be able to configure user roles
> > 2. things that fc/rhel users request for user role customization
> >   
> Good question I think this is more a brain storming exercise, which I 
> don't necessarily have the knowledge or
> experience to answer.
> 
> What I have heard is for Sarbanes Oxley, groups want to be allowed to 
> have administrators that can get root privs in order to
> configure certain facets of the system, but not full control.
> 
> So you could imagine a webadmin, nameserveradmin, dhcpadmin as 
> examples.  Then I believe they would like to use
> dominance in some way to group them.  netadmin = { nameserveradmin 
> dhcpadmin }.
> 
> My idea is that we give these administrators full control over the types 
> defined for these domains, and allow them to use all of the
> standard tools for configuring (vi, emacs, basically anything labeled 
> bin_t.)
> 
> To make this useful in a Targeted policy system, we might do something 
> to sudo to get a transition to happen.
> 
> So dwalsh can run a root shell but only in the webadm_r  unconfined_t 
> would transition to webadm_r.

So this looks like the main goal of these examples is finer-grained
admin users, which makes sense.  What I'd like to do is go one step
farther and make it possible to compose the roles more easily, making it
possible to have unprivileged users that have less access than the
current user_t.  If you look at the userdomain.if in the role-infra
branch, you can see that I started to break down the user domains into
logical blocks so they can be more easily composed.  Note, the names on
these templates are just temporary, and will be changed in the future.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: role infrastructure

[Daniel J Walsh]

Christopher J. PeBenito wrote:
> On Tue, 2006-07-11 at 09:37 -0400, Daniel J Walsh wrote:
>   
>> Bringing this out for full discussion.
>>
>> Christopher J. PeBenito wrote:
>>     
>>> Dan, can you give me a run down of:
>>>
>>> 1. how you want to be able to configure user roles
>>> 2. things that fc/rhel users request for user role customization
>>>   
>>>       
>> Good question I think this is more a brain storming exercise, which I 
>> don't necessarily have the knowledge or
>> experience to answer.
>>
>> What I have heard is for Sarbanes Oxley, groups want to be allowed to 
>> have administrators that can get root privs in order to
>> configure certain facets of the system, but not full control.
>>
>> So you could imagine a webadmin, nameserveradmin, dhcpadmin as 
>> examples.  Then I believe they would like to use
>> dominance in some way to group them.  netadmin = { nameserveradmin 
>> dhcpadmin }.
>>
>> My idea is that we give these administrators full control over the types 
>> defined for these domains, and allow them to use all of the
>> standard tools for configuring (vi, emacs, basically anything labeled 
>> bin_t.)
>>
>> To make this useful in a Targeted policy system, we might do something 
>> to sudo to get a transition to happen.
>>
>> So dwalsh can run a root shell but only in the webadm_r  unconfined_t 
>> would transition to webadm_r.
>>     
>
> So this looks like the main goal of these examples is finer-grained
> admin users, which makes sense. 
exactly
>  What I'd like to do is go one step
> farther and make it possible to compose the roles more easily, making it
> possible to have unprivileged users that have less access than the
> current user_t.  
I agree. 

I would like to get to the point where in targeted policy we could allow 
people to turn on mozilla/thunderbird
policy via a boolean.  So someone building a kiosk could run a locked 
down version of thunderbird without requiring
the pain of strict policy.  But I digress.
> If you look at the userdomain.if in the role-infra
> branch, you can see that I started to break down the user domains into
> logical blocks so they can be more easily composed.  Note, the names on
> these templates are just temporary, and will be changed in the future.
>
>   

Yes that is a step in the right direction.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.