* sysadm_r for Staff Users
@ 2004-10-27 16:56 Alex Ackerman
From: Alex Ackerman @ 2004-10-27 16:56 UTC (permalink / raw)
  To: selinux

Ok, this is probably mentioned somewhere already, but I have been unable
to have my standard user account effectively use the sysadm_r role.  A
simple example to illustrate.  My "ackerman" account is set up with a
default role of staff_r and a supplementary role of sysadm_r similar to
the jadmin user example in /src/policy/users. After reloading the
updated policy, relabeling the filesystem, and logging in as "ackerman",
I switch to the sysadm_r role using newrole. To test out my newfound
powers, I try to update the system via yum (yum update).  I get the
following error:

You need to be root to perform this command.

Any ideas? I'm also restricted from actually writing to a system config
file while in the sysadm_r role.  I was under the understanding that a
benefit of SELinux was the ability to move system administration to a
group of individuals rather than just have the root user as the sole
owner of the kingdom (and hence allow many folks access to the root
password).  Any ideas of further changes needed to the system to enable
this that I'm missing?

Thanks!

Alex

The /etc/selinux/strict/src/policy/users file entry is:

user ackerman roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon',
`system_r') };


* Re: sysadm_r for Staff Users
From: Stephen Smalley @ 2004-10-27 19:51 UTC (permalink / raw)
  To: Alex Ackerman; +Cc: selinux

On Wed, 2004-10-27 at 12:56, Alex Ackerman wrote:
> Ok, this is probably mentioned somewhere already, but I have been
> unable to have my standard user account effectively use the sysadm_r
> role.  A simple example to illustrate.  My “ackerman” account is setup
> with a default role of staff_r and a supplementary role of sysadm_r
> similar to the jadmin user example in /src/policy/users. After
> reloading the updated policy, relabeling the filesystem, and logging
> in as “ackerman”, I switch to the sysadm_r role using newrole. To test
> out my new found powers, I try to update the system via yum. (yum
> update).  I get the following error:

At present, SELinux is purely restrictive, i.e. it only denies accesses
that might otherwise be granted.  Hence, you must both be in sysadm_r
and have Linux uid 0 to perform administrative tasks.  In the pre-Fedora
(and still in other distros) SELinux, one would run newrole -r sysadm_r
and then run su to gain full administrative access, and su would not
change the SELinux user identity at all (so you would be
ackerman:sysadm_r:sysadm_t and uid 0 after doing so).  In the Fedora
SELinux, one can simply run su, since the Fedora su calls pam_selinux
and sets the SELinux security context as well as the Linux uid, so you
end up as root:sysadm_r:sysadm_t.  Note that staff_r can still serve a
purpose here; if you disable the user_canbe_sysadm tunable in the Fedora
policy, then only staff_r users will be able to use su to reach
sysadm_r; a user_r user will be unable to do so even if he knows the
root password.

While it would be possible to have SELinux authoritatively grant Linux
capabilities based on role/domain, doing so safely will require further
tightening of the policy configuration and further changes to userspace
(to not make hardcoded assumptions about uid 0).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
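The rule Stephen describes above (SELinux only denies, so an administrative action needs uid 0 from DAC and sysadm_r from the policy at the same time, and newrole and su each change only one of those) is easy to get wrong. The following is an added model written for this page, not code from the thread or from the SELinux project: it parses the `user ... roles { ... };` line Alex posted (expanding the two-argument m4 `ifdef` form used there), then walks through the newrole/su sequences from the reply. The `Process`, `newrole`, `su_root` and `admin_allowed` names, the treatment of `user_canbe_sysadm` as a boolean flag, and the uids 500/501 are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Two-argument m4 form ifdef(`SYM', `BODY') as used in the strict policy users file
# (the optional else-branch of ifdef is not modelled; assumption for this example).
_IFDEF = re.compile(r"ifdef\(`([^']*)',\s*`([^']*)'\)")
_ENTRY = re.compile(r"^\s*user\s+(\w+)\s+roles\s*\{([^}]*)\}\s*;")


def expand_ifdefs(text, defined):
    """Expand ifdef() the way m4 would: keep BODY when SYM is defined, else drop the call."""
    return _IFDEF.sub(lambda m: m.group(2) if m.group(1) in defined else "", text)


def parse_users_entry(line, defined=()):
    """Return (username, set of authorized roles) for one `user NAME roles { ... };` line."""
    m = _ENTRY.match(expand_ifdefs(line, set(defined)))
    if not m:
        raise ValueError("not a users entry: %r" % line)
    return m.group(1), set(m.group(2).split())


@dataclass(frozen=True)
class Process:
    """The two identities that matter here: Linux uid (DAC) and SELinux user:role (MAC)."""
    uid: int
    seuser: str
    role: str


def newrole(proc, user_roles, target):
    """newrole changes only the SELinux role; the Linux uid is untouched."""
    if target not in user_roles:
        raise PermissionError("%s is not authorized for role %s" % (proc.seuser, target))
    return Process(proc.uid, proc.seuser, target)


def su_root(proc, fedora_su=False, user_canbe_sysadm=True):
    """Model of su as described in the thread (assumption: simplified to these two cases).

    Pre-Fedora su changes only the uid and keeps the SELinux user and role.
    Fedora su calls pam_selinux and also moves the process to root:sysadm_r,
    which a user_r caller may not reach when user_canbe_sysadm is disabled.
    """
    if not fedora_su:
        return Process(0, proc.seuser, proc.role)
    if proc.role == "user_r" and not user_canbe_sysadm:
        raise PermissionError("user_r may not reach sysadm_r while user_canbe_sysadm is off")
    return Process(0, "root", "sysadm_r")


def admin_allowed(proc):
    """An administrative action passes only if DAC (uid 0) AND MAC (sysadm_r) both allow it."""
    return proc.uid == 0 and proc.role == "sysadm_r"


# Constructed sample: the exact users-file line from Alex's message.
USERS_LINE = "user ackerman roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };"


def scenario():
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    _, roles = parse_users_entry(USERS_LINE)
    alex = Process(500, "ackerman", "staff_r")  # constructed uid
    bob = Process(501, "bob", "user_r")         # constructed user_r account
    out = {}
    # What Alex did: newrole alone -> sysadm_r but still uid 500 -> "You need to be root".
    out["newrole_only"] = admin_allowed(newrole(alex, roles, "sysadm_r"))
    # Pre-Fedora recipe: newrole -r sysadm_r, then su -> ackerman:sysadm_r at uid 0.
    out["newrole_then_su"] = admin_allowed(su_root(newrole(alex, roles, "sysadm_r")))
    # su alone on pre-Fedora: uid 0 but still staff_r -> MAC side fails.
    out["su_only_prefedora"] = admin_allowed(su_root(alex))
    # Fedora su: one step to root:sysadm_r.
    out["su_only_fedora"] = admin_allowed(su_root(alex, fedora_su=True))
    # user_r with the root password, user_canbe_sysadm disabled -> cannot reach sysadm_r.
    try:
        out["user_r_su_locked"] = admin_allowed(su_root(bob, fedora_su=True, user_canbe_sysadm=False))
    except PermissionError:
        out["user_r_su_locked"] = False
    return out


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print("%-20s %s" % (case, "allowed" if allowed else "denied"))
```

Only `newrole_then_su` and `su_only_fedora` come out allowed; the first case reproduces the "You need to be root" symptom, the third shows why staff_r plus uid 0 is not enough either, and the last shows the staff_r/user_r distinction the tunable enforces.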



* RE: sysadm_r for Staff Users
From: Richard Simpson @ 2004-10-27 20:03 UTC (permalink / raw)
  To: Alex Ackerman, selinux

Alex-

Normal DAC restrictions are still in effect. You have to su to root (which
may also be restricted by your SELinux policy).

Richard.
