* staff_u permission
@ 2014-05-05 16:06 Steve Huston
From: Steve Huston @ 2014-05-05 16:06 UTC (permalink / raw)
  To: selinux

Apologies if this subject doesn't make sense, I'm not only fairly new
to selinux but also on Sudafed :>

I'm setting up a Puppet server, and will have a Mercurial repository
behind it; as a post-push hook I will have hg do a checkout of the
repo to /etc/puppet (after having done some sanity checks on the
changeset).  Right now, all the files in /etc/puppet are owned by root
with a group that I and another can access, and have the context
system_u:object_r:puppet_etc_t.

My user account is part of the staff_u context, and I would like to
tell selinux on this machine that anyone in that context should be
allowed to edit those files.  Looking through with "sesearch -A -t
puppet_etc_t -c file -p write" I see the puppet_t context allows such.
 What I do not know is how to configure a transition or what else I
could/should do to allow staff_u to write to just those files.  While
I'm sure I could use a larger hammer, I would like to be in the
practice of only allowing what should be allowed by default, and not a
larger amount of permission just because it's easier.

Can someone point me to the proper documentation for this?  If you
want to spell out the answer that's great too, provided you tell me
how you got it :>

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'


* Re: staff_u permission
From: Daniel J Walsh @ 2014-05-05 16:47 UTC (permalink / raw)
  To: Steve Huston, selinux


On 05/05/2014 12:06 PM, Steve Huston wrote:
> Apologies if this subject doesn't make sense, I'm not only fairly new
> to selinux but also on Sudafed :>
>
> I'm setting up a Puppet server, and will have a Mercurial repository
> behind it; as a post-push hook I will have hg do a checkout of the
> repo to /etc/puppet (after having done some sanity checks on the
> changeset).  Right now, all the files in /etc/puppet are owned by root
> with a group that I and another can access, and have the context
> system_u:object_r:puppet_etc_t.
>
> My user account is part of the staff_u context, and I would like to
> tell selinux on this machine that anyone in that context should be
> allowed to edit those files.  Looking through with "sesearch -A -t
> puppet_etc_t -c file -p write" I see the puppet_t context allows such.
>  What I do not know is how to configure a transition or what else I
> could/should do to allow staff_u to write to just those files.  While
> I'm sure I could use a larger hammer, I would like to be in the
> practice of only allowing what should be allowed by default, and not a
> larger amount of permission just because it's easier.
>
> Can someone point me to the proper documentation for this?  If you
> want to spell out the answer that's great too, provided you tell me
> how you got it :>
>
First off, I hope you realize that you still need to allow DAC
permissions, meaning if users on the system were not allowed to edit
these files with SELinux in permissive mode or disabled, they still
would not be allowed to edit the files with SELinux in enforcing, no
matter the label.  You could add group permissions to the /etc/puppet
directory and allow users in that group to write.  Another option would
be to allow the users to use sudo to get access to this directory.

If we want to leave the files labeled as puppet_etc_t, then simply
adding a custom policy like

# cat mystaff.te
policy_module(mystaff,1.0)
gen_require(`
type staff_t, puppet_etc_t;
')
manage_dirs_pattern(staff_t, puppet_etc_t, puppet_etc_t)
manage_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)
manage_lnk_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mystaff.pp

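The two checks Dan describes, DAC first and then the SELinux allow rule, as an added example in POSIX sh that is not code from the thread; the user name shuston, the puppetadm group, the function names and the sesearch output lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: an edit of a puppet_etc_t file goes
# through only if DAC (owner/group/mode) AND SELinux (an allow rule from the
# user's domain to puppet_etc_t) both agree. Inputs are plain strings so this
# runs anywhere; on the server take them from stat -c '%U %G %a', id -Gn and
# sesearch -A -s staff_t -t puppet_etc_t -c file.
# dac_can_write OWNER GROUP OCTALMODE USER "GROUP1 GROUP2 ..."
dac_can_write() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    [ "$user" = root ] && return 0
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')  # drop setuid/setgid/sticky digit
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c1)
    elif printf ' %s ' "$groups" | grep -qF " $group "; then
        bit=$(printf '%s' "$mode" | cut -c2)
    else
        bit=$(printf '%s' "$mode" | cut -c3)
    fi
    [ $((bit & 2)) -ne 0 ]                                # 2 is the write bit
}

# selinux_can_write RULES SRC_TYPE TGT_TYPE -- RULES is sesearch -A output, in
# either "tgt : file { ... } ;" (setools 3) or "tgt:file { ... };" (setools 4)
# spacing. Succeeds if an allow rule SRC -> TGT grants 'write' on class file.
selinux_can_write() {
    rules=$1; src=$2; tgt=$3
    printf '%s\n' "$rules" | grep -E "^allow $src $tgt ?: ?file " \
        | grep -Eq '(\{[^}]*[[:space:]]write[[:space:]][^}]*\}|[[:space:]]write[[:space:]]*;)'
}

# can_edit OWNER GROUP OCTALMODE USER "GROUPS" DOMAIN RULES
# Both layers must agree; the first one that refuses is named on stdout.
can_edit() {
    if ! dac_can_write "$1" "$2" "$3" "$4" "$5"; then
        echo "denied by DAC: $4 has no write bit on a $1:$2 mode $3 file"; return 1
    fi
    if ! selinux_can_write "$7" "$6" puppet_etc_t; then
        echo "denied by SELinux: no 'allow $6 puppet_etc_t:file write' rule"; return 1
    fi
    echo allowed
}
# Constructed sesearch output: before mystaff.pp only puppet_t may write; after
# it staff_t gets the file perms that manage_files_pattern expands to.
RULES_BEFORE='allow puppet_t puppet_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;'
RULES_AFTER="$RULES_BEFORE
allow staff_t puppet_etc_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name search rmdir open } ;
allow staff_t puppet_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;"
can_edit root puppetadm 664 shuston "shuston puppetadm" staff_t "$RULES_BEFORE" || true  # denied by SELinux
can_edit root puppetadm 664 shuston "shuston puppetadm" staff_t "$RULES_AFTER"           # allowed
```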

* Re: staff_u permission
From: Steve Huston @ 2014-05-07 12:48 UTC (permalink / raw)
  To: selinux

On Mon, May 5, 2014 at 12:47 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> First off, I hope you realize that you still need to allow DAC
> permissions, meaning if users on the system were not allowed to edit
> these files with SELinux in permissive mode or disabled, they still
> would not be allowed to edit the files with SELinux in enforcing, no
> matter the label.  You could add group permissions to the /etc/puppet
> directory and allow users in that group to write.  Another option would
> be to allow the users to use sudo to get access to this directory.

I probably wasn't clear in my initial description; using standard Unix
groups is what I'd already done, so the next step was how to get
SELinux to know what I was doing is OK :>

> If we want to leave the files labeled as puppet_etc_t, then simply
> adding a custom policy like
>
> # cat mystaff.te
> policy_module(mystaff,1.0)
> gen_require(`
> type staff_t, puppet_etc_t;
> ')
> manage_dirs_pattern(staff_t, puppet_etc_t, puppet_etc_t)
> manage_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)
> manage_lnk_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mystaff.pp

Worked perfectly, thanks!

