selinux January 2011 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: SELinux role separation

Re: SELinux role separation

From: Qwyjibo Jones <qwyjibojones_at_nospam>
Date: Thu Jan 20 2011 - 17:05:26 GMT
To: Daniel J Walsh <dwalsh@redhat.com>

Okay,

We aren't using any desktop right now. this system is a headless server.

As for how important... Well if you ask me, (the sysadmin), I would say not
very. But alas it is not up to me. I will have to get the customer (Govt) to
tell me how much they need this. Perhaps I can get them to wait until 6.1
comes out since they are thinking of a hardware refresh anyhow.

My current policy skills are probably insufficient to the task of making the
policy you described. I can use audit2allow pretty well tho... :)

Thanks,

On Thu, Jan 20, 2011 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> > Sorry, one more question...
> >
> > Does the MLS policy shipped with RHEL 6 have the separation?
> >
> > Thanks,
> >
> > On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@redhat.com
> > <mailto:dwalsh@redhat.com>> wrote:
> >
> > On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> >> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> >> need to create it somehow and put it under /selinux/booleans ?
> >
> >> # getsebool -a | grep allow_sysadm_manage_security
> >> # getsebool -a | grep allow_sysadm
> >> # getsebool -a | grep sysadm
> >> allow_httpd_sysadm_script_anon_write --> off
> >> ssh_sysadm_login --> off
> >> staff_read_sysadm_file --> off
> >> xdm_sysadm_login --> off
> >
> >
> >
> >> Thanks,
> >
> >> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@redhat.com
> > <mailto:dwalsh@redhat.com>
> >> <mailto:dwalsh@redhat.com <mailto:dwalsh@redhat.com>>> wrote:
> >
> >> On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
> >
> >>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
> >>> installed.
> >>> I am trying to understand how separation of roles works in
> > SELinux/MLS
> >>> policy version 21. We have been told that we need to separate
> >> roles that
> >>> the sys admin is no longer allowed to do.
> >
> >>> After reading through these threads, in the archives I am still
> >>> wondering about a couple things:
> >
> >
> >
> >
> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
> >
> >>> And this one:
> >
> >
> >
> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
> >
> >>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> >>> separation of sysadm_r and secadm_r roles:
> >
> >>> a) Can the secadm_r role be the only role that can assign
> > roles via
> >>> semanage?
> >
> >>> c) Can the secadm_r role be the only role that can control
> >> files used
> >>> in auditing, like auditd.conf. audit.rules, /etc/init.d/auditd etc...
> >
> >> auditadm_r:auditadm_t is only allowed to modify these files.
> >
> >>> 2) Is this better accomplished with a combination of SUDO and
> > SELinux?
> >> Since sysadm_t can hack his way around the SELinux controls via tools
> >> like rpm and fdisk, you are better off using sudo to further restrict
> >> his actions, if possible.
> >>> 3) How can I determine what secadm_r can do in the current
> >>> configuration? can any of the CLI tools show me that? ( no gui tools
> >>> available )
> >
> >> You probably want to look at secadm_t
> >
> >> sesearch -A -t secadm_t
> >
> >>> If not, what about RHEL 6 ? ( I understand RHEL 6 is not available to
> >>> Itanium systems, but we may have new hardware soon)
> >
> >>> Any tips. hints, pointers etc... would be very helpfull.
> >
> >>> Thanks for your time,
> >
> > Oops I misread the policy, I guess we abandoned the separation.
> >
> >
> > ifdef(`enable_mls',`
> >
> > userdom_security_administrator(secadm_t,secadm_r,{
> > secadm_tty_device_t sysadm_devpts_t })
> > # tunable_policy(`allow_sysadm_manage_security',`
> >
> > userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> > # ')
> >
> >
> > Missed the "#" at the beginning of the lines. So I don't think we
> > prevent sysadm_t from managing the security, of course he has to be able
> > to run at SystemHigh.
> >
> One idea would be to build the separation into a separate module
> sysadm_secadm.pp then you could disable this module and take away the
> power of sysadm to do security administration. How important is this?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
> YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
> =Ae9m
> -----END PGP SIGNATURE-----
>

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.