On 02/04/2010 05:49 AM, Dominick Grift wrote:
> On 02/04/2010 11:22 AM, Leif Thuresson wrote:
>> Is there a "recommended" way to set up access for privileged admin tasks with
>> sudo?
>> In Dominick Grift's blog article
>> http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newrole.html
>> the user assigned the webadm_r role gets a sudo access with match "ALL"
>> so in this example you trust SELinux solely to protect the system from
>> unauthorized access.
>> Is this the way you would normally do it on a production machine?
>> If you make the sudoers rules more specific for the actual commands the
>> admin user needs to run
>> you will gain some initial lock-down from sudo, but at the expense of the
>> sudoers file
>> requiring significantly more maintenance.
>> Administrators generally like scripting to automate tasks, but by allowing a
>> sub-admin to run a shell with uid=0
>> we are again left with only SELinux to prevent unauthorized access.
>> Is the general feeling that SELinux in say fedora12 is mature enough so that
>> we can trust that it will protect
>> the system from unauthorized access if we allow sub-administrators to run
>> scripts as uid=0 ?
>> I see that support for capabilities on files has finally found its way into
>> fedora12. Is that something that is
>> being used to achieve some sort of middle ground between the two
>> alternatives I listed above?
> I believe in security layers.

So if all you want to allow an admin to do is restart the web server then
set up SELinux rules for webadm_r:webadm_t and only allow the script to be
run by sudo. This way if either the script or SELinux has a bug, you might
still be protected. If the super admin currently uses sudo apps then he
should continue, but instead of allowing the less priv admin to run apps as
unconfined_t I would confine them.

> If you can achieve your goal with tighter sudo configuration, then by
> all means use that.
>
> With regard to your other questions. I will be interested what others'
> opinions on this are.
>
>> /Leif
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
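The two sudoers styles the thread weighs against each other, as an added example that is not from the thread or from Dominick's blog post: a small Python audit that parses a constructed sudoers fragment, expands Cmnd_Alias entries, and reports which user specs hand out ALL or a shell (so only SELinux limits what that user can do) versus a fixed command list, and whether the entry also pins an SELinux ROLE=/TYPE= (the sudoers SELinux_Spec, available when sudo is built with SELinux support). The user names, the alias name and the restart-httpd script path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sudoers fragment (not from the thread or the blog post).
# 'leif' mirrors the blog's "ALL" entry: sudo imposes no limit, SELinux is the
# only layer. 'webadm' is the layered style suggested in the reply: one script
# (via a Cmnd_Alias) and the SELinux role/type pinned in sudoers. 'ops' gets a
# shell, which is the same as ALL from sudo's point of view. All names assumed.
SAMPLE_SUDOERS = """\
Cmnd_Alias HTTPD_CTL = /usr/local/sbin/restart-httpd, /sbin/service httpd status
leif    ALL=(ALL)   ALL
webadm  ALL=(root)  ROLE=webadm_r TYPE=webadm_t HTTPD_CTL
ops     ALL=(root)  NOPASSWD: /bin/bash   # hypothetical user
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh", "/usr/bin/bash"}

# user  host=(runas) rest...   (the runas part is optional in sudoers)
USER_SPEC = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$"
)


@dataclass
class Finding:
    user: str
    commands: List[str]
    role: Optional[str]
    seltype: Optional[str]
    broad: bool  # True when sudo alone does not bound what the user can run


def parse_sudoers(text: str) -> List[Finding]:
    """Return one Finding per user specification in a sudoers fragment."""
    aliases = {}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, value = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in value.split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        role = seltype = None
        tokens = []
        for tok in m.group("rest").split():
            if tok.startswith("ROLE="):
                role = tok[len("ROLE="):]
            elif tok.startswith("TYPE="):
                seltype = tok[len("TYPE="):]
            elif tok.endswith(":") and tok[:-1].isupper():
                continue  # tag such as NOPASSWD: or SETENV:
            else:
                tokens.append(tok)
        commands = []
        for cmd in " ".join(tokens).split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            commands.extend(aliases.get(cmd, [cmd]))  # expand Cmnd_Alias
        # ALL, or a shell as the command, means sudo itself is not a limit
        broad = any(c == "ALL" or c.split()[0] in SHELLS for c in commands)
        findings.append(Finding(m.group("user"), commands, role, seltype, broad))
    return findings


def relies_only_on_selinux(findings: List[Finding]) -> List[str]:
    """Users whose sudo grant is unbounded, so only SELinux confines them."""
    return [f.user for f in findings if f.broad]


if __name__ == "__main__":
    for f in parse_sudoers(SAMPLE_SUDOERS):
        if f.broad:
            layer = "SELinux only"
        elif f.role:
            layer = "sudo+SELinux"
        else:
            layer = "sudo only"
        print(f"{f.user:8} broad={f.broad!s:5} role={f.role} type={f.seltype} -> {layer}")
```

Running it prints one line per user spec; the "SELinux only" entries are the ones where, as Leif puts it, you trust SELinux solely, while the webadm entry gets both the sudo command restriction and the webadm_r:webadm_t context, which is the two-layer arrangement the reply recommends.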