(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated, I prefer to think in terms of two different roles.
> Login Roles, and Roles to execute in when you have privileges (i.e. root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.

The attached patch revises roles/dbadm.te (to be applied on the upstream reference policy). It uses userdom_base_user_template() instead of userdom_unpriv_user_template(), and should be launched via sudo/newrole. By default, it intends the dbadm_r role to be launched from the staff_r role.
What I did:

[root@saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
[root@saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
[root@saba ~]# semanage login -a -s ymj_u ymj
[root@saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers
[root@saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u \
               /etc/selinux/targeted/contexts/users/ymj_u
[root@saba ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
webadm_u        user       s0         s0                             webadm_r
xguest_u        user       s0         s0                             xguest_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r

[root@saba ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
ymj                       ymj_u                     s0

[root@saba ~]# ssh ymj@localhost
ymj@localhost's password:
Last login: Fri Apr  9 13:59:32 2010 from localhost
[ymj@saba ~]$ id -Z
ymj_u:staff_r:staff_t:s0
[ymj@saba ~]$ sudo service sepostgresql restart
Stopping sepostgresql service:                             [  OK  ]
Starting sepostgresql service:                             [  OK  ]
[ymj@saba ~]$ ps -AZ | grep sepostgres
ymj_u:system_r:postgresql_t:s0   1171 ?        00:00:01 sepostgres
ymj_u:system_r:postgresql_t:s0   1176 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1177 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1178 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1179 ?        00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0   1180 ?        00:00:00 sepostgres
[ymj@saba ~]$ newrole -r dbadm_r -t dbadm_t
Password:
[ymj@saba ~]$ psql postgres
psql (8.4.3, server 9.0alpha5)
WARNING: psql version 8.4, server version 9.0.
         Some psql features might not work.
Type "help" for help.

postgres=> SELECT sepgsql_getcon();
      sepgsql_getcon
--------------------------
 ymj_u:dbadm_r:dbadm_t:s0
(1 row)

postgres=> CREATE TABLE my_table (a int, b text);
CREATE TABLE
postgres=> SELECT * FROM my_table;
ERROR:  SELinux: security policy violation

> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
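A check worth running before the sudo/newrole step above: confirm that the Linux login actually maps to an SELinux user that carries the role named in the sudoers TYPE=/ROLE= entry (or in `newrole -r`), and audit which logins can reach the admin role at all. The following is an added example, not code from the original post or from the reference policy. It walks login -> SELinux user -> roles over the tables that `semanage login -l` and `semanage user -l` print; the two snapshots embedded in it are constructed from the session above (the user table trimmed to the relevant rows), and `load_live()` is an assumed helper for feeding in the real output on a host.

```python
"""Audit who can reach an SELinux admin role such as dbadm_r.

Added example, not code from the original post or the reference policy. It
walks Linux login -> SELinux user -> roles using the tables that
`semanage login -l` and `semanage user -l` print, then checks that a sudoers
rule's ROLE=/TYPE= names a role the login's SELinux user may actually hold.
The two snapshots below are constructed from the session in the post; on a
live host use load_live() instead.
"""
import re
import subprocess

# Constructed snapshot of `semanage login -l` (same rows as in the post).
SEMANAGE_LOGIN_L = """\
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
ymj                       ymj_u                     s0
"""

# Constructed snapshot of `semanage user -l`, trimmed to the rows that matter here.
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
ymj_u           user       s0         s0-s0:c0.c1023                 dbadm_r staff_r system_r
"""


def parse_logins(text):
    """Linux login -> (SELinux user, MLS/MCS range).
    Data rows have exactly three fields; the header and blank lines do not."""
    logins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            logins[parts[0]] = (parts[1], parts[2])
    return logins


def parse_seusers(text):
    """SELinux user -> {"range": ..., "roles": set(...)}.
    A data row carries a level (s0, s1, ...) in column 3; headers do not."""
    seusers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and re.fullmatch(r"s\d+", parts[2]):
            seusers[parts[0]] = {"range": parts[3], "roles": set(parts[4:])}
    return seusers


def roles_for_login(login, logins, seusers):
    """Roles a login may hold. Logins without an explicit mapping fall back to
    __default__, as the login/sshd seuser lookup does."""
    seuser, _ = logins.get(login, logins["__default__"])
    return seusers[seuser]["roles"]


def logins_that_can_reach(role, logins, seusers):
    """Every login whose SELinux user lists `role`. For an admin role such as
    dbadm_r this list is the one to keep short."""
    return sorted(login for login, (seuser, _) in logins.items()
                  if role in seusers.get(seuser, {}).get("roles", ()))


def check_sudoers_entry(entry, logins, seusers):
    """Validate ROLE=/TYPE= of a sudoers rule such as
    'ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service'.
    Returns (ok, reason). Only the role is checked against the seuser table;
    whether the type is permitted in that role needs the binary policy
    (setools' seinfo), which this offline check does not consult."""
    login = entry.split()[0]
    role = re.search(r"\bROLE=(\S+)", entry)
    type_ = re.search(r"\bTYPE=(\S+)", entry)
    if not role:
        return True, "no ROLE= in entry; nothing to check against the seuser table"
    allowed = roles_for_login(login, logins, seusers)
    if role.group(1) not in allowed:
        return False, "%s may only hold %s, not %s" % (login, sorted(allowed), role.group(1))
    return True, "%s may enter %s%s" % (login, role.group(1),
                                        ":" + type_.group(1) if type_ else "")


def load_live():
    """Assumed helper: run semanage on this host (root, policycoreutils).
    Not called by default so the module runs offline."""
    login_out = subprocess.check_output(["semanage", "login", "-l"], text=True)
    user_out = subprocess.check_output(["semanage", "user", "-l"], text=True)
    return parse_logins(login_out), parse_seusers(user_out)


if __name__ == "__main__":
    logins = parse_logins(SEMANAGE_LOGIN_L)
    seusers = parse_seusers(SEMANAGE_USER_L)
    print("can reach dbadm_r:", logins_that_can_reach("dbadm_r", logins, seusers))
    print(check_sudoers_entry(
        "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service",
        logins, seusers))
```

With the snapshot data only `ymj` can reach dbadm_r, and a sudoers line that named ROLE=sysadm_r for ymj would be flagged because ymj_u was created with `-R "dbadm_r staff_r system_r"` only; that is the error you otherwise only see when sudo fails to set the context at run time.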
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te index 055eda8..40e9827 100644 --- a/policy/modules/roles/dbadm.te +++ b/policy/modules/roles/dbadm.te @@ -1,33 +1,66 @@ -policy_module(dbadm, 1.0.0) +policy_module(dbadm, 2.0.0) ######################################## # # Declarations # +## <desc> +## <p> +## Allow dbadm to manage files in users home directories +## </p> +## </desc> +gen_tunable(dbadm_manage_user_files, false) + +## <desc> +## <p> +## Allow dbadm to read files in users home directories +## </p> +## </desc> +gen_tunable(dbadm_read_user_files, false) + role dbadm_r; -userdom_unpriv_user_template(dbadm) +userdom_base_user_template(dbadm) ######################################## # # database admin local policy # -optional_policy(` - mysql_admin(dbadm_t, dbadm_r) +allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; + +files_dontaudit_search_all_dirs(dbadm_t) +files_manage_generic_locks(dbadm_t) +files_list_var(dbadm_t) + +selinux_get_enforce_mode(dbadm_t) +seutil_domtrans_setfiles(dbadm_t) + +logging_send_syslog_msg(dbadm_t) + +userdom_dontaudit_search_user_home_dirs(dbadm_t) + +tunable_policy(`dbadm_manage_user_files',` + userdom_manage_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) + userdom_write_user_tmp_files(dbadm_t) +') + +tunable_policy(`dbadm_read_user_files',` + userdom_read_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) ') optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) + mysql_admin(dbadm_t, dbadm_r) ') -# For starting up daemon processes optional_policy(` - su_role_template(dbadm, dbadm_r, dbadm_t) + postgresql_admin(dbadm_t, dbadm_r) ') optional_policy(` - sudo_role_template(dbadm, dbadm_r, dbadm_t) + staff_role_change_to(dbadm_r) ')
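Review bot: the unconditional `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` at the top of the local-policy section carries no comment saying what needs each capability, and dac_override together with sys_ptrace is a lot to hand a role that the description says is entered from staff_r only for database work; if they are there for reading database files owned by the postgres/mysql accounts and inspecting their processes, say so in a comment, and consider putting sys_ptrace behind its own tunable the way home-directory access is. Two smaller points in the same hunk: the <desc> of `dbadm_manage_user_files` says only "manage files in users home directories", but the tunable also grants `userdom_read_user_tmp_files` and `userdom_write_user_tmp_files`, and `dbadm_read_user_files` likewise reads user tmp files, so both descriptions should mention tmp; and dropping the `su_role_template`/`sudo_role_template` blocks means dbadm_r can no longer escalate on its own, which matches the stated intent (enter it from staff_r via sudo/newrole, hence the new `staff_role_change_to(dbadm_r)`) but deserves a line in the module comment so the 1.0.0 to 2.0.0 bump explains itself.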