On 09/03/2013 02:28 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We need to constrain a tomcat escalated root user from executing "useradd"
> and "semanage" commands on RHEL6.
>
> Can we add a SELinux constraint policy to achieve the same?
>
> A tomcat escalated root user (i.e. when a "tomcat" user escalates to the
> "root" user on the system) has the following security context
>
> uid=0(*root*) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=system_u:system_r:*tomcatd_t*:SystemLow-SystemHigh
>
> The logic of this constraint should be as follows..
>
> If id="root" and source type="tomcatd_t"
>
> Then disallow domain transition to both "useradd_/exec_t" as well as
> "semanage_/exec_t"
>
> 1. Is this something doable through an SELinux constraint policy.
> 2. If so what should be the syntax of the policy.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

This is a type enforcement issue not a constraint issue. tomcatd can be prevented from running useradd_t regardless of its UID, and more importantly should not be allowed to write /etc/passwd (etc_t) or /etc/shadow (shadow_t). No constraint needed to do this. Just don't allow t to write etc_t and shadow_t.
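As an added check that is not part of the thread: the reply's point is that the question is answered by the allow and type_transition rules the loaded policy already contains, so the first step is to audit those rules for tomcatd_t. The script below parses sesearch-style rule lines (the embedded sample is constructed, not the real RHEL6 policy; feeding it `sesearch -A -T -s tomcatd_t` output on stdin is an assumption about that tool's output format) and flags any rule that lets tomcatd_t modify etc_t or shadow_t, or transition into useradd_t or semanage_t.

```python
import re
import sys

# Constructed sample in sesearch-style output (not the real RHEL6 policy);
# assumed usage on a real host: sesearch -A -T -s tomcatd_t | python audit.py
SAMPLE_RULES = """\
allow tomcatd_t etc_t : file { ioctl read getattr lock open } ;
allow tomcatd_t shadow_t : file { read write } ;
allow tomcatd_t useradd_exec_t : file { execute } ;
type_transition tomcatd_t useradd_exec_t : process useradd_t;
allow httpd_t etc_t:file { getattr open read };
"""

# Matches both the "src tgt : cls { perms } ;" (setools 3) and the
# "src tgt:cls { perms };" (setools 4) spellings of allow/type_transition rules.
RULE_RE = re.compile(
    r"^\s*(allow|type_transition)\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+"
    r"(?:\{\s*([^}]*)\}|(\S+?))\s*;?\s*$"
)
# Permissions that let a domain modify a file or directory of the target type.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

def parse_rule(line):
    """Return a dict for one allow/type_transition line, or None if unparsable."""
    m = RULE_RE.match(line)
    if not m:
        return None
    kind, src, tgt, cls, braced, single = m.groups()
    perms = braced.split() if braced is not None else [single]
    return {"kind": kind, "source": src, "target": tgt, "class": cls, "perms": perms}

def audit_rules(text, domain="tomcatd_t", sensitive=("etc_t", "shadow_t"),
                forbidden=("useradd_t", "semanage_t")):
    """Flag rules letting `domain` modify sensitive types or enter forbidden domains."""
    findings = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None or r["source"] != domain:
            continue
        if (r["kind"] == "allow" and r["target"] in sensitive
                and r["class"] in ("file", "dir") and WRITE_PERMS & set(r["perms"])):
            findings.append(("write", r["target"], r["class"],
                             sorted(WRITE_PERMS & set(r["perms"]))))
        if (r["kind"] == "type_transition" and r["class"] == "process"
                and r["perms"][0] in forbidden):
            findings.append(("transition", r["perms"][0], r["target"]))
    return findings

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for f in audit_rules(text):
        print("FINDING:", *f)
```

Each finding names a rule that would have to be absent from the policy for the reply's approach to hold; an empty result for tomcatd_t means neither a write path to etc_t/shadow_t nor an automatic transition into useradd_t/semanage_t is granted.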