Re: [PATCH] selinux: policycoreutils: sepolicy: seisolate feature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 15, 2013 at 11:52:22AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 10/15/2013 09:49 AM, Leonidas S. Barbosa wrote:
> > 
> > This feature enable the user to create a SEuser adm based on SElinux adm
> > role and link a LOGIN against it (seisolate: Isolate admin), that way
> > complementing sepolicy adm roles create.
> > 
> > 
> Comments inside.
> 
> Also need a man page and an update to sepolicy_bash_completion.sh
> 
> > 
> > 
> > diff --git a/policycoreutils/sepolicy/sepolicy.py
> > b/policycoreutils/sepolicy/sepolicy.py index b25d3b2..0380604 100755 ---
> > a/policycoreutils/sepolicy/sepolicy.py +++
> > b/policycoreutils/sepolicy/sepolicy.py @@ -446,6 +446,27 @@ def
> > gen_generate_args(parser): help=_("Generate Policy for %s") %
> > poltype[XUSER]) pol.set_defaults(func=generate)
> > 
> > +# Will create a SElinux adm user or (as defined here) a Isolate adm. +def
> > isolateadm(args): +    from sepolicy  import seisolate + +    if
> > args.adminrole and args.login: +
> > seisolate.create_user(args.adminrole, args.login) +
> > seisolate.link(args.adminrole, args.login) + + +def
> > gen_isolateadm_args(parser): +    isoadm = parser.add_parser("isolateadm", 
> > +                               help=_("Create a link beteween LOGIN and
> > SEadm user"))
> No crazy about name.
> 
> sepolicy isolateadm
> 
> versus
> 
> sepolicy admin
> 
> Also not sure what the end goal of this is.  Do we want this command to be
> able to just create a mapping between an existing admin role and a login user?
>  Or should it be able to create a new admin rule and connect everything up?
> 
> sepolicy admin -l dwalsh -a dbadm_r dbadmin_u
> 
The final goal is to link and use the adm_roles created by sepolicy
via generate admin_user (and those adm roles already exists) with UNIX login. 
So sepolicy admin, create SElinux admin_user based on admin_role and link. 
Having any login acts as dbadm, logadm, etc.


Not sure if I understood, by a new admin rule  you mean a policy .te
module that defines this new one? 
> Currently you have
> 
> Do we want to allow Add/Modify/Delete?
> 
Yes.
> I think you should allow specification of the command that you will run as
> root.  Default to /bin/bash but allow user to override this.
> 
> sepolicy admin -e /bin/myscript -l dwalsh ...
> 
So, commands like chmod, to create a new sudoers.d/file and so on by a
extern command, is it? 

> > +    isoadm.add_argument("-a", "--adminrole", dest="adminrole", +
> > action="store", required=True, +                        help=_("Receive an
> > admin role name"))
> Should this be the primary key and not require a qualifier?  It might be
> better to use "-r" so I can get -a for add?
What you call a qualifier? 
-r seems ok for me.
> > +    isoadm.add_argument("-l", "--login", dest="login", +
> > action="store", required=True, +                        help=_("Receive a
> > LOGIN to create the SEadm user"))
> 
> > +    isoadm.set_defaults(func=isolateadm) + + if __name__ == '__main__': 
> > parser = argparse.ArgumentParser(description='SELinux Policy Inspection
> > Tool') subparsers = parser.add_subparsers(help=_("commands")) @@ -459,6
> > +480,7 @@ if __name__ == '__main__': gen_manpage_args(subparsers) 
> > gen_network_args(subparsers) gen_transition_args(subparsers) +
> > gen_isolateadm_args(subparsers)
> > 
> > try: args = parser.parse_args() diff --git
> > a/policycoreutils/sepolicy/sepolicy/seisolate.py
> > b/policycoreutils/sepolicy/sepolicy/seisolate.py index e69de29..f9be58a
> > 100644 --- a/policycoreutils/sepolicy/sepolicy/seisolate.py +++
> > b/policycoreutils/sepolicy/sepolicy/seisolate.py @@ -0,0 +1,62 @@ +#!
> > /usr/bin/python -Es + +import sys +import seobject +import sepolicy + +from
> > shutil import copy2 +from os import chmod as set_permissions + +# PATH to
> > staff_u that will be base to new users created. +STAFF_U = "staff_u" 
> > +COMMON_PATH = "/etc/selinux/targeted/contexts/users/" +
> You should get this from import.selinux  Do not want to hard code "targeted",
> so I can use your tool for other policies.
Thanks, fixed.
> > +# These are constants used to create SEADM user to a Isolate Admin
> > environment. +SELEVEL = "s0" +PREFIX = "user" +SERANGE = "s0-s0:c0.c1023" 
> > +
> Ditto.  We need a mechanism to get this from the policy. MLS max is
> s0-s15:c0.c1023
> 
> > +SUDOERS_PATH = "/etc/sudoers.d/" +SUDOERS_ENTRY = "%s ALL=(ALL) ROLE=%s
> > TYPE=%s ALL" +
> See command above.
> 
> SUDOERS_ENTRY = "%s ALL=(ALL) ROLE=%s TYPE=%s %s"
> 
> Default -e to be ALL
> > +# Initialize adm roles list. +ADM_ROLES = [adm_r for adm_r in
> > sepolicy.get_all_roles() if (adm_r[:-2]). +             endswith('adm')]
> We have got to get this into policy as an attribute.  Since this is by
> convention right now.
> 
Yep, that what I looked for and did not find another way to grab other
than that.

> > +# Initialize a dictionary of se_adm_users with adm_role as key. +ADM_USERS
> > = {key: 'se_'+key[:-2]+'_u' for key in ADM_ROLES} + +
>  print ADM_USERS
> {'auditadm_r': 'se_auditadm_u', 'logadm_r': 'se_logadm_u', 'webadm_r':
> 'se_webadm_u', 'sysadm_r': 'se_sysadm_u', 'secadm_r': 'se_secadm_u',
> 'dbadm_r': 'se_dbadm_u'}
> 
> Is this what you entended?
It was about have always an adm_role associate with its selinux_user, without
have to check get_user_list() all the time and string check to see if it already
exists.

> > +store = ""
> Should have this passed in from command line.
> > +__create_user = seobject.seluserRecords(store) +__create_link =
> > seobject.loginRecords(store) + + +def create_user(adm_role, login): +
> > import pwd +    try: +        pwd.getpwnam(login) +    except KeyError: +
> > print("User/Login %s doesn't exist" % login) +        sys.exit(1)
> Could do this check at the option parsing, but I guess it is alright here.
> > + +    seadm_user = ADM_USERS[adm_role] +    roles = "staff_r {role1}
> > {role2}".format(role1=adm_role, +            role2="system_r" if adm_role
> > == "sysadm_r" else "") + +    if not seadm_user in
> > sepolicy.get_all_users(): +        __create_user.add(seadm_user,
> > roles.split(), SELEVEL, +                          SERANGE, PREFIX) +
> > copy2(COMMON_PATH+STAFF_U, COMMON_PATH+seadm_user) + + +def
> > create_link(adm_role, login): +    seadm_user = ADM_USERS[adm_role] +
> > adm_domain = adm_role.replace("_r", "_t") + +    if seadm_user in
> > sepolicy.get_all_users(): +        __create_link.add(login, seadm_user,
> > SERANGE) + +        with open(SUDOERS_PATH+login, 'w') as f: +
> > f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain))
> Shouldn't this be for append?   Or throw exception if it exists?
I believe just write and throw exception if it exists.
> > + +        set_permissions(SUDOERS_PATH+login, 0440)
> > 
> > 
> > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.15 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlJdZLYACgkQrlYvE4MpobMqdACbBQTweM7v2xI4SV1ncZ72TKLJ
> xvQAn3Yesy7mRhj+FTQ5jniP6UR6xlzp
> =YXr3
> -----END PGP SIGNATURE-----
> 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux