Re: [PATCH 1/5] adding seadmin support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 07, 2013 at 06:37:58PM +0100, Dominick Grift wrote:
> On Thu, 2013-11-07 at 13:21 -0200, Leonidas Da Silva Barbosa wrote:
> > Signed-off-by: Leonidas Da Silva Barbosa <leosilva@xxxxxxxxxxxxxxxxxx>
> 
> I am not for this solution but for the sake of argument you will find
> enclosed in-line some comments.
> 
Grift, thanks for your comments.  

> The idea is nice, but a admin could script this up in a heartbeat
>
I agree, but the idea is make this more visible. Today we know we have
admin role, but to reach that some steps are need. Put into in a tool give
some highlight to the use of admin roles and user admins IMHO.

> > ---
> >  policycoreutils/sepolicy/sepolicy/seadmin.py | 83 ++++++++++++++++++++++++++++
> >  1 file changed, 83 insertions(+)
> >  create mode 100644 policycoreutils/sepolicy/sepolicy/seadmin.py
> > 
> > diff --git a/policycoreutils/sepolicy/sepolicy/seadmin.py b/policycoreutils/sepolicy/sepolicy/seadmin.py
> > new file mode 100644
> > index 0000000..96cab8a
> > --- /dev/null
> > +++ b/policycoreutils/sepolicy/sepolicy/seadmin.py
> > @@ -0,0 +1,83 @@
> > +#! /usr/bin/python -Es
> > +
> > +import os
> > +import sys
> > +import selinux
> > +import seobject
> > +import sepolicy
> > +
> > +from shutil import copy2
> > +from os import chmod as set_permissions
> > +from selinux import selinux_user_contexts_path, selinux_policy_root
> > +
> > +# PATH to staff_u that will be base to new users created.
> > +STAFF_U = "staff_u"
> 
> this is very generic and inflexible in my opinion. I would probably have
> implemented a configuration file where admin can set
> "default_admin_selinux_identity=", and additionally a
> admin_selinux_identity option to override the default
> 
The idea was really to have only staff as start point, once staff_r is
already a isolate domain.  
> hard coding this to staff_u is asking for problems in my view
> 
> because lets say you want to create two admins webadm, and mailadm. If
> you use staff_u id for both then you have a problem. because staff_u is
> then associated with both the webadm_r, as well as the mailadm_r role
> 
> So how are you going to specify then that joe is associated with webadm.
> and jane is associated with mailadm?
This work via sudo and also via link between LOGIN and the create
SELInux admin user. So, Joe can transit to webadm from
staff_u:staff_r:staff_t, to se_webadm_u:webadm_r:webadm_t.
I'm not sure if it was your point, please, let me know more about your
thoughts on that.

> 
> > +COMMON_PATH = selinux_user_contexts_path()
> > +
> > +# These are constants used to create SEADM user to an Isolate Admin environment.
> > +SELEVEL = "s0"
> > +PREFIX = "user"
> > +SERANGE = "s0-s0:c0.c1023"
> 
> not sure about level, and range. I would probably implement this in a
> config file as well (just like above with default_admin_login_identity)
> and i would probably use SystemLow for default level, and
> SystemLow-SystemHigh for default range because if i am correct that
> might be expanded properly, even if you have the mls policy model loaded
> 
Seems reasonable to have a config file to this.
> hardcoding this in the way you do is asking for problem in my view
> 
> > +
> > +SUDOERS_PATH = "/etc/sudoers.d/"
> > +SUDOERS_ENTRY = "\n%s ALL=(ALL) ROLE=%s TYPE=%s %s"
> 
> I would probably deal with the ALL=(ALL) better
> by default it should probably be $HOSTNAME=(root), maybe that could be
> implemented in a config file as well, and then a option to override the
> defaults. ALL=(ALL) is a bit too generic in my view
> 

Yes, I agree, I just did not want have one more config file into selinux
stuffs. But, seems reasonable.


Thanks!


> > +
> > +# Initialize adm roles list.
> > +ADM_ROLES = [adm_r for adm_r in sepolicy.get_all_roles() if (adm_r[:-2]).
> > +             endswith('adm')]
> > +# Initialize a dictionary of se_adm_users with adm_role as key.
> > +ADM_USERS = {key: 'se_'+key[:-2]+'_u' for key in ADM_ROLES}
> > +
> > +__user = seobject.seluserRecords()
> > +__link = seobject.loginRecords()
> > +
> > +
> > +def create_user(adm_role, login, user=None):
> > +    import pwd
> > +    try:
> > +        pwd.getpwnam(login)
> > +    except KeyError:
> > +        print("User/Login %s doesn't exist" % login)
> > +        sys.exit(1)
> > +
> > +    if adm_role in ADM_ROLES:
> > +        seadm_user = ADM_USERS[adm_role] if not user else user
> > +        roles = "staff_r {role1} {role2}".format(role1=adm_role,
> > +                role2="system_r" if adm_role == "sysadm_r" else "")
> > +
> > +        if not seadm_user in sepolicy.get_all_users():
> > +            __user.add(seadm_user, roles.split(), SELEVEL,
> > +                       SERANGE, PREFIX)
> > +            copy2(COMMON_PATH+STAFF_U, COMMON_PATH+seadm_user)
> > +    else:
> > +        print("%s is not an ADM_ROLE" % adm_role)
> > +        sys.exit(1)
> > +
> > +
> > +def modify_user(seadm_user, roles):
> > +    if seadm_user in sepolicy.get_all_users():
> > +        __user.modify(seadm_user, roles.split(), SELEVEL,
> > +                      SERANGE, PREFIX)
> > +    else:
> > +        print("SELinux user not found")
> > +        sys.exit(1)
> > +
> > +# sepolicy admin -d -user se_auditadm_u -login leosilva
> > +def delete_user(seadm_user, login):
> > +    if seadm_user in sepolicy.get_all_users():
> > +        __link.delete(login)
> > +        __user.delete(seadm_user)
> > +    
> > +    else:
> > +        print("SELinux user not found")
> > +
> > +
> > +def create_link(adm_role, login, commands, user=None):
> > +    seadm_user = ADM_USERS[adm_role] if not user else user
> > +    adm_domain = adm_role.replace("_r", "_t")
> > +
> > +    __link.add(login, seadm_user, SERANGE)
> > +    with open(SUDOERS_PATH+login, 'a') as f:
> > +        f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain, commands))
> > +
> > +    set_permissions(SUDOERS_PATH+login, 0440)
> 
> 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux