On Fri, 2013-11-08 at 14:35 -0200, Leonidas Da Silva Barbosa wrote: > On Fri, Nov 08, 2013 at 02:07:14PM +0100, Dominick Grift wrote: > > On Fri, 2013-11-08 at 09:28 -0200, Leonidas Da Silva Barbosa wrote: > > > > > > > > > The idea is nice, but an admin could script this up in a heartbeat > > > > > > > I agree, but the idea is to make this more visible. Today we know we have > > > admin roles, but to reach them some steps are needed. Putting it into a tool gives > > > some visibility to the use of admin roles and admin users, IMHO. > > > > There are probably more effective ways to make it visible > > > > I can agree, but it's also about having a tool / supporting it. Anyway, I'm > trying to understand whether it is a good idea to keep up this effort to > support it or not. I still believe it is a good approach to support admin role > creation, and also to implement an 'isolated admins' environment, but I'm > totally open to thoughts and ideas about why not to put it in, or better > approaches to putting it in. > I wrote a simple bash script that creates SELinux confined admins. I didn't bother to add any sanity checking or call commands with full paths or anything like that.
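#!/bin/bash
#
# Generate an SELinux confined administrator.
#
# Produces, in the current directory:
#   <user>.te          policy module: login domain, optional su/sudo role
#                      templates, an admin role holding the chosen *_admin()
#                      interfaces, and the gen_user() statement
#   <user>_u           default-contexts file for the new SELinux user
#   <user>_setup.sh    root-only installer (semodule, contexts, useradd,
#                      semanage login, optional /etc/sudoers.d entry)
#   <user>_remove.sh   root-only undo of the above
#
# Usage:
#   gen-confined-admin -u USER -r ROLE -i IFACE[,IFACE...] [--su] [--sudo] [--gui]
#   gen-confined-admin -l        list usable interface prefixes
#
# Every prefix is validated before anything is written: prefixes end up as
# SELinux identifiers, a login name, output file names and an
# /etc/sudoers.d file name, so they are restricted to [a-z][a-z0-9_]*.
# Requires the refpolicy development headers (selinux-policy-devel) to list
# and compile against. Toy from a mailing-list thread: review the generated
# files before running the setup script as root.

set -o nounset

declare -rx SCRIPT=${0##*/}
declare -r REFPOLICY_INCLUDE=/usr/share/selinux/devel/include
declare -r EXIT_USAGE=192

USER_PREFIX=""
ROLE_PREFIX=""
INTERFACE_PREFIX=""
SU=""
SUDO=""
GUI=""

#######################################
# Print a diagnostic to stderr and exit with the script's usage status.
# Arguments: $* - message
#######################################
die() {
  printf '%s: %s\n' "$SCRIPT" "$*" >&2
  exit "$EXIT_USAGE"
}

#######################################
# Accept only a conservative identifier: a lowercase letter followed by
# lowercase letters, digits or underscores, at most 32 characters (the
# usual useradd limit). This rejects path separators, whitespace, m4
# quotes, and the '.' / '~' that make sudo ignore a sudoers.d file.
# Arguments: $1 - candidate prefix
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_prefix() {
  [[ $1 =~ ^[a-z][a-z0-9_]{0,31}$ ]]
}

#######################################
# List the refpolicy modules that provide a <module>_admin() interface,
# one prefix per line, deduplicated. Matches both interface(` and
# template(` declarations and keeps underscores inside the module name
# (the original split on '_' and would have truncated such names).
# Outputs:   prefixes on stdout
#######################################
interface_prefixes() {
  grep -rh "_admin',\`" "$REFPOLICY_INCLUDE" \
    | sed -n "s/.*(\`\([a-z0-9_]*\)_admin',.*/\1/p" \
    | sort -u
}

#######################################
# Print the help text.
#######################################
usage() {
  cat <<EOF
$SCRIPT - Generate SELinux confined administrators

-h | --help                          Display this help message
-l | --list                          List service interface prefixes
-r | --role ROLE_PREFIX              Role prefix (admin role ROLE_PREFIX_r)
-u | --user USER_PREFIX              User prefix (login name, SELinux user, output files)
-i | --interface PREFIX[,PREFIX...]  Service interface prefix(es); see --list

--su                                 Enable su for the user
--sudo                               Enable sudo for the user (installs /etc/sudoers.d/USER_PREFIX)
--gui                                Use the unprivileged (GUI-capable) user template
EOF
}

#######################################
# Start <user>.te: module header plus the login-domain template.
# Arguments: $1 - user prefix; $2 - non-empty to select the GUI-capable
#            userdom_unpriv_user_template instead of the restricted one
#######################################
emit_user_domain() {
  local template=userdom_restricted_user_template
  [[ -n $2 ]] && template=userdom_unpriv_user_template
  cat > "$1.te" <<EOF
policy_module($1, 1.0.0)
$template($1)
EOF
}

#######################################
# Append the sudo and/or su role templates to <user>.te.
# The two templates take (prefix, role, domain) and (prefix, domain, role)
# respectively in refpolicy; the argument order below is deliberate.
# Arguments: $1 - user prefix; $2 - "SUDO" or empty; $3 - "SU" or empty
#######################################
emit_priv_escalation() {
  if [[ $2 == SUDO ]]; then
    cat >> "$1.te" <<EOF
sudo_role_template($1, ${1}_r, ${1}_t)
EOF
  fi
  if [[ $3 == SU ]]; then
    cat >> "$1.te" <<EOF
su_role_template($1, ${1}_t, ${1}_r)
seutils_run_newrole(${1}_t, ${1}_r)
EOF
  fi
}

#######################################
# Append the admin role, the service admin interfaces and the SELinux user
# declaration to <user>.te.
# Arguments: $1 - user prefix; $2 - role prefix; $3.. - interface prefixes
#######################################
emit_admin_role() {
  local user=$1 role=$2 iface
  shift 2
  cat >> "$user.te" <<EOF
userdom_base_user_template($role)
allow ${user}_r ${role}_r;
EOF
  # The *_admin() rights are granted to the role's domain (${role}_t), not
  # to the login domain; the login role can reach ${role}_r through the
  # role allow above.
  for iface in "$@"; do
    cat >> "$user.te" <<EOF
optional_policy(\`
	${iface}_admin(${role}_t, ${role}_r)
')
EOF
  done
  cat >> "$user.te" <<EOF
gen_user(${user}_u, user, ${user}_r ${role}_r, s0, s0 - mls_systemhigh, mcs_allcats)
EOF
}

#######################################
# Write the default-contexts file <user>_u: the context a login through
# local_login_t, sshd_t (and xdm_t for GUI users) lands in, plus the
# default context used when coming from the su/sudo helper domains.
# Arguments: $1 - user prefix; $2 - GUI flag; $3 - SUDO flag; $4 - SU flag
#######################################
emit_default_contexts() {
  local user=$1 ctx="${1}_r:${1}_t:s0"
  cat > "${user}_u" <<EOF
$ctx $ctx
system_r:local_login_t:s0 $ctx
system_r:sshd_t:s0 $ctx
EOF
  [[ -n $2 ]] && printf '%s\n' "system_r:xdm_t:s0 $ctx" >> "${user}_u"
  [[ $3 == SUDO ]] && printf '%s\n' "${user}_r:${user}_sudo_t:s0 $ctx" >> "${user}_u"
  [[ $4 == SU ]] && printf '%s\n' "${user}_r:${user}_su_t:s0 $ctx" >> "${user}_u"
  return 0
}

#######################################
# Write <user>_setup.sh, a root-only installer for the generated files.
# In the heredocs an unescaped $ expands now (generation time) and \$ is
# left for the target host at run time.
# Arguments: $1 - user prefix; $2 - SUDO flag
#######################################
emit_setup_script() {
  local user=$1 script="${1}_setup.sh"
  cat > "$script" <<EOF
#!/bin/bash
set -euo pipefail

if [[ \$(id -u) -ne 0 ]]; then
  printf '%s\n' "This needs root" >&2
  exit 192
fi

# Install into the policy store the host actually uses (targeted, mls, ...),
# falling back to "targeted".
selinuxtype=\$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null || true)
selinuxtype=\${selinuxtype:-targeted}

printf '%s\n' "Compiling '$user.pp' from '$user.te'"
make -f /usr/share/selinux/devel/Makefile $user.pp

printf '%s\n' "Installing '$user.pp'"
semodule -i $user.pp

printf '%s\n' "Copying '${user}_u' to '/etc/selinux/\$selinuxtype/contexts/users/'"
install -m 0644 ${user}_u /etc/selinux/\$selinuxtype/contexts/users/

# The account is created without a password; set one or install SSH keys
# before expecting to log in as it.
printf '%s\n' "Adding a new user called '$user'"
useradd $user

printf '%s\n' "Associating '$user' with '${user}_u'"
semanage login -a -s ${user}_u -r s0 $user
EOF
  if [[ $2 == SUDO ]]; then
    cat >> "$script" <<EOF

printf '%s\n' "Setting up sudo for '$user'"
tmp=\$(mktemp)
trap 'rm -f "\$tmp"' EXIT
printf '%s\n' "$user \$HOSTNAME=(root) ALL" > "\$tmp"
# A syntax error in sudoers.d breaks sudo for everyone; check before installing.
visudo -cf "\$tmp"
install -m 0440 -o root -g root "\$tmp" /etc/sudoers.d/$user
EOF
  fi
  chmod +x "$script"
}

#######################################
# Write <user>_remove.sh, the root-only undo of <user>_setup.sh. The steps
# are independent (no set -e) so a partial install can still be cleaned up.
# Arguments: $1 - user prefix; $2 - SUDO flag
#######################################
emit_remove_script() {
  local user=$1 script="${1}_remove.sh"
  cat > "$script" <<EOF
#!/bin/bash

if [[ \$(id -u) -ne 0 ]]; then
  printf '%s\n' "This needs root" >&2
  exit 192
fi

selinuxtype=\$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null || true)
selinuxtype=\${selinuxtype:-targeted}

printf '%s\n' "Removing association of '$user' with '${user}_u'"
semanage login -d $user

printf '%s\n' "Removing user '$user' and its home directory"
userdel -r $user

printf '%s\n' "Uninstalling the '$user' module"
semodule -r $user

printf '%s\n' "Removing '/etc/selinux/\$selinuxtype/contexts/users/${user}_u'"
rm -f /etc/selinux/\$selinuxtype/contexts/users/${user}_u
EOF
  if [[ $2 == SUDO ]]; then
    cat >> "$script" <<EOF

printf '%s\n' "Removing '/etc/sudoers.d/$user'"
rm -f /etc/sudoers.d/$user
EOF
  fi
  chmod +x "$script"
}

#######################################
# Parse arguments, validate every input, then generate the files.
# Nothing is written until all checks have passed, so a rejected input
# never leaves a partial <user>.te behind.
# Arguments: the command line
# Returns:   192 when called without arguments (the script's exit status)
#######################################
main() {
  if (( $# == 0 )); then
    printf '%s\n' "Type --help for help."
    return "$EXIT_USAGE"
  fi

  while (( $# > 0 )); do
    case $1 in
      -h|--help) usage; exit 0 ;;
      -l|--list) interface_prefixes; exit 0 ;;
      -r|--role)
        (( $# > 1 )) || die "Role prefix is missing"
        ROLE_PREFIX=$2; shift ;;
      -u|--user)
        (( $# > 1 )) || die "User prefix is missing"
        USER_PREFIX=$2; shift ;;
      -i|--interface)
        (( $# > 1 )) || die "Interface prefix is missing"
        INTERFACE_PREFIX=$2; shift ;;
      --su) SU=SU ;;
      --sudo) SUDO=SUDO ;;
      --gui) GUI=GUI ;;
      -*) die "switch $1 not supported" ;;
      *) die "extra argument or missing switch" ;;
    esac
    shift
  done

  [[ -n $ROLE_PREFIX ]] || die "Role prefix missing"
  [[ -n $USER_PREFIX ]] || die "User prefix missing"
  [[ -n $INTERFACE_PREFIX ]] || die "Interface prefix missing"

  valid_prefix "$USER_PREFIX" || die "User prefix '$USER_PREFIX' must match [a-z][a-z0-9_]{0,31}"
  valid_prefix "$ROLE_PREFIX" || die "Role prefix '$ROLE_PREFIX' must match [a-z][a-z0-9_]{0,31}"
  # Both user templates declare <prefix>_t; identical prefixes would
  # declare the same type twice in one module.
  [[ $USER_PREFIX != "$ROLE_PREFIX" ]] || die "User and role prefixes must differ"

  local -a interfaces=()
  IFS=, read -r -a interfaces <<< "$INTERFACE_PREFIX"

  [[ -d $REFPOLICY_INCLUDE ]] || die "$REFPOLICY_INCLUDE not found; install the policy development headers"

  # Resolve the available interfaces once and require an exact match, so
  # "http" cannot pass as a substring of "httpd" and end up as a
  # non-existent http_admin() call in the module.
  local available iface
  available=$(interface_prefixes)
  for iface in "${interfaces[@]}"; do
    valid_prefix "$iface" || die "Interface prefix '$iface' must match [a-z][a-z0-9_]{0,31}"
    grep -qxF -- "$iface" <<< "$available" || die "Interface prefix '$iface' unavailable"
  done

  emit_user_domain "$USER_PREFIX" "$GUI"
  emit_priv_escalation "$USER_PREFIX" "$SUDO" "$SU"
  emit_admin_role "$USER_PREFIX" "$ROLE_PREFIX" "${interfaces[@]}"
  emit_default_contexts "$USER_PREFIX" "$GUI" "$SUDO" "$SU"
  emit_setup_script "$USER_PREFIX" "$SUDO"
  emit_remove_script "$USER_PREFIX" "$SUDO"
}

main "$@"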