AW: WG: Adoption to Ref-Policy sysadm_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, config/SELinux is in MLS mode. Currently running with my self compiled one.

 

I know that it is not possible to really stop such an admin, I want to make it more difficult to attack the system. It also shouldn’t be possible to change file contexts (from a special directory), but that would be the next step…

 

Do you have any hints where to search for those rules (discussed before) or why do they get generated even if I comment out the rules in sysadm.te?

 

I commented out the following entries in sysadm.te

 

#optional_policy(`

#       secadm_role_change(sysadm_r)

#')

 

#optional_policy(`

#       seutil_run_setfiles(sysadm_t, sysadm_r)

#       seutil_run_runinit(sysadm_t, sysadm_r)

#')

 

That are the most appropriate entries…

 

Thanks!

 

Von: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Gesendet: Montag, 31. März 2014 20:19
An: Philipp; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Betreff: Re: WG: Adoption to Ref-Policy sysadm_t

 

Yes that separation is more used in MLS Mdde. 

Is SELinux config files in MLS Mode.

But if you are trying to stop an evil admin, I believe you will not be able to get it done.  Removing sysadm privs is kind of difficult and backwards.  You really want to define what an admin can do, rather then can't.

On 03/31/2014 11:04 AM, Philipp wrote:

 

Already tried that, but then the user isn’t able to open e.g the /var/log/audit/audit.log. This is also mentioned in the sysadm_secadm.te file.

 

logging_manage_audit_log(sysadm_t)

logging_manage_audit_config(sysadm_t)

logging_run_auditctl(sysadm_t, sysadm_r)

logging_stream_connect_syslog(sysadm_t)

 

 

The user is still able to read/write SELinux config files…

 

Von: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Gesendet: Montag, 31. März 2014 16:59
An: Philipp; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Betreff: Re: Adoption to Ref-Policy sysadm_t

 

Does disabling sysadm_secadm package give you the separation you need.

semodule -d sysadm_secadm

On 03/31/2014 09:22 AM, Philipp wrote:

Hi all,

 

I am trying to adopt the reference policy in a way that the sysadm_t domain isn’t able to open SELinux configuration files or run any related binaries like semange. My approach was to edit the sysadm.te file and uncomment the related lines in there. Thus far, I haven’t found the right entries:

 

I looked up with sesearch for the following lines:

 

sesearch --all -s sysadm_t -t selinux_config_t |

 

Output:

 

allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;

   allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;

   allow sysadm_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;

   allow sysadm_t non_security_file_type : chr_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : blk_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : sock_file { getattr relabelfrom relabelto } ;

   allow sysadm_t non_security_file_type : fifo_file { getattr relabelfrom relabelto } ;

   allow sysadm_t file_type : filesystem getattr ;

   allow sysadm_usertype file_type : filesystem getattr ;

   allow sysadm_t selinux_config_t : dir { getattr search open } ;

   allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;

   allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;

   allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;

 

 

I thought that there must be some entries corresponding the last few lines, but as already mentioned I haven’t found any in the rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm* files.

 

What I am doing wrong or where do I have to change something?

 

Thank you in advance!




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

 




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux