Re: RHEL 6 Confined Users Running Third-Party Services

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

In a PaaS environment where service administrators are confined using RBACs on RHEL 6, how should third-party services be supported at scale?

Allowing a confined user to execute any arbitrary executable that transitions to system_r:unconfined_t would make breaking out of the user’s confinement trivial. In this way, executenotrans seems to be the best approach (assuming the service administrator role isn’t too restrictive), but on boot the default inirc_exec_t service script label would cause the service to run in the unconfined initrc_t domain, whereas if the service was started by the user it would be in the service administrator’s domain, leading to inconsistent application of policy.

The init_labeled_script_domtrans macro could be used to allow the service administrator role to use initrc_exec_t labelled service scripts, but that would allow service administrators to start/stop a number of managed system services. Furthermore, if the user started their service manually (ie. not via the service script), it too would lead to the same inconsistent application of policy as noted above.

These issues are resolved in RHEL 7 with the use of systemd?

Your thoughts would be much appreciated.

Thanks,
Doug
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux