Andy Warner wrote:
>
> Andy Warner wrote:
>>
>> Justin Mattock wrote:
>>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@xxxxxxxxx> wrote:
>>>
>>>> I am using Fedora 9 with the MLS policy. I have been using it in permissive
>>>> mode for a while (integrating SELinux with a DBMS and its objects) and now
>>>> must do some work/testing in enforcing mode. As soon as I switch to
>>>> enforcing mode I seem unable to perform any action which requires privilege.
>>>>
>>>> What is the anticipated method to shutdown/reboot the system and to toggle
>>>> the enforcing mode while in MLS/Enforcing? What I assumed was to transition
>>>> to an appropriate role (sysadm_r and secadm_r respectively) and then issue
>>>> the corresponding command (shutdown and setenforce). This fails and I
>>>> believe my difficulty is that in both cases I need to also be the linux root
>>>> user. There does not seem to be an obvious way to execute a command as the
>>>> linux root user as neither su nor sudo seem available while in the sysadm_r
>>>> and secadm_r roles. Executing something like seaudit while in the auditadm_r
>>>> role fails to allow me to authenticate as root. Despite being the correct
>>>> password it continuously loops asking for the password.
>>>>
>>>> As a related but less important question, in general, is it intended that a
>>>> user initially have the staff_r role upon login and then transition to a
>>>> more trusted role (i.e., secadm_r) using the newrole command? (as opposed to
>>>> having the secadm_r upon login.)
>>>>
>>>> Thanks for any help,
>>>>
>>>> Andy
>>>>
>>>
>>> Not sure how red hat works,
>>> but for me using ubuntu having to change roles
>>> I first needed to collect all of the allow rules, e.g.
>>> allow newrole_t staff_t:process etc...
>>> then after a reboot into enforce mode
>>> using newrole -r works fine. (just haven't defined secadm_r yet).
>>> As for toggling from enforce to permissive
>>> using setenforce 0 or 1
>>> or echo 0/1 > /selinux/enforce.
>>>
>> I have no problem changing to a role while in enforcing mode, the
>> problem is in performing the command. Here is what is happening (the
>> following was executed while in enforcing mode):
>>
>> [staff@oak ~]$ id -Z
>> staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ newrole -r secadm_r
>> Password:
>> [staff@oak ~]$ id -Z
>> staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$ ls -l /selinux/enforce
>> -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
>> [staff@oak ~]$ /usr/sbin/setenforce 1
>> /usr/sbin/setenforce: setenforce() failed
>> [staff@oak ~]$ sudo /usr/sbin/setenforce 1
>> sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>> [staff@oak ~]$ id
>> uid=503(staff) gid=500(user) groups=500(user) context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> [staff@oak ~]$
>>
>> As can be seen I can transition to the secadm_r without an issue. And,
>> from the DAC modes of /selinux/enforce I would guess it requires linux
>> root to be written. Also, I thought I read elsewhere that the secadm_r
>> was configured so that it could not perform an su/sudo. Likewise, if I
>> try to execute system-config-selinux as the secadm_r role, I am not
>> permitted to authenticate as linux root user so I am not able to do
>> anything. If selinux is in permissive mode everything works, as long
>> as I su/sudo to root first. I have similar issues with the auditadm_r
>> role.
>>
>> As for my previously mentioned issue with using sysadm_r to issue a
>> shutdown command while in enforcing mode, I was mistaken and this is
>> possible using sudo (not sure what I was thinking). It seems no MLS
>> roles can use su, only staff_r and sysadm_r may use sudo. auditadm_r
>> and secadm_r cannot use either and seem powerless without it. I am
>> also unable to directly log in as root when in enforcing mode.
>>
>> Note that I am using the roles as they are configured in the MLS
>> policy. If it is required to change or configure the roles to make
>> them able to do what it seems like they should be able to do, that's ok,
>> but first I need to make sure I'm not just being boneheaded and using
>> them in the wrong way or have bad expectations of what they should be
>> able to do.
>
> Sorry to answer my own email, but just to button this up. I could not
> log into my root account because of a conflict between the staff_t
> (login process type) and the admin_home_t (root's home dir file type).
> Any attempt to start a session for root during enforcing mode would die
> as it could not access root's home directory. I am not exactly sure why
> policy is this way, if I did something or the mls policy is that way by
> default. So, I had to find another way to have linux root and
> secadm_r/auditadm_r at the same time. The su and sudo commands are not
> available from those roles. So, from the staff_r I had to start a shell
> using sudo as:
>
> sudo -s -r secadm_r
>
> This gave me a shell with the linux root user and the secadm_r role and
> I was able to run things like system-config-selinux and setenforce
> during enforcing mode. Same applies to the auditadm_r role.
>

You need to run sudo first to become root and then run newrole.

sudo also has the ability to transition directly to sysadm_r. My sudoers has the following lines in it from targeted policy.

dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t ALL
dwalsh ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t /bin/su

I am logged in as staff_r:staff_t. I would not advise logging directly in as root on an MLS machine, but it probably should be set up to login as sysadm_r (although I would prefer unconfined_r).
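The lesson of the thread is that an MLS administrative command needs two things at once: the linux root uid and the matching SELinux role, and getting only one of them produces an opaque failure (`setenforce() failed`, `setresuid(...): Operation not permitted`). The shell guard below is an example added here, not code posted by anyone on the list: it parses the `user:role:type:range` context string that `id -Z` prints in the session above and refuses with a clear message when either half is missing. The function names, the `run_as_admin` wrapper and the sample contexts are my own constructions.

```shell
#!/bin/sh
# Example added to this thread, not code from the list posters.
# Checks the two things the thread shows are both required before an MLS
# administrative command (setenforce, system-config-selinux) works in
# enforcing mode: uid 0 AND the expected SELinux role.
# Context format assumed: user:role:type:range, as printed by `id -Z`.

# Print field N of a colon-separated context string.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

context_user() { context_field "$1" 1; }
context_role() { context_field "$1" 2; }
context_type() { context_field "$1" 3; }
# Everything from the fourth field onward is the MLS range.
context_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# check_admin_context UID CONTEXT REQUIRED_ROLE
# Returns 0 when UID is 0 and CONTEXT carries REQUIRED_ROLE; otherwise
# prints which half is missing and returns 1. The two failure branches
# are the two dead ends in the thread: the role without root, and root
# without the role.
check_admin_context() {
    cac_uid=$1
    cac_role=$(context_role "$2")
    cac_want=$3
    if [ "$cac_role" != "$cac_want" ]; then
        echo "role is $cac_role, need $cac_want (from staff_r: sudo -s -r $cac_want)" >&2
        return 1
    fi
    if [ "$cac_uid" -ne 0 ]; then
        echo "uid is $cac_uid, need 0 (from staff_r: sudo -s -r $cac_want)" >&2
        return 1
    fi
    return 0
}

# run_as_admin REQUIRED_ROLE COMMAND [ARGS...]
# Wrapper for a live session: reads the real uid and context and refuses
# early with a readable reason instead of letting the command die with
# EPERM. `id -Z` is absent on non-SELinux hosts; the "-" fallback then
# makes the role check fail deliberately.
run_as_admin() {
    raa_want=$1
    shift
    check_admin_context "$(id -u)" "$(id -Z 2>/dev/null || echo -)" "$raa_want" || return 1
    "$@"
}

# Usage on a real MLS box, from a root shell obtained with
# `sudo -s -r secadm_r`:
#   run_as_admin secadm_r /usr/sbin/setenforce 1
```

The wrapper is deliberately conservative: it checks the role string rather than trying to infer privilege from the type, because the thread shows a correct type (`secadm_t`) still failing once the uid is wrong.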