On Wed, Nov 5, 2008 at 12:11 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Andy Warner wrote:
>> Andy Warner wrote:
>>> Justin Mattock wrote:
>>>> On Wed, Nov 5, 2008 at 7:33 AM, Andy Warner <warner@xxxxxxxxx> wrote:
>>>>
>>>>> I am using Fedora 9 with the MLS policy. I have been using it in
>>>>> permissive mode for a while (integrating SELinux with a DBMS and its
>>>>> objects) and now must do some work/testing in enforcing mode. As soon
>>>>> as I switch to enforcing mode I seem unable to perform any action
>>>>> which requires privilege.
>>>>>
>>>>> What is the anticipated method to shutdown/reboot the system and to
>>>>> toggle the enforcing mode while in MLS/Enforcing? What I assumed was
>>>>> to transition to an appropriate role (sysadm_r and secadm_r
>>>>> respectively) and then issue the corresponding command (shutdown and
>>>>> setenforce). This fails and I believe my difficulty is that in both
>>>>> cases I need to also be the linux root user. There does not seem to
>>>>> be an obvious way to execute a command as the linux root user as
>>>>> neither su nor sudo seem available while in the sysadm_r and secadm_r
>>>>> roles. Executing something like seaudit while in the auditadm_r role
>>>>> fails to allow me to authenticate as root. Despite being the correct
>>>>> password it continuously loops asking for the password.
>>>>>
>>>>> As a related but less important question, in general, is it intended
>>>>> that a user initially have the staff_r role upon login and then
>>>>> transition to a more trusted role (i.e., secadm_r) using the newrole
>>>>> command? (As opposed to having the secadm_r upon login.)
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> Andy
>>>>
>>>> Not sure how red hat works, but for me using ubuntu, having to change
>>>> roles, I first needed to collect all of the allow rules, e.g.
>>>>   allow newrole_t staff_t:process etc...
>>>> then after a reboot into enforce mode using newrole -r works fine
>>>> (just haven't defined secadm_r yet). As for toggling from enforce to
>>>> permissive, use setenforce 0 or 1, or echo 0/1 > /selinux/enforce.
>>>
>>> I have no problem changing to a role while in enforcing mode; the
>>> problem is in performing the command. Here is what is happening (the
>>> following was executed while in enforcing mode):
>>>
>>>   [staff@oak ~]$ id -Z
>>>   staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
>>>   [staff@oak ~]$ newrole -r secadm_r
>>>   Password:
>>>   [staff@oak ~]$ id -Z
>>>   staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>   [staff@oak ~]$ ls -l /selinux/enforce
>>>   -rw-r--r-- 1 root root 0 2008-11-05 17:08 /selinux/enforce
>>>   [staff@oak ~]$ /usr/sbin/setenforce 1
>>>   /usr/sbin/setenforce: setenforce() failed
>>>   [staff@oak ~]$ sudo /usr/sbin/setenforce 1
>>>   sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
>>>   [staff@oak ~]$ id
>>>   uid=503(staff) gid=500(user) groups=500(user) context=staff_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>   [staff@oak ~]$
>>>
>>> As can be seen, I can transition to the secadm_r without an issue. And,
>>> from the DAC modes of /selinux/enforce, I would guess it requires linux
>>> root to be written. Also, I thought I read elsewhere that the secadm_r
>>> was configured so that it could not perform an su/sudo. Likewise, if I
>>> try to execute system-config-selinux as the secadm_r role, I am not
>>> permitted to authenticate as the linux root user, so I am not able to do
>>> anything. If selinux is in permissive mode everything works, as long
>>> as I su/sudo to root first. I have similar issues with the auditadm_r
>>> role.
>>>
>>> As for my previously mentioned issue with using sysadm_r to issue a
>>> shutdown command while in enforcing mode, I was mistaken and this is
>>> possible using sudo (not sure what I was thinking). It seems no MLS
>>> roles can use su; only staff_r and sysadm_r may use sudo. auditadm_r
>>> and secadm_r cannot use either and seem powerless without it. I am
>>> also unable to directly log in as root when in enforcing mode.
>>>
>>> Note that I am using the roles as they are configured in the MLS
>>> policy. If it is required to change or configure the roles to make
>>> them able to do what it seems like they should be able to do, that's ok,
>>> but first I need to make sure I'm not just being boneheaded and using
>>> them in the wrong way or have bad expectations of what they should be
>>> able to do.
>>
>> Sorry to answer my own email, but just to button this up. I could not
>> log into my root account because of a conflict between the staff_t
>> (login process type) and the admin_home_t (root's home dir file type).
>> Any attempt to start a session for root during enforcing mode would die
>> as it could not access root's home directory. I am not exactly sure why
>> policy is this way, if I did something or the mls policy is that way by
>> default. So, I had to find another way to have linux root and
>> secadm_r/auditadm_r at the same time. The su and sudo commands are not
>> available from those roles. So, from the staff_r I had to start a shell
>> using sudo as:
>>
>>   sudo -s -r secadm_r
>>
>> This gave me a shell with the linux root user and the secadm_r role and
>> I was able to run things like system-config-selinux and setenforce
>> during enforcing mode. The same applies to the auditadm_r role.
>
> You need to run sudo first to become root and then run newrole.
>
> sudo also has the ability to transition directly to sysadm_r.
>
> My sudoers has the following lines in it from targeted policy.
>
>   dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t ALL
>   dwalsh ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t /bin/su
>
> I am logged in as staff_r:staff_t.
>
> I would not advise logging directly in as root on an MLS machine, but it
> probably should be set up to log in as sysadm_r (although I would prefer
> unconfined_r).
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

My setup here is aterm -e sudo su (in the fluxbox menu); then newrole -r staff_r (for network manager). Probably not as safe, but since it's for personal use, probably O.K.

--
Justin P. Mattock
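The thread settles on two ways to end up with Linux root and an MLS admin role at the same time: `sudo` with `ROLE=`/`TYPE=` sudoers entries (or `sudo -r role -t type -s` from a role that may run sudo, such as staff_r), or becoming root first and then `newrole -r`. The script below is an added example, not code posted by any participant in the thread; it encodes that decision as a small helper that reads the current context and prints the transition to use plus the sudoers line that permits it. It assumes the refpolicy convention that role X_r pairs with domain X_t (secadm_r/secadm_t, auditadm_r/auditadm_t, and so on), and the `SELINUX_CTX` environment variable is a hypothetical hook so the logic can be exercised on a machine without SELinux.

```bash
#!/bin/bash
# Added example (not from the mailing-list thread): choose how to reach an
# MLS admin role as Linux root, and show the sudoers line that allows it.
set -eu

# Map a refpolicy role to its domain type.  Assumption: the X_r -> X_t
# naming convention used by the MLS/refpolicy roles discussed in the thread.
role_type() {
  case "$1" in
    staff_r)    echo staff_t ;;
    sysadm_r)   echo sysadm_t ;;
    secadm_r)   echo secadm_t ;;
    auditadm_r) echo auditadm_t ;;
    *)          return 1 ;;
  esac
}

# Field N (1=user 2=role 3=type 4-=MLS range) of a context user:role:type:range.
ctx_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# Current process context.  SELINUX_CTX is a hypothetical override so the
# script can run offline; otherwise use id -Z, degrading gracefully when
# the kernel has no SELinux.
current_ctx() {
  if [ -n "${SELINUX_CTX:-}" ]; then
    printf '%s\n' "$SELINUX_CTX"
  else
    id -Z 2>/dev/null || echo "unknown_u:unknown_r:unknown_t:s0"
  fi
}

# Print the command that reaches role WANT as root from context CTX with
# real uid UID, or "none" if already there.
plan_transition() {
  local want="$1" ctx="$2" uid="$3"
  local role type
  role=$(ctx_field "$ctx" 2)
  type=$(role_type "$want") || { echo "unknown role: $want" >&2; return 1; }
  if [ "$role" = "$want" ] && [ "$uid" = 0 ]; then
    echo "none"
  elif [ "$uid" = 0 ]; then
    # Already root: Dan's ordering, change only the role/type with newrole.
    echo "newrole -r $want -t $type"
  else
    # Not root: sudo changes uid and role/type in one step (Andy's sudo -s -r).
    # Per the thread this must be issued from a role that may run sudo
    # (staff_r or sysadm_r), not from secadm_r/auditadm_r.
    echo "sudo -r $want -t $type -s"
  fi
}

# The sudoers entry that permits the sudo form, in the ROLE=/TYPE= syntax
# Dan posted.  Hypothetical user name; install with visudo.
sudoers_line() {
  local user="$1" want="$2" type
  type=$(role_type "$want") || return 1
  echo "$user ALL=(ALL) ROLE=$want TYPE=$type ALL"
}

main() {
  local want="${1:-secadm_r}" ctx cmd
  ctx=$(current_ctx)
  cmd=$(plan_transition "$want" "$ctx" "$(id -u)")
  echo "current context : $ctx"
  echo "to reach $want as root: $cmd"
  echo "sudoers entry   : $(sudoers_line "$(id -un)" "$want")"
}

# Run only when a role is given on the command line, e.g.:
#   SELINUX_CTX=staff_u:staff_r:staff_t:s0-s15:c0.c1023 ./mls-admin.sh secadm_r
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Once in the secadm_r shell, `setenforce 0`/`setenforce 1` and `system-config-selinux` work as Andy reported; the `ls -l /selinux/enforce` check in his transcript is why uid 0 is needed in addition to the role, since the DAC mode on that file is root-writable only.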