SELinux role separation

I am currently working with an Itanium2 system which has RHEL 5.3 MLS installed.
I am trying to understand how separation of roles works in SELinux/MLS policy version 21. We have been told that we need to separate roles that the sys admin is no longer allowed to do.

After reading through these threads in the archives, I am still wondering about a couple of things:

http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082

And this one:
http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml

1) Is the RHEL 5.x MLS policy version 21 capable of the following separation of sysadm_r and secadm_r roles:

   a) Can the secadm_r role be the only role that can assign roles via semanage?

   b) Can the secadm_r role be the only role that can assign/modify network interface labels via semanage?

   c) Can the secadm_r role be the only role that can control files used in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd, etc.?

2) Is this better accomplished with a combination of sudo and SELinux?

3) How can I determine what secadm_r can do in the current configuration? Can any of the CLI tools show me that? (No GUI tools are available.)

If not, what about RHEL 6? (I understand RHEL 6 is not available for Itanium systems, but we may have new hardware soon.)

Any tips, hints, pointers, etc. would be very helpful.

Thanks for your time,
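As an added illustration for question 1c and question 3 (this is not part of the original post): the CLI way to see what a role may do is setools, e.g. `seinfo -rsecadm_r -x` to list the domains reachable from the role and `sesearch --allow -s secadm_t -t auditd_etc_t` to list the allow rules between a domain and a type. The script below parses `sesearch --allow` style output and reports which domains hold write-like permissions on the audit configuration types, so you can check whether secadm_t is really the only one. The sample rules are constructed, and the type names auditd_etc_t and auditd_initrc_exec_t are assumed to be how the policy labels auditd.conf/audit.rules and the init script on your system; verify them with `ls -Z`.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch --allow` output; not captured from a real system.
SAMPLE = """
allow sysadm_t auditd_etc_t : file { ioctl read getattr lock write append setattr unlink link rename } ;
allow secadm_t auditd_etc_t : file { ioctl read getattr lock write append setattr unlink link rename } ;
allow secadm_t auditd_etc_t : dir { ioctl read getattr lock search add_name remove_name write } ;
allow sysadm_t auditd_initrc_exec_t : file { read getattr execute execute_no_trans } ;
allow secadm_t auditd_initrc_exec_t : file { read getattr execute execute_no_trans } ;
allow staff_t auditd_etc_t : file { read getattr } ;
"""

# One allow rule per line: allow <source> <target> : <class> { perms } ;
RULE_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;?\s*$')

# Permissions that let a domain change a file or directory's content or existence.
WRITE_PERMS = {"write", "append", "setattr", "unlink", "link", "rename",
               "create", "add_name", "remove_name"}

# Assumed labels for the audit config files and the auditd init script.
AUDIT_TYPES = {"auditd_etc_t", "auditd_initrc_exec_t"}


def parse_allow_rules(text):
    """Yield (source, target, class, perms) for every allow rule in sesearch output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            yield src, tgt, cls, set(perms.split())


def writers_of(text, target_types=AUDIT_TYPES):
    """Map each audit-related type to the domains holding write-like permissions on it."""
    result = defaultdict(set)
    for src, tgt, _cls, perms in parse_allow_rules(text):
        if tgt in target_types and perms & WRITE_PERMS:
            result[tgt].add(src)
    return dict(result)


def domains_other_than(text, domain="secadm_t"):
    """Domains besides `domain` that can modify audit config; empty means the separation holds."""
    others = set()
    for domains in writers_of(text).values():
        others |= domains - {domain}
    return others


if __name__ == "__main__":
    for tgt, domains in sorted(writers_of(SAMPLE).items()):
        print(f"{tgt}: writable by {', '.join(sorted(domains))}")
    print("non-secadm writers:", sorted(domains_other_than(SAMPLE)))
```

On a live system pipe the real output in with `sesearch --allow -c file -c dir | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`.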
