-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
> installed.
> I am trying to understand how separation of roles works in SELinux/MLS
> policy version 21. We have been told that we need to separate roles that
> the sys admin is no longer allowed to do.
>
> After reading through these threads in the archives, I am still
> wondering about a couple of things:
>
> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>
> And this one:
> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> separation of sysadm_r and secadm_r roles:
>
> a) Can the secadm_r role be the only role that can assign roles via
> semanage?
>
> b) Can the secadm_r role be the only role that can assign/modify
> network interface labels via semanage?
>

secadm_r:secadm_t in MLS policy is only allowed to run semanage if the
allow_sysadm_manage_security boolean is turned off.

> c) Can the secadm_r role be the only role that can control files used
> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
>

auditadm_r:auditadm_t is only allowed to modify these files.

> 2) Is this better accomplished with a combination of SUDO and SELinux?

Since sysadm_t can hack his way around the SELinux controls via tools like
rpm and fdisk, you are better off using sudo to further restrict his
actions, if possible.

> 3) How can I determine what secadm_r can do in the current
> configuration? Can any of the CLI tools show me that? (no GUI tools
> available)
>

You probably want to look at secadm_t:

sesearch -A -t secadm_t

> If not, what about RHEL 6? (I understand RHEL 6 is not available for
> Itanium systems, but we may have new hardware soon.)
>
> Any tips, hints, pointers etc... would be very helpful.
>
> Thanks for your time,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk03RYsACgkQrlYvE4MpobPxeQCfYZFtvY0/6oiB0kCUhZfy8NBe
1isAoI2+zCfveZJRpCxIxeu+XAvcjFcw
=vT6y
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
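The reply above answers the separation questions by pointing at two things a practitioner can verify on the box: the state of the allow_sysadm_manage_security boolean and the allow rules sesearch reports for a domain or target type. The script below is an added example, not code from the reply or from the SELinux project: it parses sesearch and getsebool output and reports whether only auditadm_t may write the audit configuration type (auditd_etc_t, the reference-policy type for auditd's configuration files) and whether the boolean is off. The two SAMPLE_* strings are constructed in the setools-3 output style of RHEL 5 so the script runs offline; on a live system the same functions are fed the real command output named in the comments.

```shell
#!/bin/sh
# Added example (not part of the mailing-list reply): check the role
# separation discussed above from sesearch/getsebool output.
# The SAMPLE_* strings are CONSTRUCTED in the setools-3 output style of
# RHEL 5; they are not output from the original poster's system.
# On a live system, feed the functions real output instead:
#   sesearch -A -t auditd_etc_t -c file | domains_with_perm auditd_etc_t write
#   getsebool allow_sysadm_manage_security | bool_is_off allow_sysadm_manage_security
#   sesearch -A -s secadm_t        # every allow rule whose source is secadm_t

SAMPLE_AUDIT_RULES='Found 3 semantic av rules:
   allow auditadm_t auditd_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow sysadm_t auditd_etc_t : file { ioctl read getattr lock open } ;
   allow secadm_t auditd_etc_t : file { ioctl read getattr lock open } ;
'

SAMPLE_BOOL='allow_sysadm_manage_security --> off'

# Print (sorted, unique) the source domains that hold permission $2 on target
# type $1, reading "allow SRC TGT : CLASS { perms } ;" rules from stdin.
# The sed pass spaces out ":", "{", "}" and ";" so that both the setools-3
# form ("tgt : file { ... } ;") and the setools-4 form ("tgt:file { ... };")
# split into the same awk fields.
domains_with_perm() {
    target="$1"
    perm="$2"
    sed 's/:/ : /g; s/{/ { /g; s/}/ } /g; s/;/ ; /g' |
    awk -v t="$target" -v p="$perm" '
        $1 == "allow" && $3 == t {
            # fields: 1=allow 2=src 3=tgt 4=":" 5=class 6..=perms, braces, ";"
            for (i = 6; i <= NF; i++) {
                if ($i == "{" || $i == "}" || $i == ";") continue
                if ($i == p) { print $2; break }
            }
        }' | sort -u
}

# Succeed only if exactly one domain may write the target type and it is the
# expected one (e.g. auditadm_t for auditd_etc_t).
only_writer_is() {
    expected="$1"
    target="$2"
    [ "$(domains_with_perm "$target" write)" = "$expected" ]
}

# Succeed if getsebool output on stdin reports boolean $1 as "off".
bool_is_off() {
    awk -v b="$1" '$1 == b && $3 == "off" { found = 1 } END { exit !found }'
}

# Stand-alone run against the constructed samples.
report() {
    if printf '%s\n' "$SAMPLE_AUDIT_RULES" | only_writer_is auditadm_t auditd_etc_t; then
        echo "OK: auditadm_t is the only domain that can write auditd_etc_t"
    else
        echo "WARN: other domains can write auditd_etc_t:"
        printf '%s\n' "$SAMPLE_AUDIT_RULES" | domains_with_perm auditd_etc_t write
    fi
    if printf '%s\n' "$SAMPLE_BOOL" | bool_is_off allow_sysadm_manage_security; then
        echo "OK: allow_sysadm_manage_security is off (sysadm_t cannot run semanage)"
    else
        echo "WARN: allow_sysadm_manage_security is on"
    fi
}

report
```

Because the check works on sesearch's rule text rather than on the live policy object, the same script can be run against saved output from several machines, which is how a separation requirement is usually evidenced to an accreditor.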