On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
> need to create it somehow and put it under /selinux/booleans ?
>
> # getsebool -a | grep allow_sysadm_manage_security
> # getsebool -a | grep allow_sysadm
> # getsebool -a | grep sysadm
> allow_httpd_sysadm_script_anon_write --> off
> ssh_sysadm_login --> off
> staff_read_sysadm_file --> off
> xdm_sysadm_login --> off
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> > On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
> >
> >> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
> >> installed.
> >> I am trying to understand how separation of roles works in SELinux/MLS
> >> policy version 21. We have been told that we need to separate roles that
> >> the sys admin is no longer allowed to do.
> >
> >> After reading through these threads in the archives, I am still
> >> wondering about a couple of things:
> >
> >> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
> >
> >> And this one:
> >
> >> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
> >
> >> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
> >> separation of sysadm_r and secadm_r roles:
> >
> >> a) Can the secadm_r role be the only role that can assign roles via
> >> semanage?
> >
> >> c) Can the secadm_r role be the only role that can control files used
> >> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
> >
> > auditadm_r:auditadm_t is only allowed to modify these files.
> >
> >> 2) Is this better accomplished with a combination of SUDO and SELinux?
> >
> > Since sysadm_t can hack his way around the SELinux controls via tools
> > like rpm and fdisk, you are better off using sudo to further restrict
> > his actions, if possible.
> >
> >> 3) How can I determine what secadm_r can do in the current
> >> configuration? Can any of the CLI tools show me that? (no GUI tools
> >> available)
> >
> > You probably want to look at secadm_t
> >
> > sesearch -A -t secadm_t
> >
> >> If not, what about RHEL 6? (I understand RHEL 6 is not available to
> >> Itanium systems, but we may have new hardware soon)
> >
> >> Any tips, hints, pointers etc... would be very helpful.
> >
> >> Thanks for your time,
>

Oops, I misread the policy; I guess we abandoned the separation.

    ifdef(`enable_mls',`
        userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
    #   tunable_policy(`allow_sysadm_manage_security',`
            userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
    #   ')

Missed the "#" at the beginning of the lines. So I don't think we prevent
sysadm_t from managing the security; of course he has to be able to run at
SystemHigh.
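The thread's open question is whether sysadm_t still shares the security-management permissions that were meant to be secadm_t-only once the tunable was commented out. The script below is an added example, not code from the thread or from the reference policy: it takes sesearch(1) allow-rule output, lists which source domains hold a given permission on a given type, and reports whether sysadm_t is among them. The sample rules embedded in it are constructed for illustration (the domain, type and permission combinations are assumptions, not a dump of the RHEL 5 MLS policy). On a real host you would replace the sample with live output; note that sesearch -s DOMAIN lists rules where DOMAIN is the source (what it may do), while -t DOMAIN lists rules where it is the target.

```shell
#!/bin/sh
# Added example (not from the thread or the policy sources): check whether
# sysadm_t shares a permission that should belong to secadm_t/auditadm_t only.
# Real usage on an MLS host (not run here):
#     sesearch -A -c file -p write | (. ./this.sh; separation_check auditd_etc_t write)

# CONSTRUCTED sample of "sesearch -A" output.  The combinations below are
# illustrative assumptions.  Both the older " : class" and the newer ":class"
# spellings of the object class are included so the parser handles either.
SAMPLE_RULES='allow secadm_t auditd_etc_t : file { read write getattr setattr };
allow auditadm_t auditd_etc_t : file { read write getattr setattr };
allow sysadm_t auditd_etc_t : file { read getattr };
allow secadm_t semanage_store_t:file { read write create unlink };
allow sysadm_t semanage_store_t:file { read write create unlink };
allow sysadm_t shadow_t : file write;'

# domains_with_perm TYPE PERM   (allow rules on stdin)
# Prints, sorted and space-separated, every source domain that holds PERM on
# TYPE for the file class; prints nothing if no domain holds it.
domains_with_perm() {
    sed 's/:/ : /' \
    | awk -v t="$1" -v p="$2" '
        $1 == "allow" && $3 == t && $5 == "file" {
            for (i = 6; i <= NF; i++) {
                f = $i; gsub(/[{};]/, "", f)    # strip { } ; around permissions
                if (f == p) { print $2; break }
            }
        }' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# separation_check TYPE PERM   (allow rules on stdin)
# Prints "shared" if sysadm_t holds PERM on TYPE (no role separation for that
# object), "separated" otherwise.
separation_check() {
    holders=$(domains_with_perm "$1" "$2")
    case " $holders " in
        *" sysadm_t "*) echo shared ;;
        *)              echo separated ;;
    esac
}

# Stand-alone run over the constructed sample.
for t in auditd_etc_t semanage_store_t shadow_t; do
    printf '%-18s write: %-9s holders: %s\n' "$t" \
        "$(printf '%s\n' "$SAMPLE_RULES" | separation_check "$t" write)" \
        "$(printf '%s\n' "$SAMPLE_RULES" | domains_with_perm "$t" write)"
done
```

A "separated" result is necessary but not sufficient: as the reply above notes, sysadm_t can still reach the same files through tools such as rpm and fdisk, so an allow-rule query only confirms what the policy grants directly, and sudo restrictions are still needed on top of it.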