MLS Not enforcing secadm and auditadm

I’m setting up a RHEL6 box with MLS and am having issues with it enforcing the use of roles. Secadm_r and auditadm_r are not required to run setenforce or semanage and no role is able to write in /etc/audit/ at all. The IRC channel seems to believe there is an issue with the ifndef(‘enable_mls’… not triggering.

[root@hatch ~]$ id -Z
staff_u:sysadm_r:sysadm_t:s0

[knelson6@hatch ~]$ ls -Z /usr/sbin/semanage
-rwxr-xr-x. root root system_u:object_r:semanage_exec_t:s0 /usr/sbin/semanage

[knelson6@hatch ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls

[root@hatch ~]# sesearch --allow -s sysadm_t -t semanage_exec_t -c file -p execute
Found 3 semantic av rules:
   allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;

[root@hatch ~]# sesearch -SCT --allow -s sysadm_t -t semanage_exec_t
Found 11 semantic av rules:
   allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_t file_type : filesystem getattr ;
   allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sysadm_usertype file_type : filesystem getattr ;
   allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;
   allow sysadm_t semanage_exec_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow sysadm_t semanage_exec_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t semanage_exec_t : chr_file { getattr relabelfrom relabelto } ;
   allow sysadm_t semanage_exec_t : blk_file { getattr relabelfrom relabelto } ;
   allow sysadm_t semanage_exec_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t semanage_exec_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;

Found 1 semantic te rules:
   type_transition sysadm_t semanage_exec_t : process semanage_t;

--
Kurt Nelson
GTRI-STL IT Coop
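An added example, not part of the thread: a small Python parser for the sesearch output quoted above that reports which source types are granted execute on semanage_exec_t and which domain the process transition lands in, so the role separation the poster expects under MLS can be checked against the policy's actual rules. The expected-source set (only secadm_t) is an assumption for the check, and the sample rules are copied from the post rather than queried from a live policy.

```python
import re

# Rules copied from the sesearch output in the post (sample input, not a live query).
SESEARCH_OUTPUT = """
allow sysadm_t application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow sysadm_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow sysadm_t semanage_exec_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute open } ;
allow sysadm_t file_type : filesystem getattr ;
type_transition sysadm_t semanage_exec_t : process semanage_t;
"""

# "allow SRC TGT : CLASS { p1 p2 ... } ;"  or  "allow SRC TGT : CLASS perm ;"
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
# "type_transition SRC TGT : CLASS NEWTYPE;"
TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;")


def parse_rules(text):
    """Split sesearch output into allow tuples and type_transition tuples."""
    allows, transitions = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ALLOW_RE.match(line)
        if m:
            perms = set((m.group(4) or m.group(5)).split())
            allows.append((m.group(1), m.group(2), m.group(3), perms))
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return allows, transitions


def sources_with_perm(allows, target, cls, perm):
    """Source types/attributes holding `perm` on `target` for object class `cls`.
    Note: rules written against attributes (e.g. application_exec_type) are only
    matched when you ask for that attribute name; attribute membership needs the policy."""
    return sorted({s for s, t, c, p in allows if t == target and c == cls and perm in p})


def transition_target(transitions, source, target):
    """Domain that `source` transitions into when executing a `target` file, or None."""
    for s, t, c, new in transitions:
        if s == source and t == target and c == "process":
            return new
    return None


def separation_violations(allows, target, expected_sources):
    """Sources with execute on `target` that are outside the expected admin set."""
    return [s for s in sources_with_perm(allows, target, "file", "execute") if s not in expected_sources]
```

Running separation_violations over the quoted rules with expected_sources={"secadm_t"} returns ["sysadm_t"], which is exactly the missing role separation the post describes.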
