Re: Best base policy to use

Thanks, this approach sounds pretty good to me. On my last systems I used an audit_admin and sec_admin, in addition to a number of other roles. I looked VERY briefly at the MLS policy, but I think it might be a little too much for what I want, which is basically requiring 3 different roles to manage a machine, and 3 additional roles to manage/use certain services.

semanage makes persistent changes to a system, correct? I'm still uncertain of the best way to modify a module, or at least make one less permissive. Would it be to remove or disable a module, get the source, modify it, rename it, and then import it over the old one? For example, let's say I didn't want rpm_script_t to be able to transition into initrc_t, no matter what role it started as. Or, I don't want the sysadm_t to be able to do both run_init_t and rpm_t. Or am I completely in left field and not understanding the proper use of roles?

On Wed, Jul 6, 2011 at 1:09 AM, Dominick Grift <domg472@xxxxxxxxx> wrote:


On Tue, 2011-07-05 at 17:11 -0500, Jeremiah Jahn wrote:
> So I'm in the process of upgrading my servers from RHEL5 to RHEL6. On my
> RHEL5 system I had to build the reference policy from scratch in order to
> prevent users from being able to transition to init_t through initrc_t.
> Basically, I want systems that have to be rebooted in order to restart
> certain services, like auditd, or at least be able to split those duties
> into different roles. One role can edit a file or install something, but a
> different role must restart it. Because life, the universe and everything
> goes through initrc_t, just about anything on the system running as root can
> mess with services. I'd like to highly limit things, and haven't really
> looked at any new developments in SELinux for about 4 years. What's the best
> way/place to start removing domain transitions and requiring additional
> roles?

Main difference between el5 and el6 policy is that el6 policy is a
hybrid policy of the old targeted and strict policy. (strict policy was
merged into targeted policy)

You can now tune your policy to make it behave like the old strict
policy by removing or disabling the unconfined and unconfineduser
modules.

In Red Hat policy only unconfined_t can transition directly to initrc.
Sysadm_t needs to use run_init to transition to initrc_t in the system_r
role.

el6 policy allows you to easily create new roles.

So what you could do in my view is, disable or remove both unconfined
and unconfineduser modules and then create your own roles, SELinux user
identities and logins.

In that regard el6 policy has pretty much the same properties as current
reference policy.

> thanks,
> -jj-
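
An added example, not part of either poster's message: a small check for the question raised in this thread, namely which domains are still allowed to transition into initrc_t after the policy has been tightened. It parses allow rules in the form printed by `sesearch --allow -t initrc_t -c process -p transition`; the sample rules and the allow-list passed to `unexpected_sources` are constructed assumptions, not output from a real RHEL6 policy.

```shell
#!/bin/sh
# Added example. SAMPLE_RULES is constructed, not captured from a real system.
# On a live host, pipe in the output of:
#   sesearch --allow -t initrc_t -c process -p transition
SAMPLE_RULES='Found 4 semantic av rules:
   allow unconfined_t initrc_t : process transition ;
   allow run_init_t initrc_t : process { transition siginh } ;
   allow sysadm_t initrc_t : process { signal sigchld } ;
allow rpm_script_t initrc_t:process transition;'

# transition_sources TARGET
# Read allow rules on stdin and print every source type that is granted
# "process transition" to TARGET, one per line, sorted and de-duplicated.
transition_sources() {
    awk -v target="$1" '
        $1 == "allow" {
            line = $0
            gsub(/[:;{}]/, " & ", line)   # split punctuation away from names
            n = split(line, f, " ")
            # f[2]=source, f[3]=target, f[4]=":", f[5]=class, f[6..n]=permissions
            if (n < 6 || f[3] != target || f[5] != "process") next
            for (i = 6; i <= n; i++)
                if (f[i] == "transition") { print f[2]; break }
        }' | LC_ALL=C sort -u
}

# unexpected_sources TARGET ALLOWED...
# Print the sources that may transition into TARGET but are not in the
# ALLOWED list. Empty output means the policy matches the intended design.
unexpected_sources() {
    target=$1; shift
    allowed=" $* "
    transition_sources "$target" | while read -r src; do
        case "$allowed" in
            *" $src "*) ;;            # expected entry point, stay quiet
            *) echo "$src" ;;         # anything else needs review
        esac
    done
}

# Demo on the constructed sample: only run_init_t is assumed to be acceptable.
printf '%s\n' "$SAMPLE_RULES" | unexpected_sources initrc_t run_init_t
```

Run against real `sesearch` output before and after disabling the unconfined and unconfineduser modules to confirm which entry points into initrc_t remain.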

