On Wed, Aug 31, 2011 at 07:14:42PM +0100, Roy Badami wrote:
> On 31/08/2011 18:48, Dominick Grift wrote:
> >On Wed, Aug 31, 2011 at 06:01:15PM +0100, Roy Badami wrote:
> >>I'm trying to understand the RBAC features in the version of the mls
> >>(and also strict) policies that ship with CentOS 5.6 - I'm not sure
> >>if this is the best place to ask or if there's a more appropriate
> >>list.
> >refpolicy@xxxxxxxxxxxxxx is more appropriate.
>
> Thanks - I'll bear that one in mind.
>
> >When you build mls policy you get a separate secadm role; when you build strict policy, then sysadm role also has the capabilities that secadm role in mls has.
>
> Yes, so it looks like it does make sense for me to use the mls policy
> in that case. Unfortunately in the mls policy on el5 it appears
> that both sysadm_r and secadm_r can both administer security.
> secadm_r is prevented from performing other systems administration,
> but unfortunately sysadm_r is not prevented from changing the
> selinux policy, etc. This wasn't how I was hoping it would work :-(
>
> >Well, whether the modules are installed (semodule -l | grep secadm), that I guess would be defined manually in the modules.conf for strict. If the secadm module is installed then it could be that the role is just not mapped to staff_u unless policy is mls (see above: users file snippet).
>
> Ah, I'd been trying to figure out how to verify what modules really
> were present in the loaded binary policy - that's very useful,
> thanks! As are your other pointers to bits of the policy.

Well, it's just an indicator. Some (core?) modules are compiled into a single base module, which isn't listed in semodule -l. In a perfect world that would be only about 10 modules or so (the ones in the kernel layer); however, people have been using the base module as a refuge to hide their broken policy ;) So most modules should be listed with semodule -l; only a few aren't listed because they are in base.

Which modules exactly are in base is harder to tell. (You could download the policy source rpm, extract it and look into the enclosed modules-mls.conf file. grep -i it for base. Example: kernel = base.)

> Regards
>
> roy
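The two checks Dominick describes (is the module listed by semodule -l, and if not, is it marked "= base" in the modules-mls.conf shipped in the policy source rpm) can be combined into one small classifier. This is an added example, not code from the thread or from refpolicy; the semodule -l output and the modules-mls.conf snippet below are constructed samples so the script runs offline, and the exact path of modules-mls.conf inside the source rpm is not stated on the page, so it is left as a placeholder.

```sh
#!/bin/sh
# Added example: classify an SELinux policy module as
#   loadable   - listed by `semodule -l` (a separately loaded .pp module)
#   base       - "name = base" in modules.conf, i.e. compiled into the base
#                module and therefore NOT shown by `semodule -l`
#   off        - "name = off" in modules.conf, not built at all
#   not-loaded - "name = module" in modules.conf but absent from `semodule -l`
#   absent     - unknown to both sources
#
# Constructed sample of `semodule -l` output (name<TAB>version), as on el5.
# On a real system use:  SEMODULE_LIST=$(semodule -l)
SEMODULE_LIST='staff	1.0.0
sysadm	1.0.0
unconfined	1.0.0'

# Constructed snippet of a modules-mls.conf ("name = base|module|off").
# On a real system use:  MODULES_CONF=$(cat /PATH/TO/extracted/modules-mls.conf)
MODULES_CONF='# Layer: kernel
kernel = base
selinux = base
secadm = base
staff = module
sysadm = module
unconfined = module
dbus = off'

# classify NAME SEMODULE_OUTPUT MODULES_CONF
# Prints one of: loadable | base | off | not-loaded | absent
classify() {
    name=$1; list=$2; conf=$3

    # First source of truth: the loaded binary policy, as reported by semodule -l.
    if printf '%s\n' "$list" | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
        echo loadable
        return 0
    fi

    # Second source: the build-time modules.conf, which records base/module/off.
    # Lines starting with '#' (layer comments) are excluded by the ^ anchor.
    state=$(printf '%s\n' "$conf" \
        | sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p" \
        | head -n 1)

    case "$state" in
        base)   echo base ;;
        off)    echo off ;;
        module) echo not-loaded ;;
        *)      echo absent ;;
    esac
}

# Demonstration over the constructed samples.
for m in secadm staff dbus nosuchmodule; do
    printf '%-14s %s\n' "$m" "$(classify "$m" "$SEMODULE_LIST" "$MODULES_CONF")"
done
```

The point of the ordering is the one made in the thread: a module missing from semodule -l is not evidence that its rules are absent from the loaded policy, because base-compiled modules never appear there, so modules.conf has to be consulted before concluding that a role such as secadm_r is unavailable.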