On 09/03/2012 05:41 PM, Marcel Butucea wrote:
> Hello SELinux Team,
>
> As I am a beginner in deciphering the depths of SELinux I come to you
> with the following predicament in hope of guidance and help:
>
> We are migrating an application from Solaris to Linux and the main user
> is allowed, through the use of RBAC roles, to run a few system commands
> like svccfg/svcadm (chkconfig on Red Hat).
>
> Is it possible, using only SELinux (no sudo), to allow a normal user to
> run chkconfig off/on <service> (basically giving it the ability to
> add/remove services)? (My ultimate goal would be to allow this user to
> run other "root-only" utilities as well.) One of my concerns is that
> chkconfig might have some internal check for the uid of the calling
> user, ergo blocking this account from running the utility irrespective
> of my SELinux policy; is my worry legitimate or am I imagining things?
>
> My approach was to try to create an SELinux user with a corresponding
> SELinux role that manages the app's domain/type and is allowed to
> transition to all other domains required to run chkconfig, tcpdump or
> any other system utility usually restricted to root access only. All my
> attempts so far have failed, so my second question would be where could
> I find good documentation that applies to this specific problem?
>
> Thank you for your support!
>
> Best Regards,
>
> Marcel
>

This seems like an issue better suited for sudo. Do you have a limitation of some sort which is ruling out the use of sudo?

--
Larry Brower, CCNA
Fedora Ambassador - North America
Fedora Quality Assurance
lbrower@xxxxxxxxxxxxxxxxx
http://www.fedoraproject.org/