Hello SELinux Team,

As I am a beginner in deciphering the depths of SELinux, I come to you with the following predicament in hope of guidance and help:

We are migrating an application from Solaris to Linux, and the main user is allowed, through the use of RBAC roles, to run a few system commands like svccfg/svcadm (chkconfig on Red Hat).

Is it possible, using only SELinux (no sudo), to allow a normal user to run chkconfig off/on <service> (basically giving it the ability to add/remove services)? (My ultimate goal would be to allow this user to run other "root-only" utilities as well.) One of my concerns is that chkconfig might have some internal check for the uid of the calling user, ergo blocking this account from running the utility irrespective of my SELinux policy. Is my worry legitimate or am I imagining things?

My approach was to try to create an SELinux user with a corresponding SELinux role that manages the app's domain/type and is allowed to transition to all other domains required to run chkconfig, tcpdump or any other system utility usually restricted to root access only. All my attempts so far have failed, so my second question would be: where could I find good documentation that applies to this specific problem?

Thank you for your support!

Best Regards,
Marcel
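Added worked example (editor's code, not part of Marcel's post or any reply): when a custom role's attempt to run a confined tool fails, the first thing to read is the AVC denials in the audit log. The script below parses constructed audit lines, merges the denied permissions into allow rules, and, for every failed `process transition`, prints the complete set of statements a domain transition needs (execute on the entry file, the `transition` permission, `entrypoint` for the target domain, the `type_transition`, and the `role ... types` statement that makes the new context valid for the caller's role). The type names `chkconfig_t` / `chkconfig_exec_t` are assumed to be the ones the Red Hat targeted policy uses for /sbin/chkconfig; `appadm_u` / `appadm_r` / `appadm_t` are hypothetical names for the user, role and domain Marcel wants to create. The rules it emits cover the SELinux side only: SELinux is additive to the kernel's DAC checks, so anything chkconfig does that the file mode bits reserve for root still needs a separate mechanism (a setuid helper, sudo, or the like) regardless of policy.

```python
"""Triage SELinux AVC denials and suggest the policy statements they imply.

Added example, not from the original mailing-list post. Uses constructed
audit records; the only real-world assumption is the audit line format.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system).
# chkconfig_t / chkconfig_exec_t: assumed Red Hat targeted-policy names.
# appadm_u / appadm_r / appadm_t: hypothetical user, role and domain.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1390000000.101:201): avc:  denied  { execute } for  pid=2201 comm="bash" name="chkconfig" dev=dm-0 ino=131073 scontext=appadm_u:appadm_r:appadm_t:s0 tcontext=system_u:object_r:chkconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1390000000.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="bash" exe="/bin/bash" subj=appadm_u:appadm_r:appadm_t:s0
type=AVC msg=audit(1390000000.102:202): avc:  denied  { read open } for  pid=2201 comm="bash" name="chkconfig" dev=dm-0 ino=131073 scontext=appadm_u:appadm_r:appadm_t:s0 tcontext=system_u:object_r:chkconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390000000.103:203): avc:  denied  { transition } for  pid=2201 comm="bash" path="/sbin/chkconfig" dev=dm-0 ino=131073 scontext=appadm_u:appadm_r:appadm_t:s0 tcontext=appadm_u:appadm_r:chkconfig_t:s0 tclass=process
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A security context is user:role:type[:level]; only role and type matter here.
    _, srole, stype = fields['scontext'].split(':')[:3]
    _, trole, ttype = fields['tcontext'].split(':')[:3]
    return {
        'perms': set(m.group('perms').split()),
        'srole': srole, 'stype': stype,
        'trole': trole, 'ttype': ttype,
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
    }


def allow_rules(lines):
    """One allow rule per (source type, target type, class), permissions merged."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def domain_transition_rules(src_type, role, exec_type, target_type):
    """Every statement a domain transition src_type -> target_type via exec_type needs.

    The last line is what makes the new context valid for the caller's role;
    without it the transition fails even though every allow rule is present.
    """
    return [
        f"allow {src_type} {exec_type}:file {{ execute read getattr open }};",
        f"allow {src_type} {target_type}:process transition;",
        f"allow {target_type} {exec_type}:file entrypoint;",
        f"type_transition {src_type} {exec_type}:process {target_type};",
        f"role {role} types {target_type};",
    ]


def triage(text):
    """Group all denials; for each failed domain transition emit the full rule set."""
    lines = text.splitlines()
    denials = [d for d in map(parse_avc, lines) if d]
    # Pair a process-transition denial with the file the same source domain
    # was denied 'execute' on (heuristic: one entry file per source domain).
    exec_types = {d['stype']: d['ttype'] for d in denials
                  if d['tclass'] == 'file' and 'execute' in d['perms']}
    transitions = []
    for d in denials:
        if d['tclass'] == 'process' and 'transition' in d['perms']:
            exec_t = exec_types.get(d['stype'], '<exec_type>')
            transitions.extend(
                domain_transition_rules(d['stype'], d['srole'], exec_t, d['ttype']))
    return {'allow': allow_rules(lines), 'transition': transitions}


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT)
    print('# merged allow rules from the denials')
    print('\n'.join(result['allow']))
    print('# full rule set for the failed domain transition(s)')
    print('\n'.join(result['transition']))
```

On a live system feed it `ausearch -m AVC -ts recent` output instead of the constructed sample, and compare the emitted statements against what audit2allow proposes; the `role ... types` line is the one audit2allow will not write for you and is the usual reason a custom role cannot enter an existing domain.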