Re: RBAC to SELinux policy migration

On Mon, Sep 03, 2012 at 11:41:14PM +0100, Marcel Butucea wrote:
> Hello SELinux Team,
> 
> As I am a beginner in deciphering the depths of SELinux I come to you with
> the following predicament in hope of guidance and help:
> 
> We are migrating an application from Solaris to Linux and the main user is
> allowed, through the use of RBAC roles, to run a few system commands like
> svccfg/svcadm (chkconfig on redhat).
> 
> Is it possible, using only SElinux (no sudo), to allow a normal user to run
> chkconfig off/on <service> (basically giving it the ability to add/remove
> services) ?(my ultimate goal would be to allow this user to run other
> "root-only" utilities as well). One of my concerns is that chkconfig might
> have some internal check for the uid of the calling user, ergo blocking
> this account from running the utility irrespective of my selinux policy, is
> my worry legitimate or am I imagining things ?

To clarify the question: You want a user (uid!=0) to perform 
operations on the system that require uid==0? 

In that case: SELinux is an independent addition to the 
traditional Linux permissions (DAC). If DAC requires you to have 
uid==0, SELinux can't override that for you. In short: With 
SELinux you can only deny stuff that was allowed, not allow what 
was denied.

> All my attempts so far have failed, so my second question would be
> where could I find good documentation that applies to this specific
> problem ?

The only real documentation I know of is the 'SELinux Notebook' 
by Richard Haines. It's a good reference. You might want to start 
there.
