Re: RBAC to SELinux policy migration

Clarifying to avoid confusion:

1. I assumed I would be able to give a user the ability to run system utilities like tcpdump, chkconfig, etc. by using SELinux (either by using domain transitions, or by applying a sysadm_u context to the user, or ...).
Is that correct?
2. I am not sure capabilities can do that; my understanding was that they work on a per-file basis, not per user.
3. If the uid is checked by the utility, I won't be able to work around that by means of SELinux, right?

Regards,
Marcel

On 3 September 2012 23:41, Marcel Butucea <marcelbutucea@xxxxxxxxx> wrote:

Hello SELinux Team,

As I am a beginner in deciphering the depths of SELinux, I come to you with the following predicament in the hope of guidance and help:

We are migrating an application from Solaris to Linux, and the main user is allowed, through the use of RBAC roles, to run a few system commands like svccfg/svcadm (chkconfig on Red Hat).

Is it possible, using only SELinux (no sudo), to allow a normal user to run chkconfig off/on <service> (basically giving it the ability to add/remove services)? (My ultimate goal would be to allow this user to run other "root-only" utilities as well.) One of my concerns is that chkconfig might have some internal check for the uid of the calling user, ergo blocking this account from running the utility irrespective of my SELinux policy. Is my worry legitimate, or am I imagining things?

My approach was to try to create an SELinux user with a corresponding SELinux role that manages the app's domain/type and is allowed to transition to all other domains required to run chkconfig, tcpdump or any other system utility usually restricted to root access only. All my attempts so far have failed, so my second question would be: where could I find good documentation that applies to this specific problem?

Thank you for your support!

Best Regards,

Marcel
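The policy-module approach described in the quoted post, written out for one of the named utilities (tcpdump) as an added example; this is not code from the thread and not a reply Marcel received. It assumes a refpolicy-based system (Fedora/RHEL selinux-policy-devel installed), and the names myapp_u, myapp_r, myapp_t and the Linux account appuser are placeholders chosen here. The policy text shows the two pieces the post was missing: a template that declares the confined user domain and role, and an interface that both allows the domain transition into netutils_t (the tcpdump domain) and authorises the new role for that type.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed names: SELinux user myapp_u, role myapp_r, domain myapp_t,
# Linux account "appuser". Needs refpolicy macros (selinux-policy-devel).
set -e

# Emit the type-enforcement source for a module that creates a confined
# user domain and lets its role run the netutils (tcpdump) domain.
myapp_te() {
    cat <<'EOF'
policy_module(myapp, 1.0.0)

## Declares myapp_t (an unprivileged user domain), the role myapp_r,
## and the usual rules a login user domain needs (tty, home dir, ...).
userdom_unpriv_user_template(myapp)

## Domain transition myapp_t -> netutils_t when executing netutils_exec_t
## (tcpdump, arping, ...), plus "role myapp_r types netutils_t;" so the
## role is permitted to own processes in that domain.
netutils_run(myapp_t, myapp_r)
EOF
}

# Build, load and wire the module to a Linux account. Runs only where the
# policy toolchain exists and must be executed as root.
install_myapp_policy() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; nothing loaded" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    myapp_te > "$tmp/myapp.te"
    make -C "$tmp" -f /usr/share/selinux/devel/Makefile myapp.pp
    semodule -i "$tmp/myapp.pp"

    # The template declares the role and domain but not the SELinux user:
    # create myapp_u carrying myapp_r, then map the Linux login to it.
    semanage user -a -R myapp_r myapp_u
    semanage login -a -s myapp_u appuser

    # Login programs pick the initial context from a per-user file;
    # derive one for myapp_u from the stock user_u entries.
    ctx=/etc/selinux/targeted/contexts/users
    sed 's/user_r:user_t/myapp_r:myapp_t/g' "$ctx/user_u" > "$ctx/myapp_u"

    # SELinux is consulted only after DAC has granted access. A non-root
    # uid has no CAP_NET_RAW, so tcpdump still cannot open a raw socket
    # unless the binary carries file capabilities (the DAC side of the
    # permission). netutils_t already has "self:capability { net_admin net_raw }".
    setcap cap_net_raw,cap_net_admin+ep /usr/sbin/tcpdump
}

# Inspect the compiled policy to confirm the rules are present.
show_rules() {
    sesearch -T -s myapp_t -t netutils_exec_t -c process
    seinfo -r myapp_r -x
}
```

Two caveats a practitioner should keep in mind before copying the approach to other utilities. First, SELinux never grants what discretionary access control has already denied: the kernel evaluates uid/gid/mode and capabilities first, and an SELinux policy rule is consulted only when that check passes, which is why a denial caused by DAC produces no AVC message in the audit log. Second, chkconfig works by creating and deleting symlinks in /etc/rc.d/rc*.d, directories owned by root and not writable by other uids, so no domain transition can make it succeed for a non-root account regardless of any uid check inside the program; the DAC side there has to come from sudo, a setuid helper, or a privileged service the user talks to, with SELinux then confining the resulting domain. Whether the user running these utilities should instead be mapped to staff_u with access to sysadm_r via newrole is a policy decision, but the same DAC rule applies to that route too.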
