Previous Entry Share Next Entry
I need Guinea pigs...

One  of the problems I face, is trying to convince people to use new security products.   They say, "Sure just don't break anything".  The problem is I need Guinea pigs to find out what I break.  In the case of confining the user, I have a problem.  I believe this can be a big security step forward, but how do I get people to use it, if it is not fully tested out?  How do I test it out without getting people to use it?

Now I have taken some involuntary test subjects like my wife, and set her up with a confined user account and worked with her to fix problems in xguest.  I have also taken the Jonas Salk approach and tested on my self.  I have been running as the staff_u user for the entire run of Rawhide since Fedora 8.

So I am now beginning to Beg co-workers to try it out.  As people start to install Fedora 9, I want them to try out confined users.  The simplest user for an engineer to try is staff_u with a transition to unconfined_t when you become root.

This is how I set this up.

First you need to modify the SELinux user record to allow it to reach the unconfined_r.  You also want to allow it to reach the system_r since you might be restarting services which need to run as system_r.  The command is a little ugly but follow along

# semanage user -m -R"staff_r unconfined_r system_r" staff_u
This tells the system to modify the staff_u user and allow it to reach the staff_r, unconfined_r and system_r roles.

Now we need to modify the login account to login as the staff_u SELinux user.

We can either change the default, so all users by default will login as the staff_u user.

# semanage login -m -s staff_u __default__

Or we can add a record just for my Linux user "dwalsh"

# semanage login -a -s staff_u -r s0-s0:c0.c1023 dwalsh

Finally I want to setup a sudo to allow me to transition from staff_t to unconfined_t when running commands using sudo.

Add a record like to following using visudo

dwalsh  ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r   ALL

Now logout and log back in and you should be running as staff_u:staff_r:staff_t,

Execute "sudo sh" and you should be running as staff_u:unconfined_r:unconfined_t.

One caveat for this environment is currently userhelper apps will not work (system-config-*) when executed from staff_t,  But you can run them from the sudo root account.

What does this buy you?  While running in staff_t you will not be allowed to run any setuid application that is not confined.  So if somehow you were tricked into running a setuid app on your machine to become root, it will fail.  You will automatically transition to nsplugin so  your firefox will have confinement.  The ONLY way to become root/unconfined_t is through sudo, which is a well studied application.  If you run attempt to run su, you will be denied.

So do I have any volunteers????

I am fixing a typo in the command above sorry about reposting.

Also if you want to reverse the changes listed above

You could execute

semanage login -d dwalsh

Will remove the record and put dwalsh back to the default.

# semanage login -m -s unconfined_u __default__

Would set the default logins to be unconfined_u (the default)

Re: staff_r role privileges


2008-08-13 09:38 am (UTC)

Hi Dan,

I've created admin_u selinux user, with staff_r and sysadm_r roles assigned:

[root@xyz ~]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0
admin admin_u s0
root root s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023

[root@xyz ~]# semanage user -l

Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles

admin_u staff s0 s0-s0:c0.c1023 sysadm_r staff_r
root sysadm s0 s0-s0:c0.c1023 system_r sysadm_r staff_r
staff_u staff s0 s0-s0:c0.c1023 staff_r
sysadm_u sysadm s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0 user_r

I've set up sudoers as follows for admin user:-

ADMIN ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /sbin/reboot

Now when I issue reboot command:-

[admin@xyz ~]$ id -Z
[admin@xyz ~]$ sudo /sbin/reboot

A lot of avc message were generated. When I used audit2allow utility on these messages I got following "type-enforcement" file :-

module test 1.0;

require {
type sysadm_t;
type staff_t;
type sysadm_devpts_t;
type staff_devpts_t;
type staff_tty_device_t;
type tty_device_t;
type sysadm_tty_device_t;
type pam_var_run_t;
type usr_t;
type proc_t;
type kernel_t;
class process { siginh transition setexec noatsecure rlimitinh };
class capability { setuid sys_resource dac_override };
class key search;
class chr_file { relabelfrom relabelto getattr write };
class file { read getattr write create entrypoint unlink execute execute_no_trans };
class dir { write remove_name add_name search getattr };

#============= staff_t ==============
allow staff_t kernel_t:key search;
allow staff_t self:capability { setuid sys_resource dac_override };
allow staff_t staff_tty_device_t:chr_file { relabelfrom relabelto };
allow staff_t tty_device_t:chr_file { write getattr };
allow staff_t sysadm_tty_device_t:chr_file { relabelto relabelfrom getattr };
allow staff_t staff_devpts_t:chr_file { relabelto relabelfrom };
allow staff_t sysadm_devpts_t:chr_file { relabelto relabelfrom};
allow staff_t pam_var_run_t:dir { write remove_name add_name search getattr };
allow staff_t pam_var_run_t:file { write read create unlink };
allow staff_t self:process setexec;
allow staff_t sysadm_t:process { siginh rlimitinh transition noatsecure };

#============= sysadm_t ==============
allow sysadm_t sysadm_devpts_t:chr_file { relabelto relabelfrom };
allow sysadm_t usr_t:file { entrypoint execute execute_no_trans } ;

Still admin user is not able to reboot the machine. Following avc message keeps on coming:-

Aug 13 14:39:55 xyz kernel: audit(1218618595.898:5): avc: denied { transition } for pid=2058 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

This avc is translated into :-

allow staff_t sysadm_t:process transition;

I've already allowed this in last line of "staff_t" rules in .te file above.

Is there something I'm missing???


No HTML allowed in subject


(will be screened)


Log in