REPOSTING WITH SOME FIXES
One of the problems I face, is trying to convince people to use new security products. They say, "Sure just don't break anything". The problem is I need Guinea pigs to find out what I break. In the case of confining the user, I have a problem. I believe this can be a big security step forward, but how do I get people to use it, if it is not fully tested out? How do I test it out without getting people to use it?
Now I have taken some involuntary test subjects like my wife, and set her up with a confined user account and worked with her to fix problems in xguest. I have also taken the Jonas Salk approach and tested on my self. I have been running as the staff_u user for the entire run of Rawhide since Fedora 8.
So I am now beginning to Beg co-workers to try it out. As people start to install Fedora 9, I want them to try out confined users. The simplest user for an engineer to try is staff_u with a transition to unconfined_t when you become root.
This is how I set this up.
First you need to modify the SELinux user record to allow it to reach the unconfined_r. You also want to allow it to reach the system_r since you might be restarting services which need to run as system_r. The command is a little ugly but follow along
# semanage user -m -R"staff_r unconfined_r system_r" staff_u
This tells the system to modify the staff_u user and allow it to reach the staff_r, unconfined_r and system_r roles.
Now we need to modify the login account to login as the staff_u SELinux user.
We can either change the default, so all users by default will login as the staff_u user.
# semanage login -m -s staff_u __default__
Or we can add a record just for my Linux user "dwalsh"
# semanage login -a -s staff_u -r s0-s0:c0.c1023 dwalsh
Finally I want to setup a sudo to allow me to transition from staff_t to unconfined_t when running commands using sudo.
Add a record like to following using visudo
dwalsh ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
Now logout and log back in and you should be running as staff_u:staff_r:staff_t,
Execute "sudo sh" and you should be running as staff_u:unconfined_r:unconfined_t.
One caveat for this environment is currently userhelper apps will not work (system-config-*) when executed from staff_t, But you can run them from the sudo root account.
What does this buy you? While running in staff_t you will not be allowed to run any setuid application that is not confined. So if somehow you were tricked into running a setuid app on your machine to become root, it will fail. You will automatically transition to nsplugin so your firefox will have confinement. The ONLY way to become root/unconfined_t is through sudo, which is a well studied application. If you run attempt to run su, you will be denied.
So do I have any volunteers????
I am fixing a typo in the command above sorry about reposting.
Also if you want to reverse the changes listed above
You could execute
semanage login -d dwalsh
Will remove the record and put dwalsh back to the default.
# semanage login -m -s unconfined_u __default__
Would set the default logins to be unconfined_u (the default)
Dan Walsh's Blog
- I need Guinea pigs...