Roles Based Access Control (RBAC)
Sorry about not writing for a while; I got wrapped up in work.

Roles Based Access Control with SELinux.

One of the underused features of SELinux is Roles Based Access Control (RBAC). In the targeted policy RBAC is not really used; pretty much everything runs in the same role (system_r).

The idea of SELinux RBAC is to define a role, say auditadm_r, which defines all the applications/files that a user in that role can run/manage. A user would log in in one of the default user roles, and when they wanted to administer the audit programs they would have to change roles. The newrole command does this. So a user might log in with staff_r. The user would execute newrole -r auditadm_r; the tool verifies that the role change is being done by a human being by prompting for the user's password. At this point he would be allowed to execute all programs that can be run by auditadm_r and would lose the ability to execute programs allowed to staff_r. newrole also changes the type of the running process. By convention the type matches the role, so he would now be running in a shell of auditadm_r:auditadm_t. newrole is also the tool used to change the "Sensitivity Level" or MLS level of the shell. One confusing part of changing role is that you are also confined by the type, so files that you create will be labeled relative to your type and role, and you will not necessarily have access to files in your home directory if the new role/type is not allowed access to them.
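As an added illustration (not code from this post or from SELinux/newrole), a small Python model of the checks a newrole -r role change depends on: the target role must be authorized for the SELinux user, the new type must be authorized for the role, and the current role must be allowed to change into the target at all. The policy tables, the SELinux user names (user_u, staff_u, system_u) and the ROLE_TRANSITIONS table are constructed assumptions; the same check governs the staff_r plus bindadm_r setup suggested in the comments below.

```python
# Toy model of the RBAC checks behind `newrole -r` (added example, not SELinux or
# newrole source); the policy tables are constructed and mirror the post's roles.
from dataclasses import dataclass
# Roles each SELinux user is authorized for (cf. `semanage user -l`).
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "auditadm_r", "secadm_r", "sysadm_r"},
    "system_u": {"system_r"},
}
# Types each role may run in; by convention foo_r runs in foo_t.
ROLE_TYPES = {
    "user_r": {"user_t"}, "staff_r": {"staff_t"}, "auditadm_r": {"auditadm_t"},
    "secadm_r": {"secadm_t"}, "sysadm_r": {"sysadm_t"}, "system_r": {"init_t"},
}
# Role changes a running process may request; user_r cannot change roles at all.
ROLE_TRANSITIONS = {"staff_r": {"auditadm_r", "secadm_r", "sysadm_r"}}

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        if len(parts) < 3:
            raise ValueError(f"not a context: {text!r}")
        # An MLS range such as s0-s15:c0.c1023 itself contains a colon.
        return cls(parts[0], parts[1], parts[2], ":".join(parts[3:]) or "s0")

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.level}"

def is_valid(ctx):
    """A context is accepted only if the user may hold the role and the role the type."""
    return (ctx.role in USER_ROLES.get(ctx.user, set())
            and ctx.type in ROLE_TYPES.get(ctx.role, set()))

def newrole(ctx, new_role, authenticated=True):
    """Model of `newrole -r`: user and level are kept, role and type change together."""
    if not authenticated:  # newrole re-prompts for the user's password first
        raise PermissionError("password check failed")
    if new_role not in ROLE_TRANSITIONS.get(ctx.role, set()):
        raise PermissionError(f"{ctx.role} may not change to {new_role}")
    new_ctx = Context(ctx.user, new_role, new_role[:-2] + "_t", ctx.level)
    if not is_valid(new_ctx):
        raise PermissionError(f"{new_ctx} is not authorized for {ctx.user}")
    return new_ctx
```

Running newrole(Context.parse("staff_u:staff_r:staff_t:s0"), "auditadm_r") yields staff_u:auditadm_r:auditadm_t:s0, while the same request from user_u:user_r:user_t:s0 is refused because user_r may not change roles.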

Remember that SELinux is a parallel universe to the DAC controls. So if you need to run applications as root, you will still need to use su or sudo to get past the DAC permissions.

In the strict policy we have defined the following roles:

user_r, which is the least powerful user role. Users in it can do everything a normal user can but have no access to the administrator roles.

staff_r, which is very similar to user_r, except that staff_r can become other roles.

sysadm_r, which is basically the system administrator role.

system_r, which is the role of applications started by the system, as opposed to applications started by a particular user or sysadm.

In the MLS policy we subdivide the sysadm_r role by adding:

auditadm_r, which is allowed to control the auditing subsystem. He is allowed to change the audit rules and monitor the audit logs. He is not allowed to execute most SELinux utilities.

secadm_r, who is allowed to run all of the SELinux utilities: change booleans, set the enforcing mode, load_policy, etc. He is not allowed to install software or do other administrative work.

sysadm_r has these privileges removed.

The goal of RBAC in MLS is not necessarily to stop a malicious admin from getting around these controls, but rather to make admins understand their role and stop them from making mistakes. For example, since secadm_r can turn off enforcing mode, he could turn it off and then be allowed to manage the machine.

One of the experiments I would like to look into would be to define a type, say apacheadm_t, which could be allowed to manipulate only the apache configuration files. It would be an interesting experiment to see if we could allow this admin to run all editors and coreutils as root but only be able to edit /etc/httpd and /var/www/html.

One problem with doing this blog is that sometimes I run out of ideas of what to talk about (writer's block). So please email me <> with ideas of what you would like me to talk about.

Solve a common problem every week with a thorough and complete work-through.

* You have a shared box on which untrusted users host websites, run cron jobs, and run perl scripts, perhaps even run shell scripts (i.e. a typical web hosting scenario) - how do you prevent:
* users reading each other's files (or writing..)
* users viewing each other's processes
* users determining a list of customers or available websites


apache mod_rsbac :P

Re: easy

Interesting, but it's pretty much unknown, which is why an article is needed.
Also - it doesn't look like it covers the other points - perl scripts, cron jobs, etc.

Re: easy

Everything is covered by rsbac.
mod_rsbac simply provides a way for apache to label its subprocesses (= give them a role id+name) so that you can define which types this/these roles have access to.
Be it perl, php, cron, anything, it will work.

I'm currently trying to set up a bindadm user akin to your hypothetical apacheadm_t. I'm running FC6 with the strict policy; do I understand from your post that I can only set up such a user if I use the mls policy, or is there a way for me to shoehorn it into strict? Mainly the problem I'm currently running into is that I can't seem to get sshd to transition into the bindadm_u:bindadm_r:bindadm_t:s0 context when the bindadm user logs in.

Note that I've only recently started hacking on this, and the last two weeks I've spent googling and reading docs (a lot of which are frustratingly out-of-date as they reference FC2), so I accept that it's entirely possible that I'm missing something completely obvious here. Seems like it'd be a good one-off for this blog, though - how to set up a new user context from scratch.

You do not want to log in directly to bindadm_t.

RBAC works with both the MLS and the strict policy.

I think it would be easier to set up a user with both staff_r and bindadm_r and then log in as staff_t and newrole to bindadm_r.
