Dan Walsh's Blog

Got SELinux?


Difference between a Confined User (staff_u) and a Confined Administrator.
danwalsh
Confined users have been around for a while, and several people have used them.  I use the staff_u user for my logins.

staff_u:staff_r:staff_t:s0-s0:c0.c1023

One common mistake people make when they use confined users is they expect them to work when running as root.

Which of course they don't!!!  They are CONFINED.

The idea of a confined user is to control the access that is available to a logged in user.  If the user needs to do administrative tasks as root, he needs to become a Confined Administrator.

This means if you are logged in as a confined user SELinux will prevent you from running most programs that will make you root including "su".

In SELinux we have the concept of a process transition.  When we use confined users we like to transition the Confined User process to a Confined Administrator when the process needs to run as root.    Another way to look at this is Role-Based Access Control (RBAC), which means that when I log into a machine I have one Role, but if I want to administrate the machine I need to switch to a different Role.

In SELinux we currently have two different ways to change Roles, or to switch from a Confined User to a Confined Administrator.

  1. newrole - This command can be executed by a user and will request that the SELinux kernel change its role, if allowed by policy.  The problem with this tool is you still need to change to root, via su or sudo.

  2. sudo - We allow you to change both your SELinux Role/Type in sudo as well as become root.

In my case I run my login as staff_u:staff_r:staff_t:s0-s0:c0.c1023, and when I execute a command through sudo, sudo transitions my process to staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.  If you want to run with a slightly confined administrator you could set up a transition to staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023, which I like to call the drunken unconfined_t: it can do everything unconfined_t can do, but stumbles around a lot.

We also have a few other confined administrators like:

  1. webadm_t, which can only administrate apache types.

  2. dbadm_t which can administrate types associated with mysql and postgresql.

  3. logadm_t which can administrate types associated with syslog and auditlog

  4. secadm_t which can only administrate SELinux controls

  5. auditadm_t which can only administrate the audit subsystem.

It is fairly easy to add additional confined administrator types using sepolicy/sepolgen.

To configure a Confined User/Confined Administrator pair, you need to do a few steps.

Note: You could skip the first two steps and just use staff_u

Step 1:  Create a Brand New SELinux User Definition confined_u

# semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r webadm_r sysadm_r system_r" confined_u

Note: I added the role staff_r, which will be the role of the confined user when he logs in.  The other roles are potential roles that the user will use when he is an administrator.  Only one of these roles is required ("unconfined_r webadm_r sysadm_r"), but I added them all to give you options.  system_r is in there to allow you to restart system services.  You would not need this on a systemd system, or if you were going to use run_init.  But if you want to just use "service restart foobar" on a System V system like RHEL6 you need to have this role.

Step 2:  We need to setup the default context file to tell programs like sshd or xdm which one of the roles/types we would like to use by default.  We are simply going to copy the staff_u context file.  You could also use IPA to override this selection.

# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u

Step 3: Now we want to configure our Linux Account to use the SELinux User

# semanage login -a -s confined_u -r s0-s0:c0.c1023 dwalsh

Note: Instead of using a user name you could use a Linux group like wheel, by specifying %wheel.  Also, if you want to modify the default for all users that are not specified, you could use the name __default__.

Step 4:  Now you need to configure sudo to transition your Confined User process to a Confined Administrator.
You can either modify the /etc/sudoers file with a line like the following:

echo "%wheel    ALL=(ALL)  TYPE=unconfined_t ROLE=unconfined_r    ALL" >> /etc/sudoers

Or add a file to /etc/sudoers.d

echo "dwalsh   ALL=(ALL)  TYPE=webadm_t ROLE=webadm_r   /bin/sh " > /etc/sudoers.d/dwalsh

It would not hurt to relabel your homedir at this point.

# restorecon -R -v /home/dwalsh

Now if you were already logged in as your user account, you were probably running processes as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, so you might want to reboot to make sure everything is cleaned up.

After reboot, when you login you should see your processes running as

> id -Z
confined_u:staff_r:staff_t:s0-s0:c0.c1023


Now you should not be allowed to run the su command (unless you newrole to an admin role), but if you execute

> sudo -i
# id -Z
confined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
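The steps above, from the semanage user definition through the sudoers line and the final id -Z check, fit together as one small dry-run script. This is an added example, not code from the original post: it only prints the commands (so it runs on a host without SELinux) and checks that the administrator role named in the sudoers line is actually one of the roles granted to the SELinux user, which is the usual reason a sudo transition is denied. The function names are my own; confined_u, dwalsh, staff_r, webadm_r and the s0-s0:c0.c1023 range are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run helpers for the
# confined user / confined administrator setup. Commands are printed, never
# executed. Function names are assumptions; the SELinux names come from the post.

# Fields of an SELinux context "user:role:type:range". The range itself
# contains colons (s0-s0:c0.c1023), so it is everything from field 4 on.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# True when a context (e.g. the output of `id -Z`) carries the expected
# SELinux user and role; use it to confirm a login landed in staff_r and
# that sudo moved the process to the administrator role.
check_ctx() {
  [ "$(ctx_user "$1")" = "$2" ] && [ "$(ctx_role "$1")" = "$3" ]
}

# True when role $1 appears in the space-separated role list $2 (the list
# given to `semanage user -R`). A sudoers ROLE= outside this list cannot be
# reached, so the transition fails even though sudo itself succeeds.
role_allowed() {
  for r in $2; do            # intentional word splitting of the list
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# One sudoers line: who, admin role, admin type, command spec.
sudoers_line() {
  printf '%s\tALL=(ALL)\tTYPE=%s ROLE=%s\t%s\n' "$1" "$3" "$2" "$4"
}

# Print the commands for steps 1-4 for a SELinux user, a Linux login, the
# role list, and the admin role/type pair. Refuses to proceed when the login
# role staff_r or the admin role is missing from the role list.
plan_confined_pair() {
  seuser=$1 login=$2 roles=$3 admin_role=$4 admin_type=$5
  range='s0-s0:c0.c1023'
  role_allowed staff_r "$roles" || return 1
  role_allowed "$admin_role" "$roles" || return 1
  echo "semanage user -a -r $range -R \"$roles\" $seuser"
  echo "cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/$seuser"
  echo "semanage login -a -s $seuser -r $range $login"
  printf '# contents for /etc/sudoers.d/%s:\n' "$login"
  sudoers_line "$login" "$admin_role" "$admin_type" ALL
  echo "restorecon -R -v /home/$login"
}

# Usage: plan for dwalsh becoming a web administrator through sudo.
plan_confined_pair confined_u dwalsh \
  "staff_r unconfined_r webadm_r sysadm_r system_r" webadm_r webadm_t
```

After applying the printed commands and logging back in, check_ctx "$(id -Z)" confined_u staff_r should succeed in the login shell, and check_ctx "$(sudo id -Z)" confined_u webadm_r after the sudo transition; a sudoers line whose ROLE= is not in the semanage role list is the first thing to rule out when the second check fails.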

confined system accounts?

George Karakou

2014-01-30 01:19 pm (UTC)

Hello Dan. On a systemd-enabled machine what do you think is the appropriate role for the system accounts (postfix, mysql, apache etc.) when one has disabled unconfineduser and unconfined domain? I am thinking user_r but can this identity/role (user_u/user_r) restart system services? Even though DAC rules forbid these accounts to access a shell, I think the best practice would be to confine them with SELinux RBAC to prevent even the slightest possibility for a privilege escalation.

Re: confined system accounts?

danwalsh

2014-01-31 01:34 pm (UTC)

If you have a normal user on a machine, then I would run them with the user_u:user_r:user_t:s0-s0:c0.c1023 types. Normal user means someone who will never become an administrator. If I want someone to administrate some component of the machine I would log them in as staff_u:staff_r:staff_t:s0 and have them transition to a confined admin role through sudo like webadm_r. If I want to allow a user to be a full admin I would log them in as staff_u:staff_r:staff_t... And have them transition to sysadm_r:sysadm_t through sudo.

If you want to have users with different capabilities on the same machine you could create additional user types like mywebadm_u which would login by default as staff_r and transition to webadm_r.

how can I add new role

Lubos Puskas

2014-03-30 11:41 am (UTC)

Dear Dan,
I know SELinux has many default roles, but if I want to create a new role, for example like package_admin in Windows, is it possible?
How can I create a new role in SELinux? I read some old tutorial about this topic but seedit doesn't work for me on Fedora 19. Is it possible to copy a default role and just change some privileges?
Thanks

Re: how can I add new role

danwalsh

2014-03-31 01:01 pm (UTC)

You need to write policy to add a new role.

In Fedora and RHEL7 you can execute

# sepolicy generate --confined_admin -n package_admin

Then I would add a something like the following to my package_admin.te

rpm_run(package_admin_t, package_admin_r)

Re: how can I add new role

Lubos Puskas

2014-03-31 09:47 pm (UTC)

Thanks for your interest in it.
But if I run your command
____________________________________________________________________
[root@localhost roles]# sepolicy generate --confined_admin -n package_admin
Created the following files:
/usr/share/selinux/devel/include/roles/package_admin.te # Type Enforcement file
/usr/share/selinux/devel/include/roles/package_admin.if # Interface file
/usr/share/selinux/devel/include/roles/package_admin.fc # File Contexts file
/usr/share/selinux/devel/include/roles/package_admin_selinux.spec # Spec file
/usr/share/selinux/devel/include/roles/package_admin.sh # Setup Script
____________________________________________________________________


And after I compile it with make -f I get an error
____________________________________________________________________
[root@localhost roles]# make -f /usr/share/selinux/devel/Makefile
m4:/usr/share/selinux/devel/include/roles/package_admin.if:2: ERROR: end of file in comment
Compiling targeted package_admin module
/usr/bin/checkmodule: loading policy configuration from tmp/package_admin.tmp
package_admin.te":22:ERROR 'syntax error' at token 'domain_type' on line 3235:
#line 22
domain_type(package_admin_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/package_admin.mod] Error 1
____________________________________________________________________

Where can the problem be?
I want to try to implement my own role but I haven't found a tutorial for RHEL 7 on creating a new role. I read your journal but I found an implementation just for RHEL 5, and this is not working for me :(

Re: how can I add new role

danwalsh

2014-04-01 12:39 pm (UTC)

What policy are you using?

rpm -q selinux-policy

The domain_type interface should be defined in the /usr/share/selinux/devel/include/kernel/domain.if file.

It would probably be easier to carry on this conversation on email.

dwalsh@redhat.com
