confined system accounts?

Hello Dan. On a systemd-enabled machine, what do you think is the appropriate role for the system accounts (postfix, mysql, apache, etc.) when one has disabled unconfineduser and unconfined domain? I am thinking user_r, but can this identity/role (user_u/user_r) restart system services? Even though DAC rules forbid these accounts to access a shell, I think the best practice would be to confine them with SELinux RBAC to prevent even the slightest possibility of a privilege escalation.

Re: confined system accounts?

If you have a normal user on a machine, then I would run them with the user_u:user_r:user_t:s0-s0:c0.c1023 types. Normal user means someone who will never become an administrator. If I want someone to administrate some component of the machine I would log them in as staff_u:staff_r:staff_t:s0 and have them transition to a confined admin role through sudo like webadm_r. If I want to allow a user to be a full admin I would log them in as staff_u:staff_r:staff_t... and have them transition to sysadm_r:sysadmin_t through sudo.

If you want to have users with different capabilities on the same machine you could create additional user types like mywebadm_u which would login by default as staff_r and transition to webadm_r.

how can I add new role

Dear Dan,
I know SELinux has many default roles, but if I want to create a new role, for example like package_admin in Windows, is it possible?
How can I create a new role in SELinux? I read some old tutorials about this topic but seedit doesn't work for me on Fedora 19. Is it possible to copy a default role and just change some privileges?

Re: how can I add new role

You need to write policy to add a new role.

In Fedora and RHEL7 you can execute

# sepolicy generate --confined_admin -n package_admin

Then I would add something like the following to my package_admin.te

rpm_run(package_admin_t, package_admin_r)

Re: how can I add new role

Thanks for your interest in it.
But when I run your command
[root@localhost roles]# sepolicy generate --confined_admin -n package_admin
Created the following files:
/usr/share/selinux/devel/include/roles/package_admin.te # Type Enforcement file
/usr/share/selinux/devel/include/roles/package_admin.if # Interface file
/usr/share/selinux/devel/include/roles/package_admin.fc # File Contexts file
/usr/share/selinux/devel/include/roles/package_admin_selinux.spec # Spec file
/usr/share/selinux/devel/include/roles/package_admin.sh # Setup Script

And when I compile it with make -f I get an error
[root@localhost roles]# make -f /usr/share/selinux/devel/Makefile
m4:/usr/share/selinux/devel/include/roles/package_admin.if:2: ERROR: end of file in comment
Compiling targeted package_admin module
/usr/bin/checkmodule: loading policy configuration from tmp/package_admin.tmp
package_admin.te":22:ERROR 'syntax error' at token 'domain_type' on line 3235:
#line 22
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/package_admin.mod] Error 1

Where can the problem be?
I want to try to implement my own role, but I didn't find a tutorial for RHEL 7 on creating a new role. I read your journal but I found an implementation just for RHEL 5, and this is not working for me :(

Re: how can I add new role

What policy are you using?

rpm -q selinux-policy

The domain_type interface should be defined in /usr/share/selinux/devel/include/kernel/domain.if

It would probably be easier to carry on this conversation on email.
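One way to check that diagnosis offline, as an added example that is not Dan's code or part of the thread: a small POSIX shell script that lists every interface or template a .te module calls but no .if file under the devel include tree defines. When m4 cannot expand a call, it leaves the name in place and checkmodule reports "syntax error at token '<name>'", which is the shape of the error above. The mini include tree and package_admin.te it runs against are constructed stand-ins, not the real sepolicy output.

```shell
# Added example, not code from the thread. List every interface/template called
# in a .te module that no .if file under the include tree defines; an unexpanded
# call is what makes checkmodule fail with "syntax error at token '<name>'".
export LC_ALL=C
# Names called macro-style at the start of a line in the .te, minus the
# policy-language constructs that also take parentheses.
te_calls() {
    sed -nE 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)\(.*/\1/p' "$1" \
        | grep -vE '^(policy_module|gen_require|gen_tunable|optional_policy|tunable_policy|ifdef|ifndef|ifelse)$' \
        | sort -u
}
# Names defined by interface(`name', ...) or template(`name', ...) in any .if file.
if_defs() {
    find "$1" -name '*.if' -exec sed -nE \
        "s/^[[:space:]]*(interface|template)\(\`([A-Za-z_][A-Za-z0-9_]*)'.*/\2/p" {} + \
        | sort -u
}
# Usage: missing_interfaces package_admin.te /usr/share/selinux/devel/include
missing_interfaces() {
    tmp=$(mktemp -d)
    te_calls "$1" > "$tmp/calls"
    if_defs "$2" > "$tmp/defs"
    comm -23 "$tmp/calls" "$tmp/defs"
    rm -rf "$tmp"
}
# Constructed stand-in tree: a minimal kernel/domain.if and a package_admin.te
# shaped like the sepolicy output above, but with no rpm.if or userdom.if present.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/include/kernel"
    cat > "$d/include/kernel/domain.if" <<'EOF'
interface(`domain_type',`
    typeattribute $1 domain;
')
EOF
    cat > "$d/package_admin.te" <<'EOF'
policy_module(package_admin, 1.0.0)
domain_type(package_admin_t)
userdom_base_user_template(package_admin)
rpm_run(package_admin_t, package_admin_r)
EOF
    missing_interfaces "$d/package_admin.te" "$d/include"
    rm -rf "$d"
}
demo
```

Against the constructed tree it prints rpm_run and userdom_base_user_template; against a real /usr/share/selinux/devel/include an empty result means every call in the module has a definition for m4 to expand.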
