May 8th, 2006

Using RBAC In FC5/MLS Policy

Setting up an RBAC account under MLS is a multi-step process.

By default all accounts on an MLS machine, except for the root account, use the user_u SELinux user; the root account uses the root SELinux user. To take advantage of the RBAC controls you need to do the following steps. For this example I will establish the user dwalsh and allow him to be in the staff role and the auditor role.

First, set up a login account:

# useradd dwalsh
# passwd dwalsh

MLS policy does not ship with an SELinux audit user, so we need to create one:

# semanage user -a -R staff_r -R auditadm_r -P staff audit_u

This command creates a new SELinux user named audit_u with two roles, staff_r and auditadm_r. I also set the default prefix to staff; the prefix is used to label the user's home directory.

Now we set up a mapping between the Linux user "dwalsh" and the SELinux user "audit_u":

# semanage login -a -s audit_u -r SystemLow-SystemHigh dwalsh

Note that I have also set the default range for dwalsh to SystemLow-SystemHigh. Since audit runs at SystemHigh, I need this range.

Finally I need to relabel my home directory, since I changed the default prefix from user to staff:

# restorecon -R -v ~dwalsh

I should now be able to log in to my account.

login: dwalsh
Password: xxxxxxx

> id -Z
audit:staff_r:staff_t:SystemLow-SystemHigh

> su
Password:

# newrole -r sysadm_r
Authenticating dwalsh.
Password:
audit:sysadm_r:sysadm_t:SystemLow-SystemHigh is not a valid context

# newrole -r auditadm_r -l SystemHigh
Authenticating dwalsh.
Password:

# id -Z
audit:auditadm_r:auditadm_t:SystemHigh

# /sbin/auditctl -l
LIST_RULES: entry,always syscall=setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
LIST_RULES: entry,always syscall=mknod
LIST_RULES: entry,always syscall=mount
LIST_RULES: entry,always syscall=settimeofday,adjtimex
LIST_RULES: exit,always watch=/var/log/audit (0xe) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/etc/auditd.conf (0x10) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/etc/audit.rules (0x10) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/usr/sbin/stunnel (0x11) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
LIST_RULES: exit,always watch=/var/spool/at (0xd) syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown
...
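As an added check that is not part of the original post: a small script that reads the `semanage login -l` and `semanage user -l` tables (constructed sample data here, in an approximation of their column layout) and predicts whether a login can `newrole` into a given role and level. It reproduces the sysadm_r denial shown above: audit_u was created with only staff_r and auditadm_r, so the login-to-user-to-role chain has no sysadm_r in it.

```shell
#!/bin/bash
# Added check (not from the original post): given the semanage login and user
# tables, decide whether LOGIN could run 'newrole -r ROLE -l LEVEL'. The two
# tables are constructed sample data approximating FC5-era semanage output.
SEMANAGE_LOGIN='Login Name    SELinux User  MLS/MCS Range
__default__   user_u        SystemLow
root          root          SystemLow-SystemHigh
dwalsh        audit_u       SystemLow-SystemHigh'
SEMANAGE_USER='SELinux User  Prefix  MLS/MCS Level  MLS/MCS Range         SELinux Roles
user_u        user    SystemLow      SystemLow             user_r
root          user    SystemLow      SystemLow-SystemHigh  staff_r sysadm_r secadm_r auditadm_r
audit_u       staff   SystemLow      SystemLow-SystemHigh  staff_r auditadm_r'

# login_entry LOGIN -> "SEUSER RANGE", falling back to the __default__ mapping
login_entry() {
    e=$(printf '%s\n' "$SEMANAGE_LOGIN" | awk -v l="$1" '$1 == l { print $2, $3 }')
    [ -n "$e" ] || e=$(printf '%s\n' "$SEMANAGE_LOGIN" | awk '$1 == "__default__" { print $2, $3 }')
    printf '%s\n' "$e"
}

# user_has_role SEUSER ROLE -> exit 0 if ROLE is in SEUSER's role list (column 5 onward)
user_has_role() {
    printf '%s\n' "$SEMANAGE_USER" | awk -v u="$1" -v r="$2" '
        $1 == u { for (i = 5; i <= NF; i++) if ($i == r) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# range_allows RANGE LEVEL -> exit 0 if LEVEL is the low or high end of RANGE.
# Only the named levels SystemLow/SystemHigh are modelled; general MLS dominance is out of scope.
range_allows() {
    low=${1%%-*}; high=${1##*-}
    [ "$2" = "$low" ] || [ "$2" = "$high" ]
}

# can_newrole LOGIN ROLE LEVEL -> prints a verdict; exit 0 only if the chain
# login -> SELinux user -> role, plus the login's range, would permit the transition.
can_newrole() {
    login=$1; role=$2; level=$3
    set -- $(login_entry "$login"); seuser=$1; range=$2
    if ! user_has_role "$seuser" "$role"; then
        echo "DENY: SELinux user $seuser (login $login) has no role $role"; return 1
    fi
    if ! range_allows "$range" "$level"; then
        echo "DENY: level $level is outside $login's range $range"; return 1
    fi
    echo "OK: $login may become $seuser:$role at $level"
}

can_newrole dwalsh auditadm_r SystemHigh
can_newrole dwalsh sysadm_r SystemHigh || :   # mirrors the "not a valid context" failure above
```

On a real machine, replace the two constructed tables with the actual output of `semanage login -l` and `semanage user -l` before trusting the verdict.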