Difference between a Confined User (staff_u) and a Confined Administrator.
Confined users have been around for a while, and several people have used them.  I use the staff_u user for my logins.


One common mistake people make when they use confined users is they expect them to work when running as root.

Which of course they don't!!!  They are CONFINED.

The idea of a confined user is to control the access available to a logged-in user.  If the user needs to do administrative tasks as root, he needs to become a Confined Administrator.

This means that if you are logged in as a confined user, SELinux will prevent you from running most programs that would make you root, including "su".

In SELinux we have the concept of a process transition.  When we use confined users we like to transition the Confined User process to a Confined Administrator when the process needs to run as root.  Another way to look at this is Role-Based Access Control (RBAC): when I log into a machine I have one Role, but if I want to administrate the machine I need to switch to a different Role.

In SELinux we currently have two different ways to change Roles, or to switch from a Confined User to a Confined Administrator.

  1. newrole - This command can be executed by a user and asks the SELinux kernel to change the process's role, if allowed by policy.  The problem with this tool is that you still need to change to root, via su or sudo.

  2. sudo - We allow you to change both your SELinux Role/Type in sudo as well as become root.

In my case I run my login as staff_u:staff_r:staff_t:s0-s0:c0.c1023, and when I execute a command through sudo, sudo transitions my process to staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.  If you want to run with a slightly confined administrator you could set up a transition to staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023, which I like to call the drunken unconfined_t: it can do everything unconfined_t can do, but stumbles around a lot.

We also have a few other confined administrators like:

  1. webadm_t, which can only administrate apache types.

  2. dbadm_t which can administrate types associated with mysql and postgresql.

  3. logadm_t which can administrate types associated with syslog and auditlog

  4. secadm_t which can only administrate SELinux controls

  5. auditadm_t which can only administrate the audit subsystem.

It is fairly easy to add additional confined administrator types using sepolicy/sepolgen.

To configure a Confined User/Confined Administrator pair, you need to do a few steps.

Note: You could skip the first two steps and just use staff_u

Step 1:  Create a Brand New SELinux User Definition confined_u

# semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r webadm_r sysadm_r system_r" confined_u

Note: I added the role staff_r, which will be the role of the confined user when he logs in.  The other roles are potential roles that the user will use when he is an administrator.  Only one of the roles "unconfined_r webadm_r sysadm_r" is required, but I added them all to give you options.  system_r is in there to allow you to restart system services.  You would not need this on a systemd system, or if you were going to use run_init.  But if you want to just use "service restart foobar" on a System V system like RHEL6 you need to have this role.

Step 2:  We need to set up the default context file to tell programs like sshd or xdm which one of the roles/types we would like to use by default.  We are simply going to copy the staff_u context file.  You could also use IPA to override this selection.

# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u

Step 3: Now we want to configure our Linux Account to use the SELinux User

# semanage login -a -s confined_u -rs0:c0.c1023 dwalsh

Note: Instead of using a user name you could use a Linux group like wheel, by specifying %wheel.  Also, if you want to modify the default for all users that are not explicitly specified, you could use the name __default__.

Step 4:  Now you need to configure sudo to transition your Confined User process to a Confined Administrator.
You can either modify the /etc/sudoers file with a line like the following.

echo "%wheel    ALL=(ALL)  TYPE=unconfined_t ROLE=unconfined_r    ALL" >> /etc/sudoers

Or add a file to /etc/sudoers.d

echo "dwalsh   ALL=(ALL)  TYPE=webadm_t ROLE=webadm_r   /bin/sh " > /etc/sudoers.d/dwalsh

It would not hurt to relabel your homedir at this point.

# restorecon -R -v /home/dwalsh

Now if you were already logged in as your user account, you were probably running processes as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, so you might want to reboot to make sure everything is cleaned up.

After reboot, when you log in you should see your processes running as

> id -Z

Now you should not be allowed to run the su command (unless you newrole to an admin role), but if you execute

> sudo -i
# id -Z


confined system accounts?

Hello Dan. On a systemd-enabled machine what do you think is the appropriate role for the system accounts (postfix, mysql, apache etc.) when one has disabled unconfineduser and unconfined domain? I am thinking user_r but can this identity/role (user_u/user_r) restart system services? Even though DAC rules forbid these accounts to access a shell, I think the best practice would be to confine them with SELinux RBAC to prevent even the slightest possibility for a privilege escalation.

Re: confined system accounts?

If you have a normal user on a machine, then I would run them with the user_u:user_r:user_t:s0-s0:c0.c1023 types. Normal user means someone who will never become an administrator. If I want someone to administrate some component of the machine I would log them in as staff_u:staff_r:staff_t:s0 and have them transition to a confined admin role through sudo like webadm_r. If I want to allow a user to be a full admin I would log them in as staff_u:staff_r:staff_t... And have them transition to sysadm_r:sysadm_t through sudo.

If you want to have users with different capabilities on the same machine you could create additional user types like mywebadm_u which would login by default as staff_r and transition to webadm_r.

how can I add new role

Dear Dan,
I know SELinux has many default roles, but if I want to create a new role, for example like package_admin in Windows, is it possible?
How can I create a new role in SELinux? I read some old tutorials about this topic but seedit doesn't work for me on Fedora 19. Is it possible to copy a default role and just change some privileges?

Re: how can I add new role

You need to write policy to add a new role.

In Fedora and RHEL7 you can execute

# sepolicy generate --confined_admin -n package_admin

Then I would add something like the following to my package_admin.te

rpm_run(package_admin_t, package_admin_r)

Re: how can I add new role

Thanks for your interest in it.
But when I run your command
[root@localhost roles]# sepolicy generate --confined_admin -n package_admin
Created the following files:
/usr/share/selinux/devel/include/roles/package_admin.te # Type Enforcement file
/usr/share/selinux/devel/include/roles/package_admin.if # Interface file
/usr/share/selinux/devel/include/roles/package_admin.fc # File Contexts file
/usr/share/selinux/devel/include/roles/package_admin_selinux.spec # Spec file
/usr/share/selinux/devel/include/roles/package_admin.sh # Setup Script

And after I compile it with make -f I get an error
[root@localhost roles]# make -f /usr/share/selinux/devel/Makefile
m4:/usr/share/selinux/devel/include/roles/package_admin.if:2: ERROR: end of file in comment
Compiling targeted package_admin module
/usr/bin/checkmodule: loading policy configuration from tmp/package_admin.tmp
package_admin.te":22:ERROR 'syntax error' at token 'domain_type' on line 3235:
#line 22
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/package_admin.mod] Error 1

Where can the problem be?
I want to try to implement my own role but I haven't found a tutorial for RHEL 7 on creating a new role. I read your journal but I only found an implementation for RHEL 5, and this is not working for me :(

Re: how can I add new role

What policy are you using?

rpm -q selinux-policy

domain_type interface should be defined in the /usr/share/selinux/devel/include/kernel/domain.if

It would probably be easier to carry on this conversation on email.


How can I verify with the sesearch command the permissions (allow rules) of users, for example user_u, or roles, for example staff_r?

Re: users-permissions

You would use seinfo -uUSER -x to see which roles an SELinux user can reach.

seinfo -uuser_u

Users: 1
FC26:~: seinfo -uuser_u -x

Users: 1
user user_u roles user_r level s0 range s0;
FC26:~: seinfo -ustaff_u -x

Users: 1
user staff_u roles { sysadm_r system_r unconfined_r staff_r } level s0 range s0 - s0:c0.c1023;

You would also use seinfo to see what types a particular role can get

seinfo -rROLE -x

seinfo -ruser_r -x

Roles: 1
role user_r types { abrt_helper_t alsa_home_t antivirus_home_t httpd_user_script_t auth_home_t chkpwd_t pam_timestamp_t updpwd_t utempter_t bluetooth_helper_t cdrecord_t chrome_sandbox_t chrome_sandbox_nacl_t chrome_sandbox_home_t container_home_t cronjob_t crontab_t cvs_home_t ddclient_t exim_t fetchmail_home_t fsadm_t git_session_t git_user_content_t data_home_t config_home_t cache_home_t gstreamer_home_t dbus_home_t icc_data_home_t gconf_home_t gconfd_t gnome_home_t gkeyringd_gnome_home_t gpg_t gpg_agent_t gpg_secret_t gpg_helper_t gpg_pinentry_t ipa_helper_t irc_t irc_home_t irc_tmp_t irssi_t irssi_home_t journalctl_t krb5_home_t kismet_home_t loadkeys_t local_login_home_t lpr_t mailman_mail_t mandb_home_t mount_t mozilla_home_t mozilla_plugin_t mozilla_plugin_config_t mpd_user_data_t mpd_home_t mplayer_home_t mail_home_t mail_home_rw_t user_mail_t mysqld_home_t namespace_init_t ping_t traceroute_t nscd_t obex_t oddjob_t oddjob_mkhomedir_t openshift_var_lib_t policykit_auth_t policykit_grant_t polipo_session_t polipo_config_home_t polipo_cache_home_t postfix_postdrop_t postfix_postqueue_t pppd_t procmail_home_t ptchown_t pulseaudio_t pulseaudio_home_t qmail_inject_t qmail_queue_t rlogind_home_t rssh_ro_t rssh_rw_t sandbox_file_t sandbox_xserver_t sandbox_min_t sandbox_min_client_t sandbox_x_t sandbox_x_client_t sandbox_web_t sandbox_web_client_t sandbox_net_t sandbox_net_client_t screen_home_t newrole_t setfiles_t spamc_home_t speech-dispatcher_home_t ssh_t ssh_home_t systemd_home_t telepathy_gabble_t telepathy_cache_home_t telepathy_gabble_cache_home_t telepathy_idle_t telepathy_logger_t telepathy_data_home_t telepathy_logger_cache_home_t telepathy_logger_data_home_t telepathy_mission_control_t telepathy_mission_control_home_t telepathy_mission_control_data_home_t telepathy_mission_control_cache_home_t telepathy_msn_t telepathy_salut_t telepathy_sofiasip_t telepathy_stream_engine_t telepathy_sunshine_t telepathy_sunshine_home_t thumb_t thumb_home_t 
tvtime_home_t uml_ro_t uml_rw_t user_t user_dbusd_t user_gkeyringd_t user_seunshare_t user_wine_t user_ssh_agent_t user_screen_t user_home_dir_t user_home_t user_tmp_t audio_home_t texlive_home_t home_bin_t home_cert_t chfn_t passwd_t svirt_t svirt_tcg_t virt_home_t svirt_home_t virt_content_t virt_bridgehelper_t svirt_socket_t vlock_t vmtools_t vmtools_helper_t vmware_conf_t vmware_file_t wine_home_t wireshark_home_t user_fonts_t user_fonts_cache_t user_fonts_config_t iceauth_t iceauth_home_t xauth_t xauth_home_t xdm_home_t };
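The following is an added example, not code from the post or from the SELinux tools, that ties the post's Step 4 (the sudoers TYPE=/ROLE= entries) to the seinfo output in this reply: a sudo transition can only happen if the ROLE is one of the roles semanage user assigned to the caller's SELinux user, and the TYPE is one of the types seinfo -rROLE -x lists for that role. It parses seinfo -x lines in the shape shown above, sudoers user specs like the ones in the post, and a semanage login -l listing whose column layout is approximated here. All sample data is constructed for the example, the role type lists are shortened, and sudoers names are matched literally against the login mapping (group membership is not resolved).

```python
"""Cross-check a confined-user / confined-admin setup (added example).

A sudo TYPE=/ROLE= transition needs the ROLE among the SELinux user's roles
(semanage user -a ... -R) and the TYPE among that role's types (seinfo -rROLE -x).
Input shapes assumed: seinfo -u<USER> -x, seinfo -r<ROLE> -x, semanage login -l.
"""
import re

SEINFO_USER_RE = re.compile(r"^user\s+(\S+)\s+roles\s+(\{[^}]*\}|\S+)\s+level")
SEINFO_ROLE_RE = re.compile(r"^role\s+(\S+)\s+types\s+(\{[^}]*\}|\S+?);?\s*$")
# sudoers user spec: who host=(runas) [TYPE=.. ROLE=..] command
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?P<opts>(?:\w+=\S+\s+)*)(?P<cmd>.+?)\s*$"
)


def _names(field):
    """'{ a b }' -> {'a', 'b'}; a bare 'a' (single role/type) -> {'a'}."""
    return set(field.strip("{} ").split())


def parse_seinfo(text):
    """Return (user -> roles, role -> types) from seinfo -x lines; other lines are ignored."""
    user_roles, role_types = {}, {}
    for line in text.splitlines():
        mu = SEINFO_USER_RE.match(line.strip())
        mr = SEINFO_ROLE_RE.match(line.strip())
        if mu:
            user_roles[mu.group(1)] = _names(mu.group(2))
        elif mr:
            role_types[mr.group(1)] = _names(mr.group(2))
    return user_roles, role_types


def parse_logins(text):
    """Return login name -> SELinux user from a semanage login -l listing (layout approximated)."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.startswith("Login Name"):
            logins[fields[0]] = fields[1]
    return logins


def parse_sudoers(text):
    """Return sudoers user specs as dicts: who, opts (TYPE/ROLE/...), cmd."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = SUDOERS_RE.match(line) if line and not line.startswith("#") else None
        if m:
            opts = dict(o.split("=", 1) for o in m.group("opts").split())
            entries.append({"who": m.group("who"), "opts": opts, "cmd": m.group("cmd")})
    return entries


def check_sudoers(entries, logins, user_roles, role_types):
    """Return (who, message) for each entry whose SELinux transition cannot work."""
    problems = []
    for e in entries:
        who, role, type_ = e["who"], e["opts"].get("ROLE"), e["opts"].get("TYPE")
        # Literal match against the login mapping, falling back to __default__.
        seuser = logins.get(who, logins.get("__default__"))
        roles = user_roles.get(seuser, set())
        if role is None or type_ is None:
            problems.append((who, "no ROLE=/TYPE=, so sudo requests no SELinux transition"))
        elif role not in roles:
            problems.append((who, f"ROLE={role} is not assigned to SELinux user {seuser}"))
        elif role in role_types and type_ not in role_types[role]:
            problems.append((who, f"TYPE={type_} is not reachable from role {role}"))
    return problems


# Constructed sample data; real role type lists are far longer.
SAMPLE_SEINFO = """\
user confined_u roles { staff_r unconfined_r webadm_r sysadm_r system_r } level s0 range s0 - s0:c0.c1023;
user user_u roles user_r level s0 range s0;
role unconfined_r types { unconfined_t unconfined_dbusd_t };
role webadm_r types { webadm_t httpd_t };
"""
SAMPLE_LOGINS = """\
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
%wheel               confined_u           s0-s0:c0.c1023       *
dwalsh               confined_u           s0:c0.c1023          *
alice                confined_u           s0-s0:c0.c1023       *
bob                  confined_u           s0-s0:c0.c1023       *
"""
SAMPLE_SUDOERS = """\
%wheel    ALL=(ALL)  TYPE=unconfined_t ROLE=unconfined_r    ALL
dwalsh    ALL=(ALL)  TYPE=webadm_t ROLE=webadm_r   /bin/sh
# dbadm_r was never given to confined_u with semanage user ... -R
alice     ALL=(ALL)  TYPE=dbadm_t ROLE=dbadm_r   ALL
# sysadm_t is not one of webadm_r's types
bob       ALL=(ALL)  TYPE=sysadm_t ROLE=webadm_r   ALL
"""


def run_check():
    """Run the check over the constructed samples; findings are expected for alice and bob."""
    user_roles, role_types = parse_seinfo(SAMPLE_SEINFO)
    return check_sudoers(parse_sudoers(SAMPLE_SUDOERS), parse_logins(SAMPLE_LOGINS),
                         user_roles, role_types)


if __name__ == "__main__":
    for who, msg in run_check():
        print(f"{who}: {msg}")
```

To run it against a real host, feed it the output of seinfo -uUSER -x and seinfo -rROLE -x for the SELinux user and roles in question, semanage login -l, and the contents of /etc/sudoers and /etc/sudoers.d. A complementary check is visudo -c -f on each file, which catches sudoers syntax errors but not a ROLE that the user can never reach.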

Re: users-permissions

1. "You would also use seinfo to see what types a particular role can get", what does it mean "role can get"?

2. How can I (root) get info about the current user and role of another logged-on user (I know about the command semanage user -l, but it doesn't show the current state, only the state after a particular user logs on)?

3. So does it mean that if I want to write policy, e.g. for the JBoss application server,
should I create a new user and a new role for it?
Because I'm going to add as few permissions as possible for it.
What are the best practices?

Re: users-permissions

> 1. "You would also use seinfo to see what types a particular role can get", what does it mean "role can get"?

Roles can only reach certain types. You are looking for allow rules, which are associated with types. A role can reach a certain group of types. In order to answer your question about the allow rules for a particular role you need to get the rules associated with the types a role can reach.

> 2. How can I (root) get info about the current user and role of another logged-on user (I know about the command semanage user -l, but it doesn't show the current state, only the state after a particular user logs on)?

You would just grab the label of his current process, probably bash, it should show you the SELinux user associated with that user.

> 3. So does it mean that if I want to write policy, e.g. for the JBoss application server,
should I create a new user and a new role for it?
Because I'm going to add as few permissions as possible for it.
What are the best practices?

You want to define a type for your JBOSS Application, if this is run by the system you want to give it to the system_r role. If it is run by logged in users, then you need to add it to the ROLE of each user role you want to support.

Bottom line is start building your policy around the type.
