[redhat-lspp] Re: Adminstrative Roles - Take Two
Daniel J Walsh
dwalsh at redhat.com
Thu May 11 16:30:54 UTC 2006
Michael C Thompson wrote:
> Daniel J Walsh wrote:
>> Michael C Thompson wrote:
>>> Hey all,
>>>
>>> I'm preempting the minutes from the call to begin a nice solidified
>>> list of things that constitute the permissions of the administrative
>>> users (and staff) on the system. As this gets developed, I will add
>>> it to the Fedora Wiki [ http://fedoraproject.org/wiki/SELinux ].
>>>
>>> I would like to focus more on talking about how the policy should
>>> work, and less about how the policy does work.
>>>
>>> There are 3 administrative roles and 2 user roles:
>>> sysadm_r
>>> secadm_r
>>> auditadm_r
>>>
>>> staff_r
>>> user_r
>>>
>>> From the notes I took on the call:
>>> ----------------------------------
>>>
>>> auditadm's privilages (for administrative actions) are limited to:
>>> auditctl, ausearch and aureport usage
>>> manage /etc/audit* files - this includes read and write
>>> start/stop auditd
>>> view/modify audit log
>>>
>>> Also, Dan said auditadm should be running @ SystemHigh, I know it
>>> affects the audit.log since that is at SystemHigh, but how much does
>>> this affect usage of the tools?
>>>
>>>
>>> secadm is the manager of SELinux policy, semanage tools, enforcing
>>> on/off, load policy, etc. secadm also has privilages to view audit
>>> logs, but not make modifications to them.
>>>
>>>
>>> sysadm does everything else that is not listed above. w.r.t. to an
>>> overlay on auditadm's privilages, the sysadm role can:
>>> start / stop auditd
>>> view /etc/audit* only
>>>
>>> This means sysadm does not have the privilage to modify any
>>> /etc/audit* files, or use any of the audit tools (auditctl, ausearch
>>> or aureport)
>>>
>>>
>>> Information not from the call I believe to be correct:
>>> ------------------------------------------------------
>>> user_r is not capable of taking any "administrative" actions, and
>>> otherwise normal user activities should work as expected.
>>>
>>> staff_r is the only "user" role which is capable of transitioning to
>>> the "administrative" roles, but can not do any administrative
>>> actions as the staff_r role.
>>>
>>> staff_t has the same privilages as user_r, with the additionally
>>> aforementioned transition privilages.
>>>
>>> secadm_r can load policy, etc. I would expect this is restricted
>>> only to the secadm_r role.
>>>
>>> secadm_r can load policy, etc. I would expect this is restricted
>>> only to the secadm_r role.
>>>
>>>
>>> Questions from arising from this data:
>>> --------------------------------------
>>> Should staff_r, sysadm_r, secadm_r and auditadm_r be capable of
>>> doing a newrole to any of the previously listed roles? The
>>> alternative is to require staff_r to be used to transition to a
>>> different administrative roles.
>> Roles do not transition. SELinux Users do . You can define which
>> roles a SELinux user can reach. And then you map Linux Users to
>> SELinux users.
>>
>> For example I can define an SELinux User "auditor" And then I can
>> give the auditor user the staff_r and auditadm_r. Then I would map
>> dwalsh to the auditor SELinux user. Now when I log in, I will
>> default to staff_r and be able to newrole to auditadm_r. I will not
>> be able to newrole to secadm_r or sysadm_r.
>
> Ah ha, I was confused. In policy much older, once you newrole'd from
> staff_r to either secadm_r or sysadm_r, you couldn't newrole to the
> other admin role without returning to staff_r. This is no longer true,
> but it was the source of the misunderstanding.
>
>>
>> Go to danwalsh.livejournal.com for a description on how to set this up.
>>> Can we more clearly define what privilages sysadm_r has that overlap
>>> into secadm_r's realm? See below for examples.
>>>
>>> "secadm is the manager of SELinux policy", so only secadm_r can make
>>> modifications to the policy. Can sysadm_r view the policy? I would
>>> expect auditadm_r to not be permitted to even view it.
>>>
>> sysadm_r can view policy.
>>> secadm_r can use the semanage tools, can sysadm_r?
>>>
>> No
>
> Should secadm_r be able to use useradd? Or is it intended that a Unix
> user is added as sysadm_r and then you should newrole to secadm_r to
> setup any non-default SELinux permissions?
I don't think so. secadm can only manipulate the selinux mapping. We
might want a boolean though since creating a user is going to be a royal
pain in the butt. (As my blog shows).
>
>>> auditadm_r seems very clearly defined, is anything missing?
>
> I take it that my description of auditadm is pretty solid then, I'm
> constructing an entry for the fedora wiki containing the information
> we've gleaned from this thread. I'll post it shortly and update
> accordingly.
Yes looks good. Now if we can just get /etc/auditd/ created :^)
>
>>>
>>>
>>> Thanks,
>>> Mike
>>>
>>
>
>
More information about the redhat-lspp
mailing list