[redhat-lspp] Re: Administrative Roles - Take Two
Michael C Thompson
thompsmc at us.ibm.com
Fri May 12 20:24:13 UTC 2006
Michael C Thompson wrote:
> secadm is the manager of SELinux policy, semanage tools, enforcing
> on/off, load policy, etc. secadm also has privileges to view audit
> logs, but not make modifications to them.
What SELinux tools should secadm_r and sysadm_r be allowed to use? My
list of tools is derived from the fedora wiki's SELinux Commands page [
http://fedoraproject.org/wiki/SELinux/Commands ]
I'll list what does work currently; please add corrections if what is
currently working is _not_ as intended. Note, this is only whether or
not the role can successfully execute the program, not whether the
program allows circumvention of privileges. Unless otherwise specified,
the commands were tested with the administrative role at
SystemLow-SystemHigh and at SystemHigh.
avcstat - all 3 can use.
audit2allow - all 3 can use.
audit2why - all 3 can execute, but there are various restrictions:
sysadm_r:SystemLow-SystemHigh :: can't read audit.log, OK
secadm_r:SystemLow-SystemHigh :: can't read policy file! BAD?
auditadm_r:SystemLow-SystemHigh :: can't read policy file, BAD?
sysadm_r:SystemHigh :: can't read audit.log, OK
secadm_r:SystemHigh :: no problems
auditadm_r:SystemHigh :: no problems
- sysadm_r can read the policy file at either level, but not the
audit log
- secadm_r & auditadm_r can read the policy and audit.log once
at SystemHigh, but can't read policy at SystemLow
chcat - all 3 can use.
checkmodule - all 3 can execute.
checkpolicy - only secadm_r can execute.
chcon - all 3 can use.
fixfiles - all 3 can use.
genhomedircon -
sysadm can execute, but is denied access to libsemanage functionality
secadm can execute and utility shows no errors.
auditadm can use at SystemLow-SystemHigh, but not at SystemHigh
getsebool - all 3 can use.
getenforce - all 3 can use.
load_policy - only secadm_r can execute
matchpathcon - all 3 can use.
restorecon - only sysadm and secadm can use, auditadm cannot use
run_init - only sysadm can use
- currently getting execvp defined message after authentication
selinuxenabled - all 3 can use.
semanage - all 3 can execute
sysadm_r can not access policy file, but can execute
secadm_r can get useful information out
auditadm_r can get useful information out if at SystemHigh
semodule - only secadm_r can execute.
semodule_expand - all 3 can execute.
semodule_link - all 3 can execute.
semodule_package - all 3 can execute.
sestatus - all 3 can execute.
setenforce - all 3 can execute, only secadm_r can setenforce 0
setfiles - only secadm_r can execute.
setsebool - all 3 can execute
- only secadm_r:SystemHigh can actually set anything
system-config-securitylevel - all 3 can execute, but what does it do?
Tools from Tresys:
apol - all 3 can execute, requires GUI which I don't have installed.
seaudit - all 3 can execute, requires GUI which I don't have installed.
seaudit_report - all 3 can execute
sechecker - all 3 can execute
seinfo - all 3 can execute
- secadm_r:SystemLow-SystemHigh & auditadm_r:SystemLow-SystemHigh
cannot open policy file, all other contexts can
sesearch - all 3 can execute.
findcon - not installed, what provides this?
replcon - not installed, what provides this?
indexcon - not installed, what provides this?
searchcon - not installed, what provides this?
That's my "short" list. Should there be any more MLS levels that admins
are expected to exist at that I am missing?
Mike
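A harness for re-running the kind of role/range matrix in the message above, as an added example that is not part of the original post or of any SELinux tool. It assumes the three roles and two ranges the post names, coreutils `runcon`, and a calling context that is allowed to transition into each role (otherwise every probe reports "denied"); `RUNCON` is a hypothetical override so the harness can be dry-run against a stub.

```shell
#!/bin/sh
# Added example, not from the original message: re-run a role/range test
# matrix like the one above. Assumes an MLS policy with the roles and ranges
# the post names, that runcon (coreutils) is present, and that the caller's
# context is allowed to transition into each role. RUNCON may be overridden
# to point at a wrapper for dry runs.
RUNCON="${RUNCON:-runcon}"

# The three administrative roles and two ranges the post tested.
ROLES="sysadm_r secadm_r auditadm_r"
LEVELS="SystemLow-SystemHigh SystemHigh"

# probe_tool ROLE RANGE CMD [ARGS...]
# Prints "ok" if CMD exits 0 under ROLE:RANGE, "denied" if it exits non-zero
# (an AVC denial, a policy file it cannot read, etc.), or "missing" if CMD
# is not installed at all. Only the exit status is checked, which is the
# same coarse test the post describes (can the role run it at all?).
probe_tool() {
    role="$1"; range="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo missing
    elif "$RUNCON" -r "$role" -l "$range" -- "$@" >/dev/null 2>&1; then
        echo ok
    else
        echo denied
    fi
}

# probe_matrix CMD [ARGS...]
# One "ROLE:RANGE CMD verdict" line per role/range pair, in the post's order.
probe_matrix() {
    for role in $ROLES; do
        for range in $LEVELS; do
            printf '%s:%s %s %s\n' "$role" "$range" "$1" \
                "$(probe_tool "$role" "$range" "$@")"
        done
    done
}

# count_verdict VERDICT
# Reads probe_matrix output on stdin and prints how many pairs got VERDICT,
# e.g. `probe_matrix semodule | count_verdict ok` should print 2 if only
# secadm_r may run semodule (as the post reports).
count_verdict() {
    grep -c " $1\$" || true
}

# Typical run: tabulate a few of the tools from the post.
# for t in sestatus semodule load_policy setfiles; do probe_matrix "$t"; done
```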