LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices


Reply
  Search this Thread
Old 02-26-2014, 03:33 PM   #1
cquick197
LQ Newbie
 
Registered: Feb 2014
Posts: 15

Rep: Reputation: 0
SELinux configuration help on CentOS 6.5


Hello,
I am trying to use the principle of least privilege, possibly to the extreme. Basically what I want to do, is create a role in SELinux, and rules to allow any user in that role to only be able to update the system and install/uninstall applications using Yum, and absolutely nothing else. I'm not sure I quite understand the whole concept of this, but I thought SELinux denied everything by default unless you explicitly allow it?

I will walkthrough exactly what I have done to set everything up, and please let me know what I am doing wrong, or what I need to do further. Please bear with me if I am doing everything completely wrong, but I have only been learning SELinux for the past few days...

First, I would create a userroles.te file to define the new roles I would like to use.
Code:
module userroles 1.0;

require{
type systemadmin_t;
role systemadmin_r;
}

type systemadmin_t;
role systemadmin_r types { systemadmin_t };
I install this module with:
Code:
$checkmodule -M -m -o userroles.mod userroles.te
$semodule_package -o userroles.pp -m userroles.mod
$semodule -I ./userroles.pp
Next, I used the system-config-selinux GUI to create an SELinux user, giving it the name of 'systemadmin_u', and the role of 'systemadmin_r'.

Then I used the GUI to map the Linux user 'systemadmin' to 'systemadmin_u'. Now I believe at this point, the users and role is configure properly... So when I log in as 'systemadmin' I think when I run 'id -Z' it should display 'systemadmin_u:systemadmin_r:systemadmin_t:s0', but it doesn't, it displays "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" Pretty sure this is a big problem, but I'll still go on for now...

Then according to how I think SELinux works, by denying EVERYTHING except what I tell it to, the role of 'systemadmin_r' should have zero permissions, right? So now all I would need to do is add this line to the end of my userroles.te file and recompile?
Code:
allow systemadmin_t rpm_exec_t:file {getattr read execute};
(Plus "type rpm_exec_t" and "class file getattr, etc" in the require block)

What am I doing wrong? I have been reading and reading and I truly cannot find very much information on SELinux, which is extremely surprising to me considering how big it is.

Again, all I want to do is create a user that has absolutely no permissions to do anything on the system, except update and install/uninstall applications using Yum. Is my thought process even remotely close to what I want? I am so lost... Thank you in advance for your help!

Last edited by cquick197; 02-26-2014 at 03:34 PM.
 
Old 02-26-2014, 05:46 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,465

Rep: Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606Reputation: 2606
i would use "sudo" for that
allow only "yum update" to be used

SE is not a good tool for that

As to install and uninstall software
allowing someone that you do not TRUST !!!!! with the root password to be able to do that
is asking for PROBLEMS

because someone that you DO NOT trust will be able to do this
Code:
yum uninstall lib*
---- or ----
yum remove yum yum*
 
Old 02-27-2014, 09:38 AM   #3
cquick197
LQ Newbie
 
Registered: Feb 2014
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by John VV View Post
i would use "sudo" for that
allow only "yum update" to be used

SE is not a good tool for that

As to install and uninstall software
allowing someone that you do not TRUST !!!!! with the root password to be able to do that
is asking for PROBLEMS

because someone that you DO NOT trust will be able to do this
Code:
yum uninstall lib*
---- or ----
yum remove yum yum*

It isn't so much as the user isn't trusted, as much as the security policy for the box. It specifically requires SELinux to be used, unfortunately. I would have done the sudo thing too elsewise. The requirements are very specific, although I am just looking for an example to block everything and allow a few specifics to be able to configure everything else. It isn't specifically that the user can't do anything else I just want an example to build off of and allow more things down the road, but still keeping the philosophy of "bare minimum privilages". Thank you for your comment though. Is it possible to do this in SELinux, even though it may not be the best way?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SELinux configuration after change to init 5 carlwilson Linux - Security 5 05-02-2013 03:21 PM
[SOLVED] Disabling SELinux on CentOS domain controller Jadedkill Linux - Security 3 10-24-2011 04:11 PM
SELinux & vBulletin (CentOS 5.2) sxa Linux - Security 1 02-04-2009 10:58 PM
SELinux Security Level Configuration modernsaint Linux - Security 2 12-10-2007 02:21 AM
SELINUX configuration help... stanford Linux - Server 3 03-21-2007 06:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat

All times are GMT -5. The time now is 06:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration