9:58 a.m.
Hello,
I've a requirement to use a system as a root, but I need to move so offen to other
users and be able to move to their default SELinux user and roles.
As it appears to be, it is no a common thing to do, but is it possible without
implementing a new policy?
Regards
_________________________________________________________________
Get the best of MSN on your mobile
http://clk.atdmt.com/UKM/go/147991039/direct/01/
10:17 a.m.
It is possible i think yes.
As far as i know there are two requirements (example unconfined_r to
confined_r)
1. Your SELinux User must be mapped to both roles.
semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
special_u
2. Your source role must have access to your target role
allow unconfined_r confined_r;
(also make default context in /etc/selinux/targeted/contexts/users for
special_u)
The reason that this is supported by default is because it does not make
sense to transition from a unconfined domain to a confined domain. It
defeats the purpose of the unconfined domain.
Unconfined environments are used by processes that are exempted from
much of the policy enforcement.
In rare cases unconfined domain transition to restricted domains. For
example: one can toggle a boolean to force unconfined_t to transition to
nsplugin_t when the process runs nsplugin.
On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
Hello,
I've a requirement to use a system as a root, but I need to move so
offen to other users and be able to move to their default SELinux user
and roles.
As it appears to be, it is no a common thing to do, but is it possible
without implementing a new policy?
Regards
______________________________________________________________________
Beyond Hotmail - see what else you can do with Windows Live. Find out
more.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
11:12 a.m.
Hello,
As creating new simple role, I've done the following:
--------------
policy_module(new, 0.0.1)
role newroled_r;
role unconfined_r newroled_r;
------------------
But it does not compile using make, showing error near role unconfined.
Subject: Re: su or sudo from unconfined user to confined user
From: domg472(a)gmail.com
To: mrowais(a)hotmail.com
CC: fedora-selinux-list(a)redhat.com
Date: Tue, 23 Jun 2009 17:20:17 +0200
On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> 2. Your source role must have access to your target role
> allow unconfined_r confined_r;
Whoops thats a syntax error. It should be:
role unconfined_r confined_r;
_________________________________________________________________
Get the best of MSN on your mobile
http://clk.atdmt.com/UKM/go/147991039/direct/01/
12:54 p.m.
On Tue, 2009-06-23 at 17:12 +0100, Mohamed Aburowais wrote:
Hello,
As creating new simple role, I've done the following:
--------------
policy_module(new, 0.0.1)
role newroled_r;
role unconfined_r newroled_r;
------------------
But it does not compile using make, showing error near role
unconfined.
Sorry i was right the first time:
allow unconfined_r confined_r;
So:
role unconfined_r confined_r;
is wrong...
> Subject: Re: su or sudo from unconfined user to confined user
> From: domg472(a)gmail.com
> To: mrowais(a)hotmail.com
> CC: fedora-selinux-list(a)redhat.com
> Date: Tue, 23 Jun 2009 17:20:17 +0200
>
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
>
> > 2. Your source role must have access to your target role
> > allow unconfined_r confined_r;
>
> Whoops thats a syntax error. It should be:
>
> role unconfined_r confined_r;
______________________________________________________________________
Beyond Hotmail - see what else you can do with Windows Live. Find out
more.
11:20 a.m.
On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
It is possible i think yes.
I could be wrong, but I think the original poster wanted a way he could
switch to another user's security context in its entirety using su or
sudo. Which today we do not support.
The original (and current) view is that the SELinux user field should
only get set when a session is created, and only role, type, and level
can change within a session and only then if within the authorized roles
and levels for the user. That bounds access escalation within a login
session. su doesn't affect the SELinux security context, and
newrole/sudo are limited to changing role, type, or level.
In early Fedora and RHEL 4, there was support for switching the entire
security context upon su, but that was removed. To re-instate it, you
would need to do two things:
1) Add the necessary policy rules to allow su to switch the entire
context. Look at the rules under an ifdef distro_rhel4 in su.if in the
refpolicy for example. You could add those as a local policy module
rather than rebuilding the base policy.
2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
for an example of how to do so.
And I can't guarantee it will still work, as no one uses it that way
anymore.
As far as i know there are two requirements (example unconfined_r to
confined_r)
1. Your SELinux User must be mapped to both roles.
semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
special_u
2. Your source role must have access to your target role
allow unconfined_r confined_r;
(also make default context in /etc/selinux/targeted/contexts/users for
special_u)
The reason that this is supported by default is because it does not make
sense to transition from a unconfined domain to a confined domain. It
defeats the purpose of the unconfined domain.
Unconfined environments are used by processes that are exempted from
much of the policy enforcement.
In rare cases unconfined domain transition to restricted domains. For
example: one can toggle a boolean to force unconfined_t to transition to
nsplugin_t when the process runs nsplugin.
On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> Hello,
> I've a requirement to use a system as a root, but I need to move so
> offen to other users and be able to move to their default SELinux user
> and roles.
> As it appears to be, it is no a common thing to do, but is it possible
> without implementing a new policy?
>
> Regards
>
>
> ______________________________________________________________________
> Beyond Hotmail - see what else you can do with Windows Live. Find out
> more.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
11:54 a.m.
This seems to be a bit complicated.
As a start I'm trying to create new role and new types, I want the new role to be
accessed by unconfined_r, having problem since my last email:
Compiling targeted new module
/usr/bin/checkmodule: loading policy configuration from tmp/new.tmp
new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line
3189:
allow unconfined_r new_r;
role new_r types example_t;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/new.mod] Error 1
the file used: new.te
policy_module(new, 0.0.1)
role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
(both allow or role causing the same problem).
Subject: Re: su or sudo from unconfined user to confined user
From: sds(a)tycho.nsa.gov
To: domg472(a)gmail.com
CC: mrowais(a)hotmail.com; fedora-selinux-list(a)redhat.com
Date: Tue, 23 Jun 2009 12:20:38 -0400
On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> It is possible i think yes.
I could be wrong, but I think the original poster wanted a way he could
switch to another user's security context in its entirety using su or
sudo. Which today we do not support.
The original (and current) view is that the SELinux user field should
only get set when a session is created, and only role, type, and level
can change within a session and only then if within the authorized roles
and levels for the user. That bounds access escalation within a login
session. su doesn't affect the SELinux security context, and
newrole/sudo are limited to changing role, type, or level.
In early Fedora and RHEL 4, there was support for switching the entire
security context upon su, but that was removed. To re-instate it, you
would need to do two things:
1) Add the necessary policy rules to allow su to switch the entire
context. Look at the rules under an ifdef distro_rhel4 in su.if in the
refpolicy for example. You could add those as a local policy module
rather than rebuilding the base policy.
2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
for an example of how to do so.
And I can't guarantee it will still work, as no one uses it that way
anymore.
> As far as i know there are two requirements (example unconfined_r to
> confined_r)
>
> 1. Your SELinux User must be mapped to both roles.
> semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
> special_u
>
> 2. Your source role must have access to your target role
> allow unconfined_r confined_r;
>
> (also make default context in /etc/selinux/targeted/contexts/users for
> special_u)
>
> The reason that this is supported by default is because it does not make
> sense to transition from a unconfined domain to a confined domain. It
> defeats the purpose of the unconfined domain.
>
> Unconfined environments are used by processes that are exempted from
> much of the policy enforcement.
>
> In rare cases unconfined domain transition to restricted domains. For
> example: one can toggle a boolean to force unconfined_t to transition to
> nsplugin_t when the process runs nsplugin.
>
>
> On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > Hello,
> > I've a requirement to use a system as a root, but I need to move so
> > offen to other users and be able to move to their default SELinux user
> > and roles.
> > As it appears to be, it is no a common thing to do, but is it possible
> > without implementing a new policy?
> >
> > Regards
> >
> >
> > ______________________________________________________________________
> > Beyond Hotmail - see what else you can do with Windows Live. Find out
> > more.
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
_________________________________________________________________
Share your photos with Windows Live Photos – Free.
http://clk.atdmt.com/UKM/go/134665338/direct/01/
12:57 p.m.
On Tue, 2009-06-23 at 17:54 +0100, Mohamed Aburowais wrote:
This seems to be a bit complicated.
As a start I'm trying to create new role and new types, I want the new
role to be accessed by unconfined_r, having problem since my last
email:
Compiling targeted new module
/usr/bin/checkmodule: loading policy configuration from tmp/new.tmp
new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line
3189:
allow unconfined_r new_r;
role new_r types example_t;
/usr/bin/checkmodule: error(s) encountered while parsing
configuration
make: *** [tmp/new.mod] Error 1
the file used: new.te
policy_module(new, 0.0.1)
role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
(both allow or role causing the same problem).
Looks like you must require unconfined_r:
require { role unconfined_r; }
> Subject: Re: su or sudo from unconfined user to confined user
> From: sds(a)tycho.nsa.gov
> To: domg472(a)gmail.com
> CC: mrowais(a)hotmail.com; fedora-selinux-list(a)redhat.com
> Date: Tue, 23 Jun 2009 12:20:38 -0400
>
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible i think yes.
>
> I could be wrong, but I think the original poster wanted a way he
could
> switch to another user's security context in its entirety using su
or
> sudo. Which today we do not support.
>
> The original (and current) view is that the SELinux user field
should
> only get set when a session is created, and only role, type, and
level
> can change within a session and only then if within the authorized
roles
> and levels for the user. That bounds access escalation within a
login
> session. su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
>
> In early Fedora and RHEL 4, there was support for switching the
entire
> security context upon su, but that was removed. To re-instate it,
you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context. Look at the rules under an ifdef distro_rhel4 in su.if in
the
> refpolicy for example. You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su. Look
in /etc/pam.d/login
> for an example of how to do so.
>
> And I can't guarantee it will still work, as no one uses it that way
> anymore.
>
> > As far as i know there are two requirements (example unconfined_r
to
> > confined_r)
> >
> > 1. Your SELinux User must be mapped to both roles.
> > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P
user
> > special_u
> >
> > 2. Your source role must have access to your target role
> > allow unconfined_r confined_r;
> >
> > (also make default context in /etc/selinux/targeted/contexts/users
for
> > special_u)
> >
> > The reason that this is supported by default is because it does
not make
> > sense to transition from a unconfined domain to a confined domain.
It
> > defeats the purpose of the unconfined domain.
> >
> > Unconfined environments are used by processes that are exempted
from
> > much of the policy enforcement.
> >
> > In rare cases unconfined domain transition to restricted domains.
For
> > example: one can toggle a boolean to force unconfined_t to
transition to
> > nsplugin_t when the process runs nsplugin.
> >
> >
> > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > > Hello,
> > > I've a requirement to use a system as a root, but I need to move
so
> > > offen to other users and be able to move to their default
SELinux user
> > > and roles.
> > > As it appears to be, it is no a common thing to do, but is it
possible
> > > without implementing a new policy?
> > >
> > > Regards
> > >
> > >
> > >
______________________________________________________________________
> > > Beyond Hotmail - see what else you can do with Windows Live.
Find out
> > > more.
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> Stephen Smalley
> National Security Agency
>
______________________________________________________________________
View your Twitter and Flickr updates from one place – Learn more!
12:05 p.m.
On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote:
On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> It is possible i think yes.
I could be wrong, but I think the original poster wanted a way he could
switch to another user's security context in its entirety using su or
sudo. Which today we do not support.
The original (and current) view is that the SELinux user field should
only get set when a session is created, and only role, type, and level
can change within a session and only then if within the authorized roles
and levels for the user. That bounds access escalation within a login
session. su doesn't affect the SELinux security context, and
newrole/sudo are limited to changing role, type, or level.
In early Fedora and RHEL 4, there was support for switching the entire
security context upon su, but that was removed. To re-instate it, you
would need to do two things:
1) Add the necessary policy rules to allow su to switch the entire
context. Look at the rules under an ifdef distro_rhel4 in su.if in the
refpolicy for example. You could add those as a local policy module
rather than rebuilding the base policy.
2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
for an example of how to do so.
And I can't guarantee it will still work, as no one uses it that way
anymore.
Oh, but I forgot that he is starting from unconfined_t, so it isn't
quite that complicated, as su doesn't even run in its own domain when
called by unconfined_t.
This worked for me:
# vi foo.te
policy_module(foo, 1.0)
require {
type unconfined_t;
type user_t;
role unconfined_r;
role user_r;
}
allow unconfined_t user_t:process transition;
allow unconfined_r user_r;
# make -f /usr/share/selinux/devel/Makefile foo.pp
# semodule -i foo.pp
# runcon user_u:user_r:user_t:s0 /bin/bash
# id -Z
user_u:user_r:user_t:s0
So you could use runcon to switch contexts (since you are starting from
unconfined_t), and then use su to switch Linux uid.
--
Stephen Smalley
National Security Agency
5434
days inactive
5434
days old
selinux@lists.fedoraproject.org
8 comments
3 participants
participants (3)
-
Dominick Grift -
Mohamed Aburowais -
Stephen Smalley