SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: Sample config This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Stephen Smalley <sds_at_epoch.ncsc.mil> Date: 17 Oct 2003 11:56:24 -0400 On Fri, 2003-10-17 at 11:38, Inger, Slav (S.B.) wrote: > Hi, > > In my environment, 'root' has a role of sysadm_r. Running SELinux in > permissive mode and looking at the avc messages, all violations apply > to the kernel_t context. Also, all of the processes on the system seem > to be running in kernel_t context as well. I can use newrules.pl to relax > the rules (basically add a bunch of 'allow kernel_t' lines, but that's not > the point. What I would like to demonstrate is that user 'root' can do > all of his normal sysadmin chores EXCEPT kill some process or rm some file. > Let's say he shouldn't be able to kill sshd and overwrite or remove > /var/log/messages (but appending is fine). This is pretty easy to do > with LIDS, I need to know how administratively intensive it is to set > up these rules in SELinux. What specific rules do I need to > add/remove/change to make what I'm asking for happen? Thanks in advance. First, you need to get your system into a working state, which it isn't if everything is running in kernel_t. Did you label your filesystem? Does ls --context /sbin/init show the correct context? If not, then relabel your filesystem and reboot as per the README. If it is labeled correctly, then another possible explanation is that you didn't load the policy via an initrd prior to executing /sbin/init, so the domain transition didn't occur. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Fri 17 Oct 2003 - 11:56:32 EDT This message: [ Message body ] Next message: Inger, Slav (S.B.): "RE: Sample config" Previous message: Inger, Slav (S.B.): "Sample config" In reply to: Inger, Slav (S.B.): "Sample config" Next in thread: Inger, Slav (S.B.): "RE: Sample config" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom