SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List RE: Sample SELinux policy that's equivalent to standard root? This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ Maybe in reply to ] [ Next in thread ] [ Replies ] From: Inger, Slav (S.B.) <vinger_at_ford.com> Date: Wed, 24 Sep 2003 09:46:18 -0400 -----Original Message----- From: Russell Coker [mailto:russell@coker.com.au] Sent: Wednesday, September 24, 2003 9:22 AM To: Inger, Slav (S.B.); 'selinux@tycho.nsa.gov' Subject: Re: Sample SELinux policy that's equivalent to standard root? > The domain sysadm_t has 99% of the ability that "root" has on a non-SE > machine, of course you need to have both UID=0 and context > something:sysadm_r:sysadm_t to get full access. > > Adding the ability to directly read /etc/shadow, block devices, and the few > things that are denied to sysadm_t is easy enough. However in many cases > programs that you run will automatically transition to other domains which > have less access. For example fdisk has no access files on a file system. > So if you want to do "fdisk < /root/commands > /tmp/output" then it will not > work. > > Why would you want things to be other than they are in the default policy? Because, like I said in the earlier message, I'd like to start with full root permissions and tighten up, instead of doing it the other way around. Basically, I'd like to put together a quick POC where I'd like to demonstrate that while SE root can do everything a regular root can, several files and processes will be off limits to root. Enabling 99% of typical root functionality manually is turning out to be a time consuming process. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 24 Sep 2003 - 09:46:39 EDT This message: [ Message body ] Next message: Dale Amon: "Re: Some minor thoughts on syntax/semantics" Previous message: Russell Coker: "Re: Some minor thoughts on syntax/semantics" Maybe in reply to: Inger, Slav (S.B.): "Sample SELinux policy that's equivalent to standard root?" Next in thread: Russell Coker: "Re: Sample SELinux policy that's equivalent to standard root?" Reply: Russell Coker: "Re: Sample SELinux policy that's equivalent to standard root?" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom