donderdag 25 juni 2009

SELinux Lockdown Part Seven: SU, Newrole, Sudo and Run_init.

Before Fedora 9 was released users with access to roles would execute the newrole command to Domain Transition. This command can be installed as policycoreutils-newrole. The user would for example run: newrole -r , and get prompted to enter his user password. The newrole command would than verify whether the users has all access that is required to make the requested domain transition and allow or deny it.

If the user Transitioned to a privileged User Domain and wanted to perform a privileged task, he would then execute the SU command to meet that Discretionary Access Control requirements. The SU command prompts for the root password.

In a strict environment to become a privileged user, one would run two programs and enter two seperate passwords. A privileged user would require access to roots password to perform any privileged task this way.

For a user such as this to run a system service the is another command to execute. The Run_init command performs a Domain transition to the Init Script which in turn starts a system service in its proper Domain. This program also prompts for a password.

That is a lot of passwords and commands just to restart Apache for example.

In Fedora 9 the sudo command was modified to support Domain Transitions. The use of the sudo command is recommended over the SU and Newrole command.
Two main advantages of the Sudo command are that this command allows you to change Linux uid and SElinux Domain Transition in one turn and that you do not need the root password to do so as long as you are added to the /etc/sudoers configuration file.

The destination Domain can be specified as a parameter of the -t option, and the destination role can be specified as a parameter of the -r option. Sudo can also be configured to Transition to a specified role and domain by default in its /etc/sudoers file.

For example: Linux user joe logs into the system as SELinux user joe_u. SELinux User joe_u has access to the joe_r role as well as the webadm_r role and the system_r role. The joe_r role maps to the joe_t User Domain which has all the permissions required for a restricted login user. The joe_t User Domain has access to the system_r role as well as the webadm_r role in policy. An entry for joe in /etc/sudoers is as follows:

joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL

This entry allows Sudo to transition user joe to webadm_r role and webadm_t role automatically when joe run the sudo command.

Joe logs in and finds himself in the joe_t User Domain. Then when Joe wants to start the Apache service he simple runs: sudo service httpd start.

Sudo changes Joes Linux UID to 0 and transitions Joes' Domain and Role automatically to the specified Role and Domain webadm_t and webadm_r.

Joe also has access to the system_r role that is required to transition to the Init script domain which starts httpd in its proper Domain. The Run_init command is no longer required.

If Joe has access to several roles then Joe can override the default role and domain specified in the Sudo configuration file by specifying the -t and -r options with the destination role and domain parameters.


Prefer the Sudo command over the SU with Newrole commands.
Prefer access to the system_r role over the Run_init command.

Refer: man su, man sudo, man newrole, man run_init

Geen opmerkingen:

Een reactie posten