Markus Bartl | 27 Sep 15:37

weak policy?

Hi there.

I've got my SELinux kernel up and running.
What I'm wondering about is that I can restart services without changing
to the sysadm_r role.
I'm logged on as root but root belongs only to staff_r.
Do I have to worry about it or is this just as expected?
I'm new to SELinux. Just dealt with regular hardened stuff so I get lost
in the basics I guess.

Regards,
Markus

nixnut | 27 Sep 16:20

Re: weak policy?

Hello Markus,

On Sat, 27 Sep 2008 15:38:51 +0200
Markus Bartl <hardened@...> wrote:

> Hi there.
> 
> I've got my SELinux kernel up and running.
> What I'm wondering about is that I can restart services without
> changing to the sysadm_r role.
> I'm logged on as root but root belongs only to staff_r.
> Do I have to worry about it or is this just as expected?
> I'm new to SELinux. Just dealt with regular hardened stuff so I get
> lost in the basics I guess.

root being staff_r after logging in is expected. There's no need to
give it extra privileges unless root is actually going to do something
that requires them. In that case root is expected to use newrole to
change his role to sysadm_r.

regards,
nixnut

Mike Edenfield | 28 Sep 04:25

Re: weak policy?

Markus Bartl wrote:
> Hi there.
> 
> I've got my SELinux kernel up and running.
> What I'm wondering about is that I can restart services without changing
> to the sysadm_r role.

Are you prompted for the root password when you execute one 
of the init.d scripts?  And are you in permissive mode or 
enforcing mode?

In general, a *lot* of strange problems with SELinux are 
caused by mislabeled file systems.  If certain executables 
aren't labeled correctly, even in permissive mode, it will 
prevent the correct transitions from happening and produce 
odd symptoms later on.  One common symptom of this is the rc 
system not cooperating with SELinux.

I would suggest you relabel everything: rlpkg -a -r
then reboot and see if your behavior is more what you expected.

--K

Markus Bartl | 28 Sep 09:27

Re: weak policy?

Mike Edenfield wrote:
> Markus Bartl wrote:
>> Hi there.
>>
>> I've got my SELinux kernel up and running.
>> What I'm wondering about is that I can restart services without
>> changing to the sysadm_r role.
>
> Are you prompted for the root password when you execute one of the 
> init.d scripts?  And are you in permissive mode or enforcing mode?
>
> In general, a *lot* of strange problems with SELinux are caused by 
> mislabeled file systems.  If certain executables aren't labeled 
> correctly, even in permissive mode, it will prevent the correct 
> transitions from happening and produce odd symptoms later on.  One 
> common symptom of this is the rc system not cooperating with SELinux.
>
> I would suggest you relabel everything: rlpkg -a -r
> then reboot and see if your behavior is more what you expected.
>
> --K
>
Hi there.

Do I have to relabel while being in the sysadm_r role?
I'm running in permissive mode. If I change to enforcing I can't even do
an ls on my own (/root) directory without changing to sysadm_r.
Many strange things...
