From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Fri, 30 Sep 2011 17:36:12 +0000 (UTC)
Message-ID: <6ae1cd1ee8b563b826ee0c669bb7cdb4077cc1fc.SwifT@gentoo>

commit:     6ae1cd1ee8b563b826ee0c669bb7cdb4077cc1fc
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Sep 30 17:35:58 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 30 17:35:58 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ae1cd1e

Update new selinux handbook, information on selinux users and login mappings

---
 xml/selinux/hb-using-configuring.xml |  243 +++++++++++++++++++++++++++++++++-
 1 files changed, 237 insertions(+), 6 deletions(-)

diff --git a/xml/selinux/hb-using-configuring.xml b/xml/selinux/hb-using-configuring.xml
index 139295d..78ace4f 100644
--- a/xml/selinux/hb-using-configuring.xml
+++ b/xml/selinux/hb-using-configuring.xml
@@ -8,7 +8,7 @@
 
 <sections>
 <version>1</version>
-<date>2011-09-18</date>
+<date>2011-09-30</date>
 
 <section>
 <title>Administering Users</title>
@@ -45,12 +45,12 @@ and SELinux users.
 <pre caption="Running semanage login -l">
 # <i>semanage login -l</i>
 
-Login Name                SELinux User             
+Login Name                SELinux User
 
-__default__               user_u                   
-root                      root                     
-john                      staff_u                  
-system_u                  system_u                 
+__default__               user_u
+root                      root
+john                      staff_u
+system_u                  system_u
 </pre>
 
 <p>
@@ -60,6 +60,237 @@ not defined otherwise. This makes sure that a newly defined account does not get
 elevated privileges by default.
 </p>
 
+<p>
+The next table gives an overview of the standard SELinux users available after
+an installation.
+</p>
+
+<table>
+<tr>
+  <th>SELinux User</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>user_u</ti>
+  <ti>
+    Default regular SELinux user, which should be used by end-user accounts that
+    are not going to administer any service(s) on the system
+  </ti>
+</tr>
+<tr>
+  <ti>staff_u</ti>
+  <ti>
+    SELinux user for administrators. This user has the right to switch roles and
+    as such gain elevated privileges
+  </ti>
+</tr>
+<tr>
+  <ti>root</ti>
+  <ti>
+    SELinux user for the root account. It differs little from the staff_u
+    account beyond being a different ID. This ensures that files protected by
+    the user based access control for root cannot be handled by the staff_u
+    (and other) users
+  </ti>
+</tr>
+<tr>
+  <ti>sysadm_u</ti>
+  <ti>
+    SELinux user for system administration. By default, this account is not
+    immediately used as this user immediately gets the administrative role
+    (whereas staff_u and root still need to switch roles).
+  </ti>
+</tr>
+<tr>
+  <ti>system_u</ti>
+  <ti>
+    SELinux user for system services. It should never be used for end users or
+    administrators as it provides direct access to the system role (and
+    privileges)
+  </ti>
+</tr>
+<tr>
+  <ti>unconfined_u</ti>
+  <ti>
+    Used when the policy is <e>targeted</e>, this SELinux user has many
+    privileges (it is essentially not limited in its actions, although it is
+    still handled through SELinux - just through a "wide open" policy).
+  </ti>
+</tr>
+</table>
+
+<p>
+To map a user to a specific SELinux user, use <c>semanage login -a</c>:
+</p>
+
+<pre caption="Mapping a user 'sophie' to the staff_u user">
+# <i>semanage login -a -s staff_u sophie</i>
+</pre>
+
+<p>
+However, when you update such mapping, the files in that users' home directory
+will be owned by a wrong SELinux user. It is therefor important to relabel the
+files of that user:
+</p>
+
+<pre caption="Relabeling sophie's files">
+# <i>restorecon -R -F /home/sophie</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Additional SELinux Accounts</title>
+<body>
+
+<p>
+It is perfectly possible to create additional SELinux accounts, and then map the
+Linux logins to these new accounts. This can be necessary when you want a more
+thorough auditing (on end user level) or when you will be enhancing the policy
+with additional roles. Also, if you want to use the User Based Access Control
+feature, using different SELinux users is important to enforce the control on
+different users (if they all use the same SELinux user, then UBAC has little to
+no effect).
+</p>
+
+<p>
+Managing the SELinux accounts is done through <c>semanage user</c>:
+</p>
+
+<pre caption="Creating a SELinux user">
+# <i>semanage user -a -R "staff_r sysadm_r" sophie</i>
+</pre>
+
+<p>
+Let's verify how the SELinux users are currently configured:
+</p>
+
+<pre caption="Checking the SELinux user identities">
+# <i>semanage user -l</i>
+SELinux User    SELinux Roles
+
+root            staff_r sysadm_r
+sophie          staff_r sysadm_r
+staff_u         staff_r sysadm_r
+sysadm_u        sysadm_r
+system_u        system_r
+unconfined_u    unconfined_r
+user_u          user_r
+
+# <i>semanage login -l</i>
+Login Name                SELinux User
+
+__default__               user_u
+root                      root
+sophie                    staff_u
+swift                     staff_u
+system_u                  system_u
+</pre>
+
+<p>
+Now that a new SELinux user called "sophie" exists, we can now update the Linux
+user mapping for "sophie" towards the new SELinux user "sophie":
+</p>
+
+<pre caption="Updating the Linux user mapping">
+# <i>semanage login -m -s sophie sophie</i>
+# <i>semanage login -l</i>
+Login Name                SELinux User
+
+__default__               user_u
+root                      root
+sophie                    sophie
+swift                     staff_u
+system_u                  system_u
+</pre>
+
+<p>
+Again, do not forget to relabel this users' files.
+</p>
+
+<p>
+As you can see, managing SELinux users means defining the roles to which the
+user has access to. We already gave a high-level introduction to the default
+roles in <uri link="?part=1&amp;chap=2">SELinux Concepts</uri>, but as roles are
+important when using a Mandatory Access Control system, let's refresh our memory
+again:
+</p>
+
+<table>
+<tr>
+  <th>SELinux Role</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>user_r</ti>
+  <ti>
+    Default end-user role. This role provides access to regular applications and
+    activities, but does not allow any system or service administration beyond
+    what is expected for a regular user.
+  </ti>
+</tr>
+<tr>
+  <ti>staff_r</ti>
+  <ti>
+    Default administration role for day-to-day activities. This role has some
+    additional privileges beyond what is offered through user_r, but is not a
+    full system administrative role. It is meant for the non-administrative
+    activities done by operators and administrators
+  </ti>
+</tr>
+<tr>
+  <ti>sysadm_r</ti>
+  <ti>
+    System administration role. This role is highly privileged (since it also
+    contains the privileges to update the policy) and should only be given to
+    fully trusted administrators. It is almost never immediately granted to
+    users (they first need to switch roles) except for direct root access (for
+    instance through the console) 
+  </ti>
+</tr>
+<tr>
+  <ti>system_r</ti>
+  <ti>
+    System service role, which is used for the runtime services (processes). It
+    is never granted to users directly.
+  </ti>
+</tr>
+<tr>
+  <ti>unconfined_r</ti>
+  <ti>
+    The unconfined role is used when the <e>targeted</e> policy is supported.
+    This role is given to unconfined users (such as the SELinux unconfined_u
+    user) which have very wide privileges (they almost run without constraints).
+  </ti>
+</tr>
+</table> 
+
+<p>
+It should be noted that these roles are the default ones, but the security
+administrator - yes, that means you - can create additional roles and add
+particular privileges to it. We will discuss this later in this book as it means
+you'll need to update the Gentoo Hardened SELinux policy.
+</p>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>Using (File) Labels</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+Within SELinux, access privileges are based on the label given on the
+originating part (called the <e>domain</e>) and its target resource. For
+instance, a process running in the passwd_t domain wants to read (= privilege)
+the file <path>/etc/shadow</path> which is labeled shadow_t (= the target
+resouce). It comes to no surprise then that the majority of SELinux
+administration is (re)labeling the resources.
+</p>
+
 </body>
 </subsection>
 </section>
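Review bot: the relabel paragraph ("However, when you update such mapping ...") follows an example that adds a mapping with `semanage login -a` rather than updates one, and it never says why `-F` is required; since only the user field of the files' contexts is wrong after a mapping change, a plain `restorecon -R` (which resets just the type field) would leave the stale SELinux user in place, so the text should state that `-F` forces the full context, user field included, to be reset. The same paragraph has typos: "therefor" should be "therefore" and "that users' home directory" should be "that user's home directory" (likewise "this users' files" later). In the new Introduction subsection, "resouce" should be "resource" and "It comes to no surprise" should be "It comes as no surprise"; "defining the roles to which the user has access to" doubles the "to", and "Now that a new SELinux user ... exists, we can now update" repeats "now". Trailing whitespace remains on the `</table> ` line and on the "instance through the console) " table cell, which the earlier hunk in this same commit strips elsewhere.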


