Distinguish sysadm and secadm roles

Today, I would like to focus on a more advanced feature of SELinux: confined users. I wrote several posts describing how confined users can mitigate CVEs on your system and provide strict control over Linux users. Maybe in the future I will cover how to configure SELinux to confine your Linux users, but for now you can find more information at https://danwalsh.livejournal.com/ .

Several people have filed selinux-policy bugzillas trying to solve the problem of distinguishing the sysadm_r and secadm_r roles in SELinux.

In the documentation, secadm_r is defined as follows: “secadm_r can only administrate SELinux”. I like the idea that *only* secadm_r:secadm_t can administer SELinux; it reduces the attack surface for modifying or disabling SELinux on the system.

In the current situation, sysadm_r can also administer SELinux by default. The allow rules that let sysadm_t manipulate SELinux live in the sysadm_secadm.pp policy module, so there is the option of disabling or removing that module. Note that this module is enabled and active in the MLS SELinux policy too!

Let’s demonstrate it with an example. On an MLS system, I’m logged in as root with the following context:

# id -Z 
root:sysadm_r:sysadm_t:s0-s15:c0.c1023

With this SELinux context I can put SELinux into permissive mode:

# setenforce 0
# getenforce 
Permissive

But I want the SELinux configuration to be modifiable only from the special role secadm_r.

To increase security, there is a simple command to disable the sysadm_secadm module (the disabled state is recorded in the module store, so it persists across policy rebuilds and reboots):

# semodule -d sysadm_secadm -X 100

Now, if I reproduce the scenario, I cannot modify the SELinux configuration from the sysadm_r:sysadm_t context:

# id -Z 
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# setenforce 0
setenforce: setenforce() failed
# getenforce 
Enforcing

Even though I’m logged in as root, with the sysadm_r:sysadm_t SELinux context I cannot modify the SELinux configuration! Now the correct way is to switch to the secadm_r role with newrole. This only works if your SELinux user is allowed the secadm_r role (as root is here), so check that before disabling the module, or you will lock yourself out of SELinux administration:

# id -Z 
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# newrole -r secadm_r
Password:
# id -Z 
root:secadm_r:secadm_t:s0-s15:c0.c1023
# setenforce 0
# getenforce
Permissive
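The procedure above has one obvious failure mode: if you disable sysadm_secadm while no SELinux user on the box is allowed secadm_r, nobody can administer SELinux any more. The following script is an added example, not code from the original post; it performs that pre-flight check by parsing the output formats of `id -Z`, `semodule -lfull` and `semanage user -l`. All three inputs below are constructed samples so the script runs offline; on a live MLS system you would feed it the real command output, as shown in the comment in main(). The function names (context_user, module_state, user_has_role, preflight) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before running
#   semodule -d sysadm_secadm -X 100
# The inputs are CONSTRUCTED samples in the format of `id -Z`,
# `semodule -lfull` and `semanage user -l`.

# SELinux user (1st colon-separated field) of a context string.
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Role (2nd colon-separated field) of a context string.
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Read `semodule -lfull` output ("priority name lang [disabled]") on stdin and
# print the state of module $1: "enabled", "disabled" or "absent".
module_state() {
    name="$1"; state="absent"
    while read -r prio mod lang flag; do
        [ "$mod" = "$name" ] || continue
        if [ "$flag" = "disabled" ]; then state="disabled"; else state="enabled"; fi
    done
    printf '%s\n' "$state"
}

# Read `semanage user -l` output on stdin; exit 0 if SELinux user $1 is
# allowed role $2. Header lines never match a user name, so they are skipped.
user_has_role() {
    awk -v u="$1" -v r="$2" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == r) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Exit 0 only when sysadm_secadm is currently enabled (exit 2 otherwise) and
# the caller's SELinux user can newrole to secadm_r (exit 3 otherwise).
preflight() {
    ctx="$1"; modlist="$2"; userlist="$3"
    [ "$(printf '%s\n' "$modlist" | module_state sysadm_secadm)" = "enabled" ] || return 2
    printf '%s\n' "$userlist" | user_has_role "$(context_user "$ctx")" secadm_r || return 3
    return 0
}

# --- constructed samples ---------------------------------------------------
SAMPLE_CTX='root:sysadm_r:sysadm_t:s0-s15:c0.c1023'

SAMPLE_MODULES='100 staff               pp
100 sysadm              pp
100 sysadm_secadm       pp
100 secadm              pp'

# Same listing after `semodule -d sysadm_secadm -X 100` has been run.
SAMPLE_MODULES_AFTER='100 staff               pp
100 sysadm              pp
100 sysadm_secadm       pp disabled
100 secadm              pp'

SAMPLE_USERS='SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s15:c0.c1023                staff_r sysadm_r secadm_r system_r
staff_u         user       s0         s0-s15:c0.c1023                staff_r sysadm_r secadm_r system_r
user_u          user       s0         s0                             user_r'

main() {
    # Live use would be:
    #   preflight "$(id -Z)" "$(semodule -lfull)" "$(semanage user -l)"
    if preflight "$SAMPLE_CTX" "$SAMPLE_MODULES" "$SAMPLE_USERS"; then
        echo "ok: sysadm_secadm enabled and $(context_user "$SAMPLE_CTX") may newrole to secadm_r"
        echo "next step on a real system: semodule -d sysadm_secadm -X 100"
    else
        rc=$?
        echo "do NOT disable sysadm_secadm (reason code $rc)"
    fi
}

main "$@"
```

The decisive check is user_has_role: it is the same constraint newrole enforces, so if it fails for every SELinux user you log in with, disabling the module locks SELinux administration away from everyone, which is a different outcome from the one the post is after.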

So this is an easy way to distinguish the sysadm and secadm roles. 😉
