Today, I would like to focus on a more advanced SELinux feature: confined users. I wrote several posts describing how confined users can mitigate CVEs on your system and provide strict control over Linux users. Maybe in the future I will cover how to configure SELinux to confine your Linux users, but for now you can find more information at https://danwalsh.livejournal.com/ .
Several people in selinux-policy bugzillas have been trying to work out how to distinguish the sysadm_r and secadm_r roles in SELinux.
The documentation defines secadm_r as “secadm_r can only administrate SELinux”. I like the idea that *only* “secadm_r:secadm_t” can administer SELinux; it reduces the attack surface for modifying or disabling SELinux on the system.
In the current situation, sysadm_r can also administer SELinux by default. It is possible to disable or remove the sysadm_secadm.pp SELinux module (this module gives sysadm_t the allow rules it needs to manipulate SELinux). This module is enabled and active in the MLS SELinux policy as well!
Let’s demonstrate it with an example. On an MLS system, I’m logged in as root with the following context:

```
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
```

With this SELinux context I can switch SELinux to permissive mode:

```
# setenforce 0
# getenforce
Permissive
```
But I want to modify the SELinux configuration only from the special role secadm_r.
To increase security, there is a simple command to disable sysadm_secadm:

```
# semodule -d sysadm_secadm -X 100
```
Now, if I reproduce the scenario, I cannot modify the SELinux configuration from the sysadm_r:sysadm_t context:

```
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# setenforce 0
setenforce: setenforce() failed
# getenforce
Enforcing
```

Even though I’m logged in as root, with the sysadm_r:sysadm_t SELinux context I cannot modify the SELinux configuration! Now the correct way is to change role to secadm_r:

```
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# newrole -r secadm_r
Password:
# id -Z
root:secadm_r:secadm_t:s0-s15:c0.c1023
# setenforce 0
# getenforce
Permissive
```
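The scenario above boils down to two facts a defender wants to verify on a host: whether the sysadm_secadm module is still enabled, and which role a given context carries. The following audit helper is an added example written for this post, not code from the original article or from the selinux-policy project. It assumes the `<priority> <name> <type> [disabled]` line layout that `semodule -lfull` prints and the `user:role:type:range` layout of `id -Z`; the module listings and contexts embedded in it are constructed samples so it runs offline. On a real host you would feed it `"$(semodule -lfull)"` and `"$(id -Z)"` instead.

```shell
#!/bin/sh
# Added example (not from the original post): checks whether the
# sysadm_r/secadm_r split described in the post is actually in effect.
#   1. module_enabled   - is sysadm_secadm still enabled in the loaded policy?
#   2. can_admin_selinux - under the intended model, may this context
#      administer SELinux? secadm_r always may; sysadm_r only while the
#      sysadm_secadm module is enabled.
# Sample listings and contexts below are constructed for the example.

# Role field of an SELinux context "user:role:type:range".
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Succeed if module $1 appears in a `semodule -lfull` style listing ($2)
# and is not marked "disabled". Assumed line layout:
#   "<priority> <name> <type> [disabled]"
module_enabled() {
    _name=$1
    printf '%s\n' "$2" | awk -v name="$_name" '
        $2 == name && $NF != "disabled" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Print "yes"/"no" and return 0/1: may context $1 administer SELinux,
# given module listing $2? Mirrors the post: secadm_r is always allowed,
# sysadm_r only while sysadm_secadm is enabled.
can_admin_selinux() {
    _role=$(context_role "$1")
    if [ "$_role" = secadm_r ]; then
        echo yes; return 0
    fi
    if [ "$_role" = sysadm_r ] && module_enabled sysadm_secadm "$2"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Constructed listings: before and after `semodule -d sysadm_secadm -X 100`.
LISTING_BEFORE='100 sysadm pp
100 sysadm_secadm pp
100 secadm pp'
LISTING_AFTER='100 sysadm pp
100 sysadm_secadm pp disabled
100 secadm pp'

# Constructed contexts matching the ones shown in the post.
SYSADM_CTX='root:sysadm_r:sysadm_t:s0-s15:c0.c1023'
SECADM_CTX='root:secadm_r:secadm_t:s0-s15:c0.c1023'

# Report the three scenarios the post walks through.
printf 'sysadm_t, module enabled : %s\n' "$(can_admin_selinux "$SYSADM_CTX" "$LISTING_BEFORE")"
printf 'sysadm_t, module disabled: %s\n' "$(can_admin_selinux "$SYSADM_CTX" "$LISTING_AFTER")"
printf 'secadm_t, module disabled: %s\n' "$(can_admin_selinux "$SECADM_CTX" "$LISTING_AFTER")"
```

The first line of the report should read "yes", the second "no" and the third "yes", matching the three terminal sessions above. The check only models the policy the post intends; it is `semodule -lfull` on the host, not the constructed listing, that tells you whether the module really is disabled.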
So this is an easy way to distinguish the sysadm and secadm roles. 😉