SELinux Policy Editor RBAC(Role Based Access Control) guide (for Ver 2.0))



Similar documents
Trusted RUBIX TM. Version 6. Installation and Quick Start Guide Red Hat Enterprise Linux 6 SELinux Platform. Revision 6

Role-Based Access Control (RBAC)

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Managing Access Control in PresSTORE

User Management Guide

Content Management System

WHMCS LUXCLOUD MODULE

PRiSM Security. Configuration and considerations

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Getting Started With Your Virtual Dedicated Server. Getting Started Guide

Getting Started Guide. Getting Started With Your Dedicated Server. Setting up and hosting a domain on your Linux Dedicated Server using Plesk 8.0.

LAMP Quickstart for Red Hat Enterprise Linux 4

Active Directory Integration for Greentree

PaperStream Connect. Setup Guide. Version Copyright Fujitsu

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

HowTo. Planning table online

NAStorage. Administrator Guide. Security Policy Of NAStorage Under UNIX/LINUX Environment

Allion Ingrasys Europe. NAStorage. Security policy under a UNIX/LINUX environment. Version 2.01

Livezilla How to Install on Shared Hosting By: Jon Manning

Getting Started With Your Virtual Dedicated Server. Getting Started Guide

Here you can see an example of the command results:

Unit objectives IBM Power Systems

How To Synchronize the easystore to the AD

Lab 2: Secure Network Administration Principles - Log Analysis

What s New in Propalms VPN 3.5?

Using Network Attached Storage with Linux. by Andy Pepperdine

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

Scheduling in SAS 9.3

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Using Internet or Windows Explorer to Upload Your Site

Managing Linux Users and Groups

CYAN SECURE WEB HOWTO. NTLM Authentication

System Administration and Log Management

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Installing a Symantec Backup Exec Agent on a SnapScale Cluster X2 Node or SnapServer DX1 or DX2. Summary

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

SOA Software API Gateway Appliance 7.1.x Administration Guide

Command Line Interface Specification Linux Mac

Remote Unix Lab Environment (RULE)

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

Polar Help Desk Installation Guide

Backing Up and Restoring Data

Lab 8: Configuring Backups

Quality Center LDAP Guide

Using Red Hat Enterprise Linux with Georgia Tech's RHN Satellite Server Installing Red Hat Enterprise Linux

SYSTEM ADMINISTRATION LAB

IIS, FTP Server and Windows

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

API documentation - 1 -

Freshservice Discovery Probe User Guide

Confining the Apache Web Server with Security-Enhanced Linux

How to Configure IDMU on the Oracle ZFS Storage Appliance

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

Technote 20 Using MSIE to FTP into an AcquiSuite

Avaya CM Login with Windows Active Directory Services

WordPress Security Scan Configuration

LDAP Implementation AP561x KVM Switches. All content in this presentation is protected 2008 American Power Conversion Corporation

Training module 2 Installing VMware View

Linux Crontab: 15 Awesome Cron Job Examples

Kaltura On-Prem Evaluation Package - Getting Started

User and Programmer Guide for the FI- STAR Monitoring Service SE

Nevepoint Access Manager 1.2 BETA Documentation

AVG Business SSO Connecting to Active Directory

Parallels Plesk Panel 11 for your Linux server

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Configure Single Sign on Between Domino and WPS

Setup Local Mail Server Using Postfix, Dovecot And Squirrelmail On CentOS 6.5/6.4

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

UM8000 Voic System Administration Guide

File Transfer Examples. Running commands on other computers and transferring files between computers

Host your websites. The process to host a single website is different from having multiple sites.

Video Administration Backup and Restore Procedures

Configuring User Identification via Active Directory

INUVIKA OVD INSTALLING INUVIKA OVD ON RHEL 6

Simple. Control Panel. for your Linux Server. Getting Started Guide. Simple Control Panel // Linux Server

How to configure the TopCloudXL WHMCS plugin (version 2+) Update: Version: 2.2

How to Get Set Up for the 2014 BE-180 and Request an Extension if Needed

Instructions for Accessing the Advanced Computing Facility Supercomputing Cluster at the University of Kansas

System Administrator Training Guide. Reliance Communications, Inc. 603 Mission Street Santa Cruz, CA

WebSphere Application Server security auditing

Kollaborate Server Installation Guide!! 1. Kollaborate Server! Installation Guide!

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Content Management System

First Steps after Installation Guide

Partek Flow Installation Guide

Reseller Panel Step-by-Step Guide

Getting Started with Tableau Server 6.1

SFTP Server User Login Instructions. Open Internet explorer and enter the following url:

Configuring Avaya Aura Communication Manager and Avaya Call Management System Release 16.3 with Avaya Contact Center Control Manager Issue 1.

Using LDAP for User Authentication

Installing an IBM Workplace/Portal Server on Linux

Welcome to Collage (Draft v0.1)

If you examine a typical data exchange on the command connection between an FTP client and server, it would probably look something like this:

SOS SO S O n O lin n e lin e Bac Ba kup cku ck p u USER MANUAL

Shellshock Security Patch for X86

Kerio Connect. Kerio 4D Migration. Kerio Technologies

CommandCenter Secure Gateway

Author A.Kishore/Sachin VNC Background

Transcription:

SELinux Policy Editor RBAC(Role Based Access Control) guide (for Ver 2.0)) Yuichi Nakamura July 3, 2006 Contents 1 What is RBAC 2 1.1 Overview............................... 2 1.2 How RBAC works in SELinux.................... 2 2 Enable RBAC 2 3 Default RBAC Configuration 3 4 Login by RBAC 3 4.1 Check role............................... 3 4.2 Change role.............................. 4 5 Configuration elements for RBAC 4 5.1 role and user statements....................... 5 5.1.1 Example............................ 5 5.1.2 user u user name....................... 5 5.2 Home directories........................... 6 5.3 Allow user to use sysadm r role................... 6 6 Creating new role 7 6.1 Create uid=0 user.......................... 7 6.2 Create template............................ 7 6.3 Write to file.............................. 8 6.4 Add permissions for administration................ 8 6.5 Load and test............................. 8 himainu-ynakam@miomio.jp 1

This document describes how to use RBAC(Role Based Access Control) in seedit. 1 What is RBAC 1.1 Overview SPDL supports configuration of RBAC(Role Based Access Control). In default policy, the domain for login user is unconfined t. So, the behavior of user is not confined by SELinux. To increase security of login user, RBAC is useful. By using RBAC, you can restrict behavior of users by assigning role to user. For example, you can assign role webmaster r to user webmaster, and give him rights to do web master work. 1.2 How RBAC works in SELinux How RBAC works is composed of 2 parts, one is assign role to user, second is assign domain to user shell. (1) Assign role When user logs in from login programs(login, sshd, gdm), login programs assign role to users. The rule that describes what kind of roles the user is allowed to use, is described in policy. Login programs assign roles referring to policy.for example, if user webmaster is allowed to use webmaster r role, login program assign webmaster r to user webmaster. (2) Assign domain Role is only strings, to confine behavior of user, domain must be given to user shell. When user shell is launched domain is given according to role. For example, when user webmaster login as webmaster r role, webmaster t domain is given to user shell. webmaster t domain is configured to be allowed homepage admin works. 2 Enable RBAC To enable RBAC, use following command. # seedit-rbac on (It takes some minutes) # reboot By above commands, files necessary to configure RBAC is moved from /etc/seedit/policy/extra to /etc/seedit/policy, and seedit-load is run.reboot is necessary because some domains become invalid, to fix this you have to reboot. 2

To disable RBAC, use following. # seedit-rbac off # reboot 3 Default RBAC Configuration Following 3 roles are defined by default. sysadm r It is role for administrator. It can work as unconfined domain sysadm t. By default, only root can login as the role. staff r It is role, to do not administrative work for administrative user. By default, only root can login as the role. user r It is a role for normal users. By default, user u can login as root. user u is a user that is not configured RBAC, by default users except root. Attention (1) su command can not be used, except sysadm r (2) Only user who can use sysadm r can login from gdm. You need to add a lots of configurations to login from other roles, and it may decrease security. By default only root user can login from X. If other users want to login from X, you have to allow to use sysadm r, but be careful, because behavior of such users are not confined by SELinux. (3) Configure to use sysadm r Usually, you will not login root user directly. You will use su, you have to allow some user to use sysadm r. For example to allow user ynakam to use sysadm r, add following after user root; in /etc/seedit/policy/sysadm r.sp. user ynakam; 4 Login by RBAC 4.1 Check role When you enable RBAC, role are given to login user. You can see it by id command. 3

When you login as root user, staff r role is given. root is allowed to use staff r and sysadm r, but login program give staff r role. Let s see it by id command. # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon), 3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t context=root:staff_r:staff_t shows role, staff r is role. User shell is given domain according to role, in this case staff t. Inside SELinux, domain is used for access control. staff r is given little access rights. You can not do any administration work in this role. For example, you can not access homepage. # cat /var/www/html/index.html Permission denied 4.2 Change role To do administrative work, you have to switch role to sysadm r role. You can do it by newrole command, like below. # newrole -r sysadm_r Authenticating root Password: You have to enter password of current user(this case root). Then check role by id command. # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon), 3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t Role is sysadm r. Domain of user shell is sysadm t. sysadm t is unconfined domain, so you can do any work. To switch role, the user must be allowed to use the role, if the user is not allowed to use the role, newrole will fail. To allow user to use role, see next section. 5 Configuration elements for RBAC To configure RBAC, it is better to understand how to describe. 4

5.1 role and user statements To configure RBAC, there are 2 SPDL configuration elements, role and user. role name of role This means configurations is going to be done for specified role. Access right is given to corresponding domain. And the configuration filename must be role name.sp. user user name This allows user to use role. user u user name is special, it is the default role of users that is not configured to use domain.how to allow to use sysadm r, see section 5.3. 5.1.1 Example Let s see example. 1: 2:role webmaster_r; 3:user webmaster; 4:allow /var/www/** r,w,s; Line 2 means, configurations between is for webmaster r role. Line 3 means, user name webmaster can use webmaster r role. Following, access rights are given to domain webmaster t domain(remember that webmaster r role behaves as webmaster t domain in SELinux system). Line 4 means, webmaster t domain(this equals user that logined as webmaster r role)is allowed to read, write under /var/www. 5.1.2 user u user name Let s see example of user u user name. Assume all configurations for RBAC are following. * In sysadm_r.sp role sysadm_r; user root;.. * In webmaster_r.sp role webmaster_r; user webmaster 5

.. * In user_r.sp role user_r; user user_u;.. In above, 3 roles are configured. You can see, user root and webmaster are assigned role. In this case user u is all users except root and webmaster. 5.2 Home directories To configure access control to home directories, we could use /. In normal domain, it means all users home directories. But, for configuration of role, the meaning is different. The rule is simple: ~/ means home directories for users that can use role Let s see example. 1:role webmaster_r; 2:user web1; 3:user web2; 4:allow ~/** r,w,s; In this case, line 4 is allow to write home directories for user1 and user2. So, when user web1/web2 login as webmaster r role, they can read write their home directories, but can not access other users home directories. 1:role user_r; 2:user user_u; 3:allow ~/** r,w,s; user u is supported, too. Line 3 means home directories for user u users. 5.3 Allow user to use sysadm r role You can easily allow to use sysadm r. Open /etc/seedit/policy/sysadm r.sp(configuration file for sysadm r role). add following, after user root; user <username you want to allow to use sysadm_r>; and seedit-load. 6

6 Creating new role The best way to understand RBAC is to create new role. Let s see it by example. Here, we will create new role for webmaster, the name is webmaster r. And assign the role to user whose name is webmaster. 6.1 Create uid=0 user The uid for user that does some administration work, must be 0. It is to pass Linux permission check. Following commands create user webmaster as uid=0. # useradd -u 0 -o webmaster # passwd webmaster 6.2 Create template You can create template configuration by seedit-template command. The usage is following. seedit-template -r <role> -u <user> -o <output directory> If you specify -o option, configuration is written to file, before writing to file, run command without -o option to make sure. Following is example of generating configuration for webmaster r role. # seedit-template -r webmaster_r -u webmaster role webmaster_r; user webmaster; include user_common.sp; include common-relaxed.sp; allow ~/** r,w,s; allowpriv part_relabel; allowpriv dac_override; allowpriv dac_read_search; Template configuration is generated. user webmaster can use webmaster r role. By include common configurations to behave as login user is imported, system critical access rights are not allowed here. And webmaster t is allowed to access user webmaster s home directory(when user webmaster login as webmaster r he can access his home directory). 3 allowpriv are outputted, this is usually needed to do administration work. allowpriv part_relabel; 7

This is necessary to use restorecon. You can use restorecon to files those webmaster r is writable. If you do not use restorecon, delete this. allowpriv dac_override; allowpriv dac_read_search; Those are necessary to skip Linux permission check. 6.3 Write to file You can write above configuration by -o option of seedit-template. # seedit-template -r webmaster_r -u webmaster -o /etc/seedit/policy/ Configuration is written to /etc/seedit/policy/webmaster r.sp 6.4 Add permissions for administration Then, add permissions to administrate web page. You need write permission under /var/www. So, add allow /var/www/** r,w,s; before. 6.5 Load and test Let s load configuration by seedit-load. #seedit-load And test to login. Login as webmaster. Let s see role. #id uid=0(root) gid=502(webmaster) groups=502(webmaster) context=webmaster:webmaster_r:webmaster_t Now you are webmaster! You can upload file to /var/www/html from your home directory. If you find something is denied and it is necessary, test in permissive mode, and add configuration to /etc/seedit/policy/webmaster r.sp using audit2spdl like normal domain. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information