From Fedora Project Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

MLS Roles

user_r

Standard user role. The role is not allowed to run su or sudo. Should not be able to run sensitive applications or read sensitive data.

staff_r

This is role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to more priveledged domains.

sysadm_r

This role should be allowed to run all administrative applications except for the audit applications and SELinux tools that can change the running policy.

secadm_r

This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.

auditadm_r

This role should only be able to change the auditing subsystem.

Security Applications

  • avcstat - All 3 can use.
  • audit2allow - all 3 can use. Except that sysadm_r can only read /var/log/messages. secadm_r and auditadm_r can read both if running at SystemHigh
  • audit2why - This should only work for secadm since it requires the reading of the policy file. He must be running at SystemHigh to process audit.log
  • chcat/chcon - all 3 can use, although only certain contexts should be changeable.
  • sysadm_r should be able to change everything but SELinux files and audit files
  • secadm_r should be able to change all files except audit files
  • auditadm should only be able to change audit files
  • checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler
  • checkpolicy - only secadm_r can execute, output of this tool is a policy file.
  • fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?
  • genhomedircon -Only secadm_r should be able to succeffully run this, audit messages will be generated and it will die a horrible death.
  • getsebool - all 3 can use.
  • getenforce - all 3 can use.
  • load_policy - only secadm_r can execute
  • matchpathcon - all 3 can use.
  • restorecon - only sysadm and secadm can use, auditadm can not use
  • run_init - only sysadm can use
  • currently getting execvp defined message after authentication
  • selinuxenabled - all 3 can use.
  • semanage - all 3 can execute
  • sysadm_r Should be able to use in readonly mode
  • secadm_r - Full functionaility
  • auditadm_r - Should not be allowed to run, or read only mode
  • semodule - only secadm_r can execute.
  • semodule_expand - all 3 can execute.
  • semodule_link - all 3 can execute.
  • semodule_package - all 3 can execute.
  • sestatus - all 3 can execute.
  • setenforce - Only secadm_r can setenforce 0
  • setfiles - only secadm_r can execute.
  • setsebool - only secadm_r can actually set anything
  • system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.
  • Tools from TreySys
  • These tools are all governed by who can read the policy files or auditlogs.
  • apol - all 3 can execute, requires GUI which I don't have installed.
  • seaudit - all 3 can execute, requires GUI which I don't have installed.
  • seaudit_report - all 3 can execute
  • sechecker - all 3 can execute
  • seinfo - all 3 can execute
  • sesearch - all 3 can execute.
Retrieved from "https://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&oldid=420190"