Fedora

SELinux/MLSRoles

From FedoraProject

Contents 1 MLS Roles 1.1 user_r 1.2 staff_r 1.3 sysadm_r 1.4 secadm_r 1.5 auditadm_r 1.6 Security Applications

MLS Roles

user_r

Standard user role. The role is not allowed to run su or sudo. Should not be able to run sensitive applications or read sensitive data.

staff_r

This is role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to more priveledged domains.

sysadm_r

This role should be allowed to run all administrative applications except for the audit applications and SELinux tools that can change the running policy.

secadm_r

This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.

auditadm_r

This role should only be able to change the auditing subsystem.

Security Applications

• avcstat - All 3 can use.
• audit2allow - all 3 can use. Except that sysadm_r can only read /var/log/messages. secadm_r and auditadm_r can read both if running at SystemHigh
• audit2why - This should only work for secadm since it requires the reading of the policy file. He must be running at SystemHigh to process audit.log
• chcat/chcon - all 3 can use, although only certain contexts should be changeable.
• sysadm_r should be able to change everything but SELinux files and audit files
• secadm_r should be able to change all files except audit files
• auditadm should only be able to change audit files
• checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler
• checkpolicy - only secadm_r can execute, output of this tool is a policy file.
• fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?
• genhomedircon -Only secadm_r should be able to succeffully run this, audit messages will be generated and it will die a horrible death.
• getsebool - all 3 can use.
• getenforce - all 3 can use.
• load_policy - only secadm_r can execute
• matchpathcon - all 3 can use.
• restorecon - only sysadm and secadm can use, auditadm can not use
• run_init - only sysadm can use
• currently getting execvp defined message after authentication
• selinuxenabled - all 3 can use.
• semanage - all 3 can execute
• sysadm_r Should be able to use in readonly mode
• secadm_r - Full functionaility
• auditadm_r - Should not be allowed to run, or read only mode
• semodule - only secadm_r can execute.
• semodule_expand - all 3 can execute.
• semodule_link - all 3 can execute.
• semodule_package - all 3 can execute.
• sestatus - all 3 can execute.
• setenforce - Only secadm_r can setenforce 0
• setfiles - only secadm_r can execute.
• setsebool - only secadm_r can actually set anything
• system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.

• Tools from TreySys
• These tools are all governed by who can read the policy files or auditlogs.
• apol - all 3 can execute, requires GUI which I don't have installed.
• seaudit - all 3 can execute, requires GUI which I don't have installed.
• seaudit_report - all 3 can execute
• sechecker - all 3 can execute
• seinfo - all 3 can execute
• sesearch - all 3 can execute.

© 2009 Red Hat, Inc. and others. For comments or queries, please contact us.

The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community maintained site. Red Hat is not responsible for content.

• This page was last modified on 24 May 2008, at 16:32.
• This page has been accessed 4,537 times.
• Content is available under Attribution-Share Alike 3.0 Unported.

• Privacy policy
• About FedoraProject
• Disclaimers
• Sponsors
• Legal
• Trademark Guidelines