SELinux/MLSRoles

= MLS Roles =

user_r
Standard user role. The role is not allowed to run su or sudo. Should not be able to run sensitive applications or read sensitive data.

staff_r
This role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to more privileged domains.

sysadm_r
This role should be allowed to run all administrative applications except for the audit applications and SELinux tools that can change the running policy.

secadm_r
This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.

auditadm_r
This role should only be able to change the auditing subsystem.

== Security Applications ==

 * avcstat - all 3 (sysadm_r, secadm_r, auditadm_r) can use.
 * audit2allow - all 3 can use, except that sysadm_r can only read /var/log/messages. secadm_r and auditadm_r can read both if running at SystemHigh.
 * audit2why - This should only work for secadm_r, since it requires reading the policy file. The role must be running at SystemHigh to process audit.log.
 * chcat/chcon - all 3 can use, although only certain contexts should be changeable.
   * sysadm_r should be able to change everything but SELinux files and audit files
   * secadm_r should be able to change all files except audit files
   * auditadm_r should only be able to change audit files
 * checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler.
 * checkpolicy - only secadm_r can execute, output of this tool is a policy file.
 * fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?
 * genhomedircon - Only secadm_r should be able to successfully run this; audit messages will be generated and it will die a horrible death.
 * getsebool - all 3 can use.
 * getenforce - all 3 can use.
 * load_policy - only secadm_r can execute
 * matchpathcon - all 3 can use.
 * restorecon - only sysadm and secadm can use, auditadm can not use
 * run_init - only sysadm can use
   * currently getting execvp defined message after authentication
 * selinuxenabled - all 3 can use.
 * semanage - all 3 can execute
   * sysadm_r - Should be able to use in read-only mode
   * secadm_r - Full functionality
   * auditadm_r - Should not be allowed to run, or read-only mode
 * semodule - only secadm_r can execute.
 * semodule_expand - all 3 can execute.
 * semodule_link - all 3 can execute.
 * semodule_package - all 3 can execute.
 * sestatus - all 3 can execute.
 * setenforce - Only secadm_r can setenforce 0
 * setfiles - only secadm_r can execute.
 * setsebool - only secadm_r can actually set anything
 * system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.


 * Tools from Tresys
   * These tools are all governed by who can read the policy files or audit logs.
   * apol - all 3 can execute, requires GUI which I don't have installed.
   * seaudit - all 3 can execute, requires GUI which I don't have installed.
   * seaudit_report - all 3 can execute
   * sechecker - all 3 can execute
   * seinfo - all 3 can execute
   * sesearch - all 3 can execute.
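
One way to audit a policy against the "only ... can execute" entries in the list above, as an added example that is not part of the original page. It assumes sesearch-style `allow` rules with attributes already expanded, and the domain names (sysadm_t, secadm_t, auditadm_t) and `*_exec_t` type names are assumptions to adjust for your policy; the sample rules are constructed.

```python
import re

# Expected executors per tool, taken from the "only ... can" entries above.
EXPECTED = {
    "checkpolicy": {"secadm_r"},
    "load_policy": {"secadm_r"},
    "setfiles":    {"secadm_r"},
    "restorecon":  {"sysadm_r", "secadm_r"},
    "run_init":    {"sysadm_r"},
}
# Assumptions: each role's user domain and each tool's executable file type.
DOMAIN_ROLE = {"sysadm_t": "sysadm_r", "secadm_t": "secadm_r", "auditadm_t": "auditadm_r"}
EXEC_TYPE = {"checkpolicy_exec_t": "checkpolicy", "load_policy_exec_t": "load_policy",
             "setfiles_exec_t": "setfiles", "restorecon_exec_t": "restorecon",
             "run_init_exec_t": "run_init"}

# allow <source> <target>:<class> { perm ... };   or a single unbraced permission
RULE = re.compile(r"^\s*allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(?:\{([^}]*)\}|([^\s;]+))\s*;")

def executors(rules_text):
    """Return {tool: roles whose domain holds file:execute on the tool's type}."""
    found = {tool: set() for tool in EXPECTED}
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced or single).split())
        if cls == "file" and "execute" in perms and src in DOMAIN_ROLE and tgt in EXEC_TYPE:
            found[EXEC_TYPE[tgt]].add(DOMAIN_ROLE[src])
    return found

def deviations(rules_text):
    """List (tool, role, problem) wherever the rules differ from EXPECTED."""
    out = []
    for tool, roles in executors(rules_text).items():
        out += [(tool, r, "unexpected execute") for r in sorted(roles - EXPECTED[tool])]
        out += [(tool, r, "missing execute") for r in sorted(EXPECTED[tool] - roles)]
    return out

# Constructed sample rules: sysadm_t has been given execute on load_policy.
SAMPLE = """\
allow secadm_t load_policy_exec_t:file { read getattr execute };
allow secadm_t checkpolicy_exec_t:file { read execute };
allow secadm_t setfiles_exec_t:file execute;
allow secadm_t restorecon_exec_t:file { getattr execute };
allow sysadm_t restorecon_exec_t:file { getattr execute };
allow sysadm_t run_init_exec_t:file { read execute };
allow sysadm_t load_policy_exec_t:file { read execute };
allow auditadm_t restorecon_exec_t:file getattr;
"""

if __name__ == "__main__":
    for tool, role, problem in deviations(SAMPLE):
        print(f"{tool}: {role}: {problem}")
```

This only compares direct file execute rules; whether a role can actually reach a tool's domain also depends on the policy's transition and role rules, which the check does not model.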