https://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&feed=atom&action=historySELinux/MLSRoles - Revision history2024-03-19T13:24:46ZRevision history for this page on the wikiMediaWiki 1.39.4https://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&diff=420190&oldid=prevAgajan: added category SELinux2015-08-15T18:17:36Z<p>added category SELinux</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 18:17, 15 August 2015</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l60">Line 60:</td>
<td colspan="2" class="diff-lineno">Line 60:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* seinfo - all 3 can execute</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* seinfo - all 3 can execute</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* sesearch - all 3 can execute.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* sesearch - all 3 can execute.</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:SELinux]]</ins></div></td></tr>
</table>Agajanhttps://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&diff=11273&oldid=prevRavidiip: 1 revision(s)2008-05-24T16:32:00Z<p>1 revision(s)</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<tr class="diff-title" lang="en">
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:32, 24 May 2008</td>
</tr><tr><td colspan="2" class="diff-notice" lang="en"><div class="mw-diff-empty">(No difference)</div>
</td></tr></table>Ravidiiphttps://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&diff=11272&oldid=prevfp-wiki>ImportUser: Imported from MoinMoin2008-05-24T14:13:02Z<p>Imported from MoinMoin</p>
<p><b>New page</b></p><div>= MLS Roles =<br />
<br />
== user_r ==<br />
Standard user role. The role is not allowed to run su or sudo, and should not be able to run sensitive applications or<br />
read sensitive data.<br />
== staff_r ==<br />
This role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to<br />
more privileged domains.<br />
<br />
== sysadm_r ==<br />
This role should be allowed to run all administrative applications except for the audit applications and SELinux tools<br />
that can change the running policy.<br />
<br />
== secadm_r ==<br />
This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.<br />
<br />
== auditadm_r ==<br />
This role should only be able to change the auditing subsystem.<br />
<br />
== Security Applications ==<br />
* avcstat - All 3 can use.<br />
* audit2allow - all 3 can use, except that sysadm_r can only read /var/log/messages; secadm_r and auditadm_r can read both if running at SystemHigh.<br />
* audit2why - This should only work for secadm_r since it requires reading the policy file. It must be running at SystemHigh to process audit.log.<br />
* chcat/chcon - all 3 can use, although only certain contexts should be changeable.<br />
** sysadm_r should be able to change everything but SELinux files and audit files<br />
** secadm_r should be able to change all files except audit files<br />
** auditadm_r should only be able to change audit files<br />
* checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler.<br />
* checkpolicy - only secadm_r can execute, output of this tool is a policy file.<br />
* fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?<br />
* genhomedircon - Only secadm_r should be able to successfully run this; otherwise audit messages will be generated and it will die a horrible death.<br />
* getsebool - all 3 can use.<br />
* getenforce - all 3 can use.<br />
* load_policy - only secadm_r can execute<br />
* matchpathcon - all 3 can use.<br />
* restorecon - only sysadm and secadm can use; auditadm cannot use<br />
* run_init - only sysadm can use<br />
** currently getting execvp defined message after authentication<br />
* selinuxenabled - all 3 can use.<br />
* semanage - all 3 can execute<br />
** sysadm_r - Should be able to use in read-only mode<br />
** secadm_r - Full functionality<br />
** auditadm_r - Should not be allowed to run, or read-only mode<br />
* semodule - only secadm_r can execute.<br />
* semodule_expand - all 3 can execute.<br />
* semodule_link - all 3 can execute.<br />
* semodule_package - all 3 can execute.<br />
* sestatus - all 3 can execute.<br />
* setenforce - Only secadm_r can setenforce 0<br />
* setfiles - only secadm_r can execute.<br />
* setsebool - only secadm_r can actually set anything<br />
* system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.<br />
<br />
* Tools from Tresys<br />
* These tools are all governed by who can read the policy files or audit logs.<br />
* apol - all 3 can execute, requires a GUI which I don't have installed.<br />
* seaudit - all 3 can execute, requires a GUI which I don't have installed.<br />
* seaudit_report - all 3 can execute<br />
* sechecker - all 3 can execute<br />
* seinfo - all 3 can execute<br />
* sesearch - all 3 can execute.</div>fp-wiki>ImportUser