[redhat-lspp] RBAC Roles

Karl MacMillan kmacmillan at tresys.com
Tue Sep 20 12:29:34 UTC 2005


> -----Original Message-----
> From: redhat-lspp-bounces at redhat.com [mailto:redhat-lspp-
> bounces at redhat.com] On Behalf Of Stephen Smalley
> Sent: Tuesday, September 20, 2005 7:48 AM
> To: Steve Grubb
> Cc: lspp-list
> Subject: Re: [redhat-lspp] RBAC Roles
> 
> On Mon, 2005-09-19 at 16:30 -0400, Steve Grubb wrote:

<snip>

> > RBAC also calls out the ability to let users see all the roles they are
> > authorized for. Does this currently exist?
> 
> I don't think we have a specific utility for this purpose presently,
> although the Tresys setools may allow you to get the same information.
> It wouldn't be hard to create such a utility, but note that it will need
> to change for the ongoing work to create a separate Linux user ->
> {SELinux user, authorized range} mapping that will be used to avoid
> having to modify the kernel policy when adding/removing/changing Linux
> users.
> 

[kmacmillan at localhost ~]$ seinfo --users=root -x
   root
      system_r
      user_r
      sysadm_r

You must provide a username that policy understands, as Steve mentions. It
wouldn't be hard to make it understand Linux usernames as well. Note that
you must be able to read the policy in order to run this utility (I'm
running this under targeted above).

Karl

------
Karl MacMillan
Tresys Technology
http://www.tresys.com

> > RBAC also requires that you can place audits based on a role. Would we
> > expect to be able to use just secadm_r to make an audit rule or would we
> > need to specify the whole context string?
> 
> SELinux policy allows you to enable auditing (for the MAC checks) based
> on the type (domain), so you can e.g. audit all operations by secadm_t.
> Allowing the syscall audit filters to be enabled based on parts of the
> security context would likely be helpful, but requires that the audit
> subsystem invoke the security module (via new LSM hooks) to check the
> filter since the audit subsystem doesn't directly have access to the
> security context.
> 
> --
> Stephen Smalley
> National Security Agency
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
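A sketch of the Linux-username-aware variant Karl says would be easy to write, added here as an example that is not part of the thread or of the setools: it resolves the login through a seusers mapping file (an assumed path and "login:seuser:range" format with a "__default__" fallback, the kind of separate mapping Stephen mentions) and then parses the `seinfo --users=<seuser> -x` listing as shown above; the sample inputs are constructed.

```python
import subprocess

# Constructed sample of a seusers mapping file (hypothetical contents):
# one "login:seuser:range" entry per line, "__default__" as the fallback.
SAMPLE_SEUSERS = """\
# login:seuser:range
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
__default__:user_u:s0
"""

# Constructed sample of `seinfo --users=root -x`, mirroring the thread's output.
SAMPLE_SEINFO = """\
   root
      system_r
      user_r
      sysadm_r
"""

def resolve_seuser(login, seusers_text):
    """Map a Linux login to (SELinux user, range); unknown logins get __default__."""
    table = {}
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, seuser, mls_range = line.split(":", 2)  # the range itself contains ':'
        table[name] = (seuser, mls_range)
    if login in table:
        return table[login]
    if "__default__" in table:
        return table["__default__"]
    raise KeyError(f"no seusers entry for {login!r} and no __default__")

def parse_seinfo_roles(seinfo_text, seuser):
    """Return the roles listed under `seuser` in `seinfo --users=<seuser> -x` output."""
    lines = [ln.strip() for ln in seinfo_text.splitlines() if ln.strip()]
    if not lines or lines[0] != seuser:
        raise ValueError(f"unexpected seinfo output for {seuser!r}")
    return lines[1:]

def authorized_roles(login, seusers_text, seinfo_text):
    """Roles a Linux user is authorized for, given the mapping and seinfo text."""
    return parse_seinfo_roles(seinfo_text, resolve_seuser(login, seusers_text)[0])

def live_roles(login, seusers_path="/etc/selinux/targeted/seusers"):
    """Same lookup against the running system (needs read access to the policy)."""
    with open(seusers_path) as f:
        seuser = resolve_seuser(login, f.read())[0]
    out = subprocess.run(["seinfo", f"--users={seuser}", "-x"], check=True, capture_output=True, text=True).stdout
    return parse_seinfo_roles(out, seuser)
```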
