On 02/04/2010 05:49 AM, Dominick Grift wrote:
On 02/04/2010 11:22 AM, Leif Thuresson wrote:
Is there a "recommended" way to set up access for privileged admin tasks with sudo? In Dominick Grift's blog article http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newro... the user assigned the webadm_r role gets sudo access with the match "ALL", so in this example you trust SELinux solely to protect the system from unauthorized access. Is this the way you would normally do it on a production machine? If you make the sudoers rules more specific for the actual commands the admin user needs to run you will gain some initial lock-down from sudo, but at the expense of the sudoers file requiring significantly more maintenance. Administrators generally like scripting to automate tasks, but by allowing a sub-admin to run a shell with uid=0 we are again left with only SELinux to prevent unauthorized access. Is the general feeling that SELinux in, say, fedora12 is mature enough that we can trust it to protect the system from unauthorized access if we allow sub-administrators to run scripts as uid=0? I see that support for capabilities on files has finally found its way into fedora12. Is that something that is being used to achieve some sort of middle ground between the two alternatives I listed above?
I believe in security layers. So if all you want to allow an admin to do is restart the web server, then set up SELinux rules for webadm_r:webadm_t and only allow the script to be run by sudo. This way if either the script or SELinux has a bug, you might still be protected. If the super admin currently uses sudo apps then he should continue, but instead of allowing the less priv admin to run apps as unconfined_t I would confine them.
If you can achieve your goal with tighter sudo configuration, then by all means use that.
With regard to your other questions, I will be interested in what others' opinions on this are.
/Leif
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
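An added example, not from this thread or from any of its participants: a small Python audit over constructed sudoers lines that flags the "ALL" grant and shell/interpreter grants discussed above, and parses the single-script grant of the kind the reply recommends. The ROLE=/TYPE= options are sudo's own sudoers syntax for the SELinux role and domain to switch into; the webadm user, the script path and the sample entries are constructed.

```python
import re
# Constructed sample sudoers lines (not from any real system): the "ALL"-style
# grant and a shell grant beside one fixed script with sudo's ROLE=/TYPE= options.
SAMPLE_SUDOERS = """\
# broad: webadm may run anything as root; only SELinux stands in the way
webadm  ALL=(ALL)  ALL
# equally broad: a shell or interpreter is as good as ALL
webadm  ALL=(root) /bin/bash, /usr/bin/python
# tight: one fixed script, entered in the webadm_r role and webadm_t domain
webadm  ALL=(root) ROLE=webadm_r TYPE=webadm_t /usr/local/sbin/restart-httpd
"""
# Programs whose "single command" grant hands over arbitrary execution anyway.
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/usr/bin/env", "/usr/bin/python", "/usr/bin/perl"}
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
OPT_RE = re.compile(r"^(?P<key>ROLE|TYPE)=(?P<val>\S+)\s+")
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def parse_entry(line):
    """Parse one 'user host=(runas) [TAG:] [ROLE= TYPE=] cmd, cmd' line (aliases, Defaults,
    negations and continuations are out of scope); None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rest, opts = m.group("rest"), {}
    while True:  # peel off sudoers tags and the SELinux ROLE=/TYPE= options
        om, tm = OPT_RE.match(rest), TAG_RE.match(rest)
        if om:
            opts[om.group("key")] = om.group("val")
            rest = rest[om.end():]
        elif tm:
            rest = rest[tm.end():]
        else:
            break
    return {"user": m.group("user"), "runas": m.group("runas") or "root",
            "role": opts.get("ROLE"), "type": opts.get("TYPE"),
            "cmds": [c.strip() for c in rest.split(",")]}

def findings(entry):
    """Reasons this entry leaves SELinux as the only barrier; empty means a fixed command."""
    out = []
    for cmd in entry["cmds"]:
        prog = cmd.split()[0]
        if prog == "ALL":
            out.append("grants ALL commands")
        elif prog in SHELL_LIKE:
            out.append(f"{prog} is a shell/interpreter, equivalent to ALL")
    return out
```

Run `findings(parse_entry(line))` over each line of a sudoers file to list the entries where sudo itself adds no restriction.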