RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 692296 - MLS policy roles are more separate than with RHEL5
Summary: MLS policy roles are more separate than with RHEL5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks: RHEL62CCC 846801 846802
TreeView+ depends on / blocked
 
Reported: 2011-03-31 00:11 UTC by Linda Knippers
Modified: 2018-11-28 21:17 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.7.19-84.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Linda Knippers 2011-03-31 00:11:00 UTC 
Description of problem:

With the MLS policy on RHEL5, the sysadm_r role could do everything that the 
secadm_r and auditadm_r roles could do.  This was done because having strict separation between sysadm and the other roles made it difficult to do things 
like add users.  Also, the separation between sysadm and secadm seemed rather
arbitrary (sysadm can change the TE part of a security context but not the
mls level) so before RHEL5 shipped, sysadm was given all the secadm and auditadm
privileges.

With the new policy in RHEL6, the strict separation is back, which means
that the previous problems are back.  Can we put the role definitions
back like they were for RHEL5?

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
For more information, see this mail thread:
https://www.redhat.com/mailman/private/rhel6-cc-external-list/2011-March/msg00158.html
Comment 2 Daniel Walsh 2011-03-31 14:11:12 UTC 
Linda could you try to install this policy and see if it solves your problem.

policy_module(mysysadm, 1.0)
gen_require(`
type sysadm_t;
role sysadm_r;
')
userdom_security_admin_template(sysadm_t, sysadm_r)
Comment 3 Daniel Walsh 2011-03-31 14:12:40 UTC 
Miroslav we could add this and wrap it with the same boolean that we had in RHEL5.
Comment 5 Linda Knippers 2011-04-04 21:35:43 UTC 
Dan, sorry it took me so long to get back to you. 

Some simple testing indicates that the policy module in #2 gives sysadm_r the permissions for secadm_r but we still can't do auditadm_r operations, so its still not quite like RHEL5.
Comment 6 Miroslav Grepl 2011-04-05 11:06:09 UTC 
Linda,
try this local policy

policy_module(mysysadm, 1.0)
gen_require(`
type sysadm_t;
role sysadm_r;
')

userdom_security_admin_template(sysadm_t, sysadm_r)

logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
logging_run_auditd(sysadm_t, sysadm_r)
logging_stream_connect_syslog(sysadm_t)
Comment 7 Miroslav Grepl 2011-04-06 07:53:51 UTC 
This is allowed by default in RHEL5. There is no boolean since these rules can not be applied using a boolean.

I am closing this bug as WONTFIX. We do not want to make this default for MLS policy in RHEL6.
Comment 8 Linda Knippers 2011-04-06 16:32:26 UTC 
If you don't want to make it the default (not sure why since it was the default for RHEL5) then how about an option policy module that can be applied?

I don't know who your users are but if anyone is actually using the RHEL5 MLS policy, this change in behavior will likely break them.

I'd like to have a little more discussion before closing this bug.
Comment 9 Linda Knippers 2011-04-06 16:35:04 UTC 
BTW, I tried the policy from comment #6 and it worked for me in the little bit of testing I've done with it.
Comment 10 Miroslav Grepl 2011-04-07 09:17:27 UTC 
The problem is the most of rules which are needed

        logging_run_auditctl(sysadm_t, sysadm_r)
        logging_run_auditd(sysadm_t, sysadm_r)

        selinux_set_enforce_mode(sysadm_t)
        selinux_set_all_booleans(sysadm_t)
        selinux_set_parameters(sysadm_t)
  
        seutil_run_checkpolicy(sysadm_t,sysadm_r)
        seutil_run_loadpolicy(sysadm_t,sysadm_r)
        seutil_run_semanage(sysadm_t,sysadm_r)
        seutil_run_setsebool(sysadm_t,sysadm_r)


can not be used with "tunable_policy" declaration. Other methods of declaration allow it by default.

I believe we should keep the seperation between these roles in RHEL6 (sysadm_r, secadm_r, auditadm_r). And the newrole command should be used for switching between roles.

But, you are right,  let's discuss it more.

Dan
what is your opinion.
Comment 11 Daniel Walsh 2011-04-07 13:55:46 UTC 
I dissagree, just allow sysadm_t to do the access.  If we decide we want a weaker admin role we can add that.  But lets make this default to being able to do everything an admin can do.
Comment 12 Eduard Benes 2011-04-07 14:57:03 UTC 
(In reply to comment #11)
> I dissagree, just allow sysadm_t to do the access.  If we decide we want a
> weaker admin role we can add that.  But lets make this default to being able to
> do everything an admin can do.

Does it mean all abilities of secadm_r, auditadm_r will be merged into sysadm_r?
I believe the strict separation is good to have with confined users feature, though it makes testing really painful. And, as I was told several times before, MLS isn't supposed to be user friendly :)
Comment 13 Linda Knippers 2011-04-07 15:08:59 UTC 
I'm more concerned about the change in behavior from RHEL5, not its user friendliness.  If RHEL5 customers use the mls policy, the RHEL6 policy may break them.
Comment 14 Daniel Walsh 2011-04-07 15:36:50 UTC 
You still have the user separation, and you still have auditadm_r and secadm_t.  It is just that sysadm_t has everything that auditadm_t and secadm_t can do.
Which is what the goal was in RHEL5.  If you want separation between a admin and secadm_t, you can fairly easily create myadm_t.  Writing policy for confined users/admins in RHEL6 is vastly easier (not easy) then in RHEL5.

I also think this is justified to not break the RHEL5 mode without a decent justification.
Comment 15 Miroslav Grepl 2011-04-08 05:36:20 UTC 
Ok, then I will make default the following

ifndef(`enable_mls',`
    userdom_security_admin_template(sysadm_t, sysadm_r)
')

ifndef(`enable_mls',`
    logging_manage_audit_log(sysadm_t)
    logging_manage_audit_config(sysadm_t)
    logging_run_auditctl(sysadm_t, sysadm_r)
    logging_stream_connect_syslog(sysadm_t)
')
Comment 16 Daniel Walsh 2011-04-08 18:27:15 UTC 
No I think we want that for MLS policy.
Comment 17 Miroslav Grepl 2011-04-08 19:34:40 UTC 
Yes, I mean these rules will be default without "ifndef(`enable_mls',`".
Comment 18 Miroslav Grepl 2011-04-11 10:14:06 UTC 
Fixed in selinux-policy-3.7.19-84.el6
Comment 21 errata-xmlrpc 2011-05-19 12:27:07 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
Note You need to log in before you can comment on or make changes to this bug.