6.8. Separating system administration from security administration in MLS


By default, the sysadm_r role has the rights of the secadm_r role, which means a user with the sysadm_r role can manage the security policy. If you need more control over security authorizations, you can separate system administration from security administration by assigning a Linux user to the secadm_r role and disabling the sysadm_secadm module in the SELinux policy.

Prerequisites

  • The SELinux policy is set to mls.
  • The SELinux mode is set to enforcing.
  • The policycoreutils-python-utils package is installed.
  • A Linux user who will be assigned to the secadm_r role:

    • The user is assigned to the staff_u SELinux user.
    • A password for this user has been defined.

    Warning

    Make sure you can log in as the user who will be assigned to the secadm role. If you cannot, you can lock yourself out of any future modifications of the system’s SELinux policy.

Procedure

  1. Create a new sudoers file in the /etc/sudoers.d directory for the user:

    # visudo -f /etc/sudoers.d/<sec_adm_user>

    To keep the sudoers files organized, replace <sec_adm_user> with the Linux user which will be assigned to the secadm role.

  2. Add the following content into the /etc/sudoers.d/<sec_adm_user> file:

    <sec_adm_user> ALL=(ALL) TYPE=secadm_t ROLE=secadm_r ALL

    This line authorizes <sec_adm_user> on all hosts to perform all commands, and maps the user to the secadm SELinux type and role by default.

  3. Log in as the <sec_adm_user> user.

    To make sure that the SELinux context (which consists of SELinux user, role, and type) is changed, log in using ssh, the console, or xdm. Other ways, such as su and sudo, cannot change the entire SELinux context.

  4. Verify the user’s security context:

    $ id
    uid=1000(<sec_adm_user>) gid=1000(<sec_adm_user>) groups=1000(<sec_adm_user>) context=staff_u:staff_r:staff_t:s0-s15:c0.c1023

  5. Run the interactive shell for the root user:

    $ sudo -i
    [sudo] password for <sec_adm_user>:

  6. Verify the current user’s security context:

    # id
    uid=0(root) gid=0(root) groups=0(root) context=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023

  7. Disable the sysadm_secadm module from the policy:

    # semodule -d sysadm_secadm

    Important

    Use the semodule -d command instead of removing the system policy module by using the semodule -r command. The semodule -r command deletes the module from your system’s storage, which means it cannot be loaded again without reinstalling the selinux-policy-mls package.

Verification

  1. As the user assigned to the secadm role, and in the interactive shell for the root user, verify that you can access the security policy data:

    # seinfo -xt secadm_t

    Types: 1
       type secadm_t, can_relabelto_shadow_passwords, (…) userdomain;

  2. Log out from the root shell:

    # logout

  3. Log out from the <sec_adm_user> user:

    $ logout
    Connection to localhost closed.

  4. Display the current security context:

    # id
    uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023

  5. Attempt to enable the sysadm_secadm module. The command should fail:

    # semodule -e sysadm_secadm
    SELinux:  Could not load policy file /etc/selinux/mls/policy/policy.31:  Permission denied
    /sbin/load_policy:  Can't load policy:  Permission denied
    libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
    SELinux:  Could not load policy file /etc/selinux/mls/policy/policy.31:  Permission denied
    /sbin/load_policy:  Can't load policy:  Permission denied
    libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
    semodule:  Failed!

  6. Attempt to display the details about the sysadm_t SELinux type. The command should fail:

    # seinfo -xt sysadm_t
    [Errno 13] Permission denied: '/sys/fs/selinux/policy'
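Steps 4 and 6 of the procedure and step 4 of the verification rely on reading the context= field of id output by eye. The POSIX sh helpers below, an added example that is not part of the Red Hat documentation, parse that field so the same checks can be scripted: they confirm that sudo -i with the ROLE=/TYPE= sudoers options keeps the staff_u SELinux user (so the action stays attributable to the person) while switching the role and type to secadm_r:secadm_t, and they generate the step 2 sudoers line for a given user. The id lines and the user name alice are constructed samples modelled on the page, so the script runs offline on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. All sample `id` output
# below is constructed from the page; no SELinux-enabled host is needed.

# Print field N of the SELinux context found in `id` output:
# 1 = SELinux user, 2 = role, 3 = type, 4 = MLS range (e.g. s0-s15:c0.c1023).
# Returns 1 if the output carries no context= field.
context_field() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*context=\([^ ]*\).*/\1/p')
    [ -n "$ctx" ] || return 1
    if [ "$2" -eq 4 ]; then
        # The range itself contains a colon, so take everything from field 4 on.
        printf '%s\n' "$ctx" | cut -d: -f4-
    else
        printf '%s\n' "$ctx" | cut -d: -f"$2"
    fi
}

# Return 0 when the context has the given role ($2) and type ($3).
has_role_type() {
    [ "$(context_field "$1" 2)" = "$2" ] && [ "$(context_field "$1" 3)" = "$3" ]
}

# Check the step 4 -> step 6 transition: the SELinux user must stay staff_u
# before and after `sudo -i`, the role/type must go from staff_r:staff_t to
# secadm_r:secadm_t. A plain root session (root:sysadm_r:sysadm_t) fails this.
secadm_transition_ok() {
    before=$1
    after=$2
    [ "$(context_field "$before" 1)" = "staff_u" ] &&
    [ "$(context_field "$after" 1)" = "staff_u" ] &&
    has_role_type "$before" staff_r staff_t &&
    has_role_type "$after" secadm_r secadm_t
}

# Generate the step 2 sudoers entry for the user named in $1.
sudoers_line() {
    printf '%s ALL=(ALL) TYPE=secadm_t ROLE=secadm_r ALL\n' "$1"
}

# Constructed sample output (user name "alice" is a placeholder).
ID_BEFORE='uid=1000(alice) gid=1000(alice) groups=1000(alice) context=staff_u:staff_r:staff_t:s0-s15:c0.c1023'
ID_AFTER='uid=0(root) gid=0(root) groups=0(root) context=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023'
ID_PLAIN_ROOT='uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023'

if secadm_transition_ok "$ID_BEFORE" "$ID_AFTER"; then
    echo "sudo -i produced the secadm_r:secadm_t context for staff_u"
fi
if ! has_role_type "$ID_PLAIN_ROOT" secadm_r secadm_t; then
    echo "an ordinary root login is sysadm_r:sysadm_t, not secadm"
fi
sudoers_line alice
```

Running the script on a real host replaces the constructed strings with `$(id)` captured before and after sudo -i; the functions themselves need only sed and cut.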