m (1 revision(s)) |
(added category SELinux) |
||
Line 60: | Line 60: | ||
* seinfo - all 3 can execute | * seinfo - all 3 can execute | ||
* sesearch - all 3 can execute. | * sesearch - all 3 can execute. | ||
[[Category:SELinux]] |
Latest revision as of 18:17, 15 August 2015
MLS Roles
user_r
Standard user role. The role is not allowed to run su or sudo. Should not be able to run sensitive applications or read sensitive data.
staff_r
This is role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to more priveledged domains.
sysadm_r
This role should be allowed to run all administrative applications except for the audit applications and SELinux tools that can change the running policy.
secadm_r
This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.
auditadm_r
This role should only be able to change the auditing subsystem.
Security Applications
- avcstat - All 3 can use.
- audit2allow - all 3 can use. Except that sysadm_r can only read /var/log/messages. secadm_r and auditadm_r can read both if running at SystemHigh
- audit2why - This should only work for secadm since it requires the reading of the policy file. He must be running at SystemHigh to process audit.log
- chcat/chcon - all 3 can use, although only certain contexts should be changeable.
- sysadm_r should be able to change everything but SELinux files and audit files
- secadm_r should be able to change all files except audit files
- auditadm should only be able to change audit files
- checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler
- checkpolicy - only secadm_r can execute, output of this tool is a policy file.
- fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?
- genhomedircon -Only secadm_r should be able to succeffully run this, audit messages will be generated and it will die a horrible death.
- getsebool - all 3 can use.
- getenforce - all 3 can use.
- load_policy - only secadm_r can execute
- matchpathcon - all 3 can use.
- restorecon - only sysadm and secadm can use, auditadm can not use
- run_init - only sysadm can use
- currently getting execvp defined message after authentication
- selinuxenabled - all 3 can use.
- semanage - all 3 can execute
- sysadm_r Should be able to use in readonly mode
- secadm_r - Full functionaility
- auditadm_r - Should not be allowed to run, or read only mode
- semodule - only secadm_r can execute.
- semodule_expand - all 3 can execute.
- semodule_link - all 3 can execute.
- semodule_package - all 3 can execute.
- sestatus - all 3 can execute.
- setenforce - Only secadm_r can setenforce 0
- setfiles - only secadm_r can execute.
- setsebool - only secadm_r can actually set anything
- system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.
- Tools from TreySys
- These tools are all governed by who can read the policy files or auditlogs.
- apol - all 3 can execute, requires GUI which I don't have installed.
- seaudit - all 3 can execute, requires GUI which I don't have installed.
- seaudit_report - all 3 can execute
- sechecker - all 3 can execute
- seinfo - all 3 can execute
- sesearch - all 3 can execute.