Revision as of 18:16, 24 July 2012
Feature Name
SELinux Systemd Access Control
Summary
systemd needs to perform an SELinux access check to decide whether or not the calling process is allowed to manage a given unit file.
Owner
- Name: Daniel Walsh
- Email: <dwalsh@redhat.com>
Current status
- Targeted release: Fedora 18
- Last updated: July 24 2012
- Percentage of completion: 40%
Detailed Description
In previous versions of Fedora/RHEL we could control which applications and users were able to start or stop a service based on the label of its SysV init script. With the advent of systemd we lost this ability: systemd itself starts and stops all services, and users and processes ask it to do so through systemctl, so the only label the kernel ever checks is systemd's own.
Benefit to Fedora
We can better lock down services. For example, NetworkManager needs to be able to start and stop the ntpd service. Today the only way to allow that is to let NetworkManager start and stop any service, including security services such as iptables/firewalld. The same applies to confined administrators: I would like to define a web administrator who can only manage files in /var/www/html and start and stop the httpd service. Without this feature I have to allow that confined admin to start and stop all services.
Scope
SELinux policy needs to be written to govern which domains are able to control which units (completed). systemd has to be modified to look at the label of the calling process and the label of the unit file the caller wants to manage, and then ask SELinux whether or not the caller is allowed that access on that unit; if the check fails, the request must be refused before systemd acts on it. A preliminary patch for this was sent to systemd a few months ago, but we need to follow up on it.
How To Test
We can write a test suite that sets up different success and failure situations. For example, cause a process to run as NetworkManager_t and execute systemctl start ntpd.service (should succeed); then, from the same domain, execute systemctl start httpd.service (should fail). Try out confined administrators with webadm_t and make sure that domain can only start and stop the httpd service and is denied on every other unit.
Normal system testing should quickly show if there are bugs in the code.
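The following Python is an added example, not code from this feature page, from systemd or from the Fedora policy. It models the check described under Scope (take the caller's label, take the unit file's label, ask the policy for a permission on the unit) and runs the success/failure matrix from How To Test against it. Everything in it is an assumption of the model: the mini type-enforcement policy, the object class name `service` and its permission names, the unit-file labels standing in for what getfilecon() would return, and the caller contexts. Real systemd would take the caller's label from the D-Bus peer and ask the kernel's loaded policy through libselinux; here the default-deny TE lookup is done in Python so the matrix can be run anywhere.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed mini policy in type-enforcement syntax (an assumption of this model,
# not Fedora's shipped policy).
POLICY = """
attribute unit_file_type;
type systemd_unit_file_t, unit_file_type;   # generic label, no per-service type
type ntpd_unit_file_t, unit_file_type;
type httpd_unit_file_t, unit_file_type;
type iptables_unit_file_t, unit_file_type;
# NetworkManager may manage only the ntpd unit.
allow NetworkManager_t ntpd_unit_file_t:service { start stop status };
# A confined web administrator may manage only httpd.
allow webadm_t httpd_unit_file_t:service { start stop status reload };
# Unconfined administrators keep full control: the attribute covers every unit type.
allow unconfined_t unit_file_type:service *;
"""

# Constructed labels standing in for what getfilecon() would return per unit file.
UNIT_LABELS = {
    "ntpd.service": "system_u:object_r:ntpd_unit_file_t:s0",
    "httpd.service": "system_u:object_r:httpd_unit_file_t:s0",
    "iptables.service": "system_u:object_r:iptables_unit_file_t:s0",
    "legacy.service": "system_u:object_r:systemd_unit_file_t:s0",
}
VERB_PERM = {"start": "start", "stop": "stop", "status": "status", "reload": "reload"}

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]          # frozenset({"*"}) grants every permission

@dataclass
class Policy:
    attrs: Dict[str, Set[str]] = field(default_factory=dict)   # type -> attributes
    rules: List[AllowRule] = field(default_factory=list)

_TYPE_RE = re.compile(r"^type (\w+)(?:, ([\w, ]+))?$")
_ALLOW_RE = re.compile(r"^allow (\w+) (\w+) ?: ?(\w+) (\*|\w+|\{[^}]*\})$")

def parse_policy(text: str) -> Policy:
    """Parse attribute/type/allow statements; anything else is rejected, not ignored."""
    pol = Policy()
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for raw in body.split(";"):
        stmt = " ".join(raw.split())          # collapse whitespace so the regexes stay simple
        if not stmt or stmt.startswith("attribute "):
            continue                          # attributes matter only where types carry them
        if m := _TYPE_RE.match(stmt):
            attrs = {a.strip() for a in (m.group(2) or "").split(",") if a.strip()}
            pol.attrs.setdefault(m.group(1), set()).update(attrs)
        elif m := _ALLOW_RE.match(stmt):
            src, tgt, cls, perms = m.groups()
            permset = frozenset({"*"}) if perms == "*" else frozenset(perms.strip("{} ").split())
            pol.rules.append(AllowRule(src, tgt, cls, permset))
        else:
            raise ValueError(f"unsupported policy statement: {stmt!r}")
    return pol

def type_of(context: str) -> str:
    """Third field of user:role:type[:range]; the MLS range may itself contain colons."""
    parts = context.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def check_access(pol: Policy, scon: str, tcon: str, tclass: str, perm: str) -> bool:
    """Default-deny TE lookup: a rule matches when its source and target name the
    type itself or an attribute that type carries."""
    sources = {type_of(scon)} | pol.attrs.get(type_of(scon), set())
    targets = {type_of(tcon)} | pol.attrs.get(type_of(tcon), set())
    return any(r.source in sources and r.target in targets and r.tclass == tclass
               and ("*" in r.perms or perm in r.perms) for r in pol.rules)

def manager_allows(pol: Policy, caller_con: str, unit: str, verb: str) -> bool:
    """The decision systemd should make for `systemctl <verb> <unit>` from a caller
    labelled caller_con: fetch the unit file's label, then ask the policy."""
    if verb not in VERB_PERM:
        raise ValueError(f"unsupported verb: {verb}")
    return check_access(pol, caller_con, UNIT_LABELS[unit], "service", VERB_PERM[verb])

NM = "system_u:system_r:NetworkManager_t:s0"
WEBADM = "staff_u:webadm_r:webadm_t:s0"
UNCONFINED = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

def run_matrix(pol: Policy) -> Dict[str, bool]:
    """The success/failure cases from How To Test, plus a generically labelled unit."""
    cases = [
        (NM, "ntpd.service", "start"), (NM, "ntpd.service", "stop"),
        (NM, "httpd.service", "start"), (NM, "iptables.service", "stop"),
        (WEBADM, "httpd.service", "start"), (WEBADM, "httpd.service", "stop"),
        (WEBADM, "iptables.service", "stop"),
        (UNCONFINED, "iptables.service", "stop"), (UNCONFINED, "legacy.service", "start"),
        (NM, "legacy.service", "start"),      # generic label: no per-service rule can match
    ]
    return {f"{type_of(c)} {v} {u}": manager_allows(pol, c, u, v) for c, u, v in cases}

if __name__ == "__main__":
    for case, allowed in run_matrix(parse_policy(POLICY)).items():
        print(f"{'allow' if allowed else 'deny':5} {case}")
```

The last case in the matrix is the caveat a practitioner should keep in mind: the fine-grained control only exists for unit files that carry a service-specific label. A unit left with the generic label is still protected by default deny, but the only callers that can manage it are those allowed on the whole attribute, so new units need file contexts as well as allow rules.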
User Experience
Since unconfined_t is the normal label of the user starting and stopping services, and unconfined_t remains allowed to manage every unit, this change should not affect normal administration of the system. Only confined domains and confined administrators see any difference.
Dependencies
systemd accepting the patch in a release that ships in F18.
Contingency Plan
We can continue allowing all access, as today, but this is less secure than what we had in Fedora 15.
Documentation
Release Notes
- Several SELinux boolean names have been changed. Mainly, booleans beginning with allow_ now begin with a domain-specific name; for example, allow_httpd_anon_write has been changed to httpd_anon_write. Setting or getting the old boolean name will continue to work, but the old name will no longer show up in lists of booleans.