From Fedora Project Wiki

MLS Roles

user_r

Standard user role. The role is not allowed to run su or sudo. Should not be able to run sensitive applications or read sensitive data.

staff_r

This is role is virtually equivalent to user_r except that it can run su/sudo and users can transition from staff_t to more priveledged domains.

sysadm_r

This role should be allowed to run all administrative applications except for the audit applications and SELinux tools that can change the running policy.

secadm_r

This role is only allowed to run the SELinux tools and change the way that SELinux is enforcing rules.

auditadm_r

This role should only be able to change the auditing subsystem.

Security Applications

  • avcstat - All 3 can use.
  • audit2allow - all 3 can use. Except that sysadm_r can only read /var/log/messages. secadm_r and auditadm_r can read both if running at SystemHigh
  • audit2why - This should only work for secadm since it requires the reading of the policy file. He must be running at SystemHigh to process audit.log
  • chcat/chcon - all 3 can use, although only certain contexts should be changeable.
  • sysadm_r should be able to change everything but SELinux files and audit files
  • secadm_r should be able to change all files except audit files
  • auditadm should only be able to change audit files
  • checkmodule - all 3 can execute. This is a tool to build a policy package, so it should not be included. Really just a compiler
  • checkpolicy - only secadm_r can execute, output of this tool is a policy file.
  • fixfiles - This is a script that all three can execute, but will only be able to. Should all three roles be able to transition to restorecon and setfiles?
  • genhomedircon -Only secadm_r should be able to succeffully run this, audit messages will be generated and it will die a horrible death.
  • getsebool - all 3 can use.
  • getenforce - all 3 can use.
  • load_policy - only secadm_r can execute
  • matchpathcon - all 3 can use.
  • restorecon - only sysadm and secadm can use, auditadm can not use
  • run_init - only sysadm can use
  • currently getting execvp defined message after authentication
  • selinuxenabled - all 3 can use.
  • semanage - all 3 can execute
  • sysadm_r Should be able to use in readonly mode
  • secadm_r - Full functionaility
  • auditadm_r - Should not be allowed to run, or read only mode
  • semodule - only secadm_r can execute.
  • semodule_expand - all 3 can execute.
  • semodule_link - all 3 can execute.
  • semodule_package - all 3 can execute.
  • sestatus - all 3 can execute.
  • setenforce - Only secadm_r can setenforce 0
  • setfiles - only secadm_r can execute.
  • setsebool - only secadm_r can actually set anything
  • system-config-securitylevel - Only secadm_r can change anything, everyone else is read only.
  • Tools from TreySys
  • These tools are all governed by who can read the policy files or auditlogs.
  • apol - all 3 can execute, requires GUI which I don't have installed.
  • seaudit - all 3 can execute, requires GUI which I don't have installed.
  • seaudit_report - all 3 can execute
  • sechecker - all 3 can execute
  • seinfo - all 3 can execute
  • sesearch - all 3 can execute.
Retrieved from "https://fedoraproject.org/w/index.php?title=SELinux/MLSRoles&oldid=420190"