SELinux Mailing List
subject: how to add new user roles
Date: Thu, 05 Jul 2001 12:05:35 -0600

Can someone share a simple new user domain they've developed, or at least the steps needed to add a new domain and role? For example, suppose I want two new domains A and B just like user except that A can read and execute B files, and B can read but not execute A files.

Steve

--
You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: how to add new user roles
Date: Thu, 5 Jul 2001 15:59:48 -0400 (EDT)

On Thu, 5 Jul 2001, Steve Eckmann wrote:
> I guess I need to create a file like user.te for each new domain,

Yes, although you need to ensure that the user_domain macro definition is read prior to the first attempt to use it. Right now, if you simply create some additional *.te files in domains/user, there isn't any guarantee that user.te will be read first. So you might need to rearrange things a little or tweak the Makefile. Or you could just add your new domains to the end of the existing user.te file.

> Can someone share a simple new user domain they've developed, or at
Sorry, I don't have an example, but I can describe what I think will
be necessary. In addition to defining the domains as you mentioned
above, you'll need to:
rule to domains/system/login.te, e.g. domain_trans(local_login_t, shell_exec_t, a_t)

2) Define rules for the newrole_t domain so that it will relabel terminals properly for the new domains. See the existing rules for user_*_t in domains/program/newrole.te. These rules actually should be moved into the user_domain macro using the parameter as with the login rules.

3) Define the role in the rbac file. Same as user_t, but replace 'user' with your domain. You could define a macro based on the current user_r definition and then reuse for each of the user domains if you want.

4) Authorize users for the role in the users file.

5) Relabel the home directories of the users who will use one of the new roles to the corresponding *_home_t type using the chcon program.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
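
The steps in the reply above, sketched for the A and B domains from the original question. This is an added example, not part of either post or of the SELinux example policy itself. It assumes that user_domain(a) creates a_t and a_home_t (following the a_t and *_home_t names in the reply), that the role and user statements take the same form as the existing user_r entries, and it uses constructed user names alice and bob.

```m4
# --- Appended to the end of domains/user/user.te, after the user_domain
# --- macro definition. Assumption: the macro creates a_t/a_home_t and
# --- b_t/b_home_t from its parameter.
user_domain(a)
user_domain(b)

# A may read and execute files of B. execute_no_trans lets a_t run the
# file in its own domain, without a domain transition.
allow a_t b_home_t:dir { read getattr search };
allow a_t b_home_t:file { read getattr execute execute_no_trans };

# B may read files of A. No execute permission is granted, so any attempt
# by b_t to run them is denied.
allow b_t a_home_t:dir { read getattr search };
allow b_t a_home_t:file { read getattr };

# --- domains/system/login.te: let login enter the new domains
# --- (rule form as given in the reply).
domain_trans(local_login_t, shell_exec_t, a_t)
domain_trans(local_login_t, shell_exec_t, b_t)

# --- domains/program/newrole.te: repeat the existing user_*_t terminal
# --- relabeling rules for a_t and b_t. They are not reproduced here
# --- because the thread does not show them.

# --- rbac file: one role per new domain. Minimal assumed form; copy the
# --- existing user_r definition and replace "user" with the new prefix.
role a_r types a_t;
role b_r types b_t;

# --- users file: authorize the (constructed) users for the new roles.
user alice roles { a_r };
user bob roles { b_r };

# --- After the policy is rebuilt and loaded, relabel the home directories
# --- from a shell (assumed chcon invocation and security context):
#   chcon -R system_u:object_r:a_home_t /home/alice
#   chcon -R system_u:object_r:b_home_t /home/bob
```

Because the policy denies anything not explicitly allowed, the asymmetry between A and B comes entirely from the one file rule that lists the execute permissions and the one that does not.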
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |











