From Fedora Project Wiki
|}
=== Confined administrator ===
{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}
As root set up a client machine with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create a confined SELinux user]). Add a user who can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>, and set up <code>sudo</code> so that this transition happens automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and that the database files are world readable, so that in the bad tests below only SELinux, not file permissions, can stop access to them. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).
Log in to the machine and try the following:
* Good Test - try to behave correctly
*# Edit files in the home directory.
*# Verify '''Firefox''' works and can access the network. Load several sites, for example http://www.ford.com, to verify that Flash works.
*# Verify other network protocols work (AOL, ssh, mail etc.).
*# Plug in a USB disk and make sure the confined administrator can read and write the disk.
*# Plug in a USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> another host from the machine.
*# Copy an executable into the home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>web_db_admin_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_admin_t</code> (check with <code>id -Z</code>).
*# Try to edit files in the <code>/var/www/html</code> directory and in some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).
* Bad Test - try to do evil
*# Try to break into the root account via <code>su</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_admin_t</code> try to add a user and to modify files in <code>/usr/share</code>.
{|
|}
=== Guest user that can send an email ===
As root set up a server machine with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create a confined SELinux user]). Add a user who can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
Log in to the machine and try the following:
* Good Test - try to behave correctly
*# Edit files in the home directory.
*# Verify you can send mail as this user.
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
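The two test plans above (confined administrator and guest mail user) share the same shape: set up a confined login, run the good tests expecting success and the bad tests expecting a denial. The shell harness below is an added example, not part of the Fedora test plan or of the Fedora SELinux policy. It assumes the policy modules are built as <code>web_db_admin.pp</code> and <code>sendmail_user.pp</code> following the linked article, that the admin domain runs under role <code>staff_r</code>, that <code>sudo</code> is built with SELinux support (as on Fedora) so a sudoers <code>ROLE=</code>/<code>TYPE=</code> entry performs the transition, and that <code>/secrets</code> carries a hypothetical type <code>secrets_t</code>. The point it adds to the plan: a bad test that merely fails is not a pass. The setup deliberately leaves the database world readable, so a denial must show up as an AVC message; a failure with no AVC (<code>DAC_ONLY</code>) means ordinary file permissions, not the policy under test, stopped the action.

```shell
#!/bin/sh
# Added example harness for the confined-user test plans (not Fedora's code).
# Assumptions: web_db_admin.pp / sendmail_user.pp built from the linked recipe,
# admin role staff_r, sudo with SELinux support, /secrets labelled secrets_t.
# context_type, avc_source_type and classify are pure and run anywhere;
# setup_* and run_case need root, auditd and SELinux in enforcing mode.

TESTUSER=${TESTUSER:-webadm}
ADMIN_TYPE=web_db_admin_t

# Constructed AVC line in the format audit(8) writes; not captured output.
SAMPLE_AVC='type=AVC msg=audit(1215000000.123:45): avc:  denied  { read } for  pid=2345 comm="cat" name="passwords" dev=dm-0 ino=9876 scontext=staff_u:staff_r:web_db_admin_t:s0 tcontext=system_u:object_r:secrets_t:s0 tclass=file'

# Type field of an SELinux context user:role:type[:range], e.g. from `id -Z`.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Source type (the domain that was denied) from one AVC audit line.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Number of AVC denials in the audit log; run_case diffs two samples.
avc_count() {
    ausearch -m AVC --raw 2>/dev/null | grep -c 'avc: *denied' || true
}

# Verdict for one case: expected is allow (good test) or deny (bad test),
# rc the command's exit status, avc the number of new denials it caused.
classify() {
    expected=$1; rc=$2; avc=$3
    case "$expected" in
        allow)
            if [ "$rc" -eq 0 ] && [ "$avc" -eq 0 ]; then echo PASS
            elif [ "$rc" -eq 0 ]; then echo PASS_WITH_AVC   # worked, but review the denial
            else echo FAIL; fi ;;
        deny)
            if [ "$rc" -ne 0 ] && [ "$avc" -gt 0 ]; then echo PASS
            elif [ "$rc" -ne 0 ]; then echo DAC_ONLY     # blocked by permissions, not policy
            else echo FAIL; fi ;;
        *)  echo "classify: expected must be allow or deny" >&2; return 2 ;;
    esac
}

# Run one command as the test user through a login shell and classify it.
run_case() {
    label=$1; expected=$2; shift 2
    before=$(avc_count)
    if su - "$TESTUSER" -c "$*" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    after=$(avc_count)
    printf '%-40s %s\n' "$label" "$(classify "$expected" "$rc" $((after - before)))"
}

setup_admin() {
    semodule -i web_db_admin.pp                      # policy built per the plan
    useradd -Z staff_u "$TESTUSER"                   # logs in as staff_u
    # sudo performs the staff_t -> web_db_admin_t transition automatically
    printf '%s ALL=(ALL) ROLE=staff_r TYPE=%s NOPASSWD: ALL\n' "$TESTUSER" "$ADMIN_TYPE" \
        > /etc/sudoers.d/web_db_admin
    chmod 0440 /etc/sudoers.d/web_db_admin
    mkdir -p /secrets && chmod 0755 /secrets && chcon -t secrets_t /secrets   # assumed label
    yum -y install mysql-server httpd && service mysqld start && service httpd start
    chmod -R o+rX /var/lib/mysql                     # world readable, as the plan requires
}

setup_guest() {
    semodule -i sendmail_user.pp
    useradd -Z sendmail_user_u "$TESTUSER"
}

case "${1:-}" in
    admin)
        setup_admin
        run_case "edit a file in the home directory" allow 'echo ok > ~/t && rm ~/t'
        run_case "sudo sh ends up in $ADMIN_TYPE"    allow "sudo sh -c 'id -Z' | grep -q $ADMIN_TYPE"
        run_case "restart httpd via sudo"            allow 'sudo service httpd restart'
        run_case "su to root"                        deny  'su -c true </dev/null'
        run_case "read /secrets"                     deny  'cat /secrets/*'
        run_case "list databases with mysqlshow"     deny  'mysqlshow'
        run_case "add a user as $ADMIN_TYPE"         deny  'sudo useradd intruder' ;;
    guest)
        setup_guest
        run_case "send mail with sendmail"           allow "printf 'Subject: t\n\nhi\n' | sendmail root"
        run_case "sudo to root"                      deny  'sudo -n true'
        run_case "read /secrets"                     deny  'cat /secrets/*'
        run_case "list databases with mysqlshow"     deny  'mysqlshow' ;;
esac
```

Run it as root with <code>sh harness.sh admin</code> on the client machine and <code>sh harness.sh guest</code> on the server machine; with no argument it only defines the functions. The <code>avc_source_type</code> helper is there for reading the denials afterwards (<code>ausearch -m AVC --raw</code>): for the admin bad tests the source type must be <code>web_db_admin_t</code> when the action was attempted through <code>sudo</code>, and <code>staff_t</code> otherwise; a denial whose source is some other domain means the transition did not happen. Note that the <code>su</code> case can legitimately report <code>DAC_ONLY</code>, since a wrong password fails before any policy check.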
{|