<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" >Hi Joseph,</div>
<div dir="ltr" > </div>
<div dir="ltr" >I may not be accurate here, but from what I have learnt, yes, this can be done using the "Type Enforcement" feature in SELinux.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Type Enforcement essentially allows every file/object/process in an SELinux-enabled system to be stored with a security context label as an extended attribute.</div>
<div dir="ltr" >Policies can then be framed to allow access between objects carrying different security context labels.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Any access between security contexts that does not have an associated SELinux policy will be denied by default.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Say, for example, in this case:</div>
<div dir="ltr" > </div>
<div dir="ltr" ><font size="2" face="Default Monospace,Courier New,Courier,monospace" >> I would like to see SELinux limit who can write to files under the /etc<br>> directory. For example, bmcweb implements REST APIs to add and modify<br>> local users, control pam_tally2 account lockout parameters, etc. More<br>> specifically, the phosphor-user-manager daemon modifies files like<br>> /etc/shadow and /etc/pam.d/common_auth. Only this application should be<br>> able to write to these files. Also, this daemon should not be allowed<br>> to write to any other config files.</font></div>
<div dir="ltr" > </div>
<div dir="ltr" >1. A new security label needs to be defined, say <strong>user_manager_t</strong>, for the <strong>phosphor-user-manager</strong> service, and this context can be attached to the service through the SELinux tag in the D-Bus configuration XML file, so that when the user-manager service executes it obtains a security context type of <strong>user_manager_t</strong>.</div>
<div dir="ltr" >2. As far as I know, the files in <strong>/etc</strong> would acquire a security context label of <strong>etc_t</strong> by default during the auto-relabelling process, which happens at the first SELinux-enabled boot of the BMC.</div>
<div dir="ltr" >3. Now we just need to write an SELinux policy to allow access between the <strong>user_manager_t</strong> type and the <strong>etc_t</strong> type.</div>
<div dir="ltr" >4. Any process, for example <strong>bmcweb</strong>, which has, say, <strong>webserver_t</strong> (and does not have the security context of <strong>user_manager_t</strong>), would get an access denied if it tried to write to the <strong>/etc</strong> files, as there is no associated policy.</div>
<div dir="ltr" >5. We can even assign a security label to each file inside <strong>/etc</strong> and write an associated policy for it, so that we get granular control over who can access which file under <strong>/etc</strong>.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Hope this answers your question.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Thanks,</div>
<div dir="ltr" >Manoj</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" data-history-expanded="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: Joseph Reynolds <jrey@linux.ibm.com><br>Sent by: "openbmc" <openbmc-bounces+manojeda=in.ibm.com@lists.ozlabs.org><br>To: Manojkiran Eda <manojeda@in.ibm.com>, openbmc@lists.ozlabs.org, rnouse@google.com<br>Cc: ratagupt@linux.vnet.ibm.com<br>Subject: [EXTERNAL] Re: SELinux UseCases<br>Date: Tue, May 12, 2020 11:48 PM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >On 5/10/20 11:34 PM, Manojkiran Eda wrote:<br>> Hi All,<br>> This is just a ping - to generate a discussion on the below<br>> mentioned use-cases.<br>> Appreciate any inputs/comments.<br><br>Thanks for putting this together.<br><br>I would like to see SELinux limit who can write to files under the /etc<br>directory. For example, bmcweb implements REST APIs to add and modify<br>local users, control pam_tally2 account lockout parameters, etc. More<br>specifically, the phosphor-user-manager daemon modifies files like<br>/etc/shadow and /etc/pam.d/common_auth. Only this application should be<br>able to write to these files. Also, this daemon should not be allowed<br>to write to any other config files.<br><br>- Joseph<br><br>> Thanks,<br>> Manoj<br>><br>> ----- Original message -----<br>> From: Manojkiran Eda/India/IBM<br>> To: openbmc@lists.ozlabs.org, rnouse@google.com<br>> Cc: ratagupt@linux.vnet.ibm.com<br>> Subject: SELinux UseCases<br>> Date: Thu, Apr 30, 2020 6:50 PM<br>> Hi All,<br>> (My apologies for the lengthy email.)<br>> Below are a few use-cases in the BMC where I feel inclusion of SELinux<br>> would be a value add (there could be many more missing). Please<br>> feel free to drop in your comments/feedback.<br>><br>...snip...</font><br> </div></blockquote>
<div dir="ltr" > </div></div><BR>
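<div dir="ltr" >Added example (not code from this thread or from the OpenBMC project): a script that writes, and where the SELinux userspace tools are installed also compiles, a minimal loadable policy module for steps 3 to 5 of the reply above. The type names <strong>user_manager_t</strong>, <strong>webserver_t</strong> and <strong>etc_t</strong> are the ones used in the thread; <strong>shadow_t</strong> is the type the reference policy gives /etc/shadow; <strong>user_manager_conf_t</strong> is an assumed new type introduced here for the per-file labelling of step 5. How the daemon enters the <strong>user_manager_t</strong> domain (the exec transition) is assumed to be provided by the base policy and is not shown.</div>

```shell
#!/bin/sh
# Added example, not from the thread: build a minimal SELinux policy module for
# the phosphor-user-manager scenario. Assumed names: user_manager_conf_t (new
# type for the daemon's own config files), webserver_t (the bmcweb domain).
set -eu

# Where the .te/.fc sources and the compiled .pp end up.
POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"

write_policy() {
    # Type-enforcement rules. Anything not allowed here is denied by default.
    cat > "$POLICY_DIR/user_manager.te" <<'EOF'
module user_manager 1.0;

require {
    attribute domain;
    attribute file_type;
    type etc_t;          # default label of ordinary files under /etc
    type shadow_t;       # label of /etc/shadow in the reference policy
    type webserver_t;    # assumed: the domain bmcweb runs in
    class dir  { search getattr read write add_name remove_name };
    class file { getattr setattr read write append open create unlink rename lock };
}

# Step 1: a dedicated domain for phosphor-user-manager (entered via a
# transition defined in the base policy, not shown here).
type user_manager_t;
typeattribute user_manager_t domain;

# Step 5: a dedicated type for the config files only this daemon may edit,
# so the grant does not have to cover everything labelled etc_t.
type user_manager_conf_t;
typeattribute user_manager_conf_t file_type;

# Step 3: the daemon may traverse /etc and read generic etc_t files, but may
# rewrite only its own files and /etc/shadow.
allow user_manager_t etc_t:dir  { search getattr read write add_name remove_name };
allow user_manager_t etc_t:file { getattr read open };
allow user_manager_t user_manager_conf_t:file { getattr setattr read write append open create unlink rename lock };
allow user_manager_t shadow_t:file { getattr setattr read write append open create unlink rename lock };

# Files the daemon creates under /etc get its own type; a recreated
# /etc/shadow (tmp file + rename is the usual pattern) keeps shadow_t.
type_transition user_manager_t etc_t:file user_manager_conf_t;
type_transition user_manager_t etc_t:file shadow_t "shadow";

# Step 4: no rule grants webserver_t write access, so it is denied by default.
# neverallow turns that intent into an assertion the policy build rejects if
# any other module ever adds such a rule.
neverallow webserver_t { shadow_t user_manager_conf_t }:file { write append setattr unlink rename };
EOF

    # File contexts: the label applied by restorecon / the initial relabel.
    # The path is the one named in the thread.
    cat > "$POLICY_DIR/user_manager.fc" <<'EOF'
/etc/pam\.d/common_auth    --    system_u:object_r:user_manager_conf_t:s0
EOF
    echo "policy sources written to $POLICY_DIR"
}

build_policy() {
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not installed; sources left in $POLICY_DIR" >&2
        return 0
    fi
    # -M: MLS/MCS-aware (the .fc uses an s0 level); -m: loadable module, not a base policy.
    checkmodule -M -m -o "$POLICY_DIR/user_manager.mod" "$POLICY_DIR/user_manager.te"
    semodule_package -o "$POLICY_DIR/user_manager.pp" \
        -m "$POLICY_DIR/user_manager.mod" -f "$POLICY_DIR/user_manager.fc"
    echo "built $POLICY_DIR/user_manager.pp"
    echo "install with: semodule -i $POLICY_DIR/user_manager.pp && restorecon -Rv /etc"
}

write_policy
build_policy
```

<div dir="ltr" >Running the script leaves user_manager.te and user_manager.fc (and, with the tools present, user_manager.pp) in $POLICY_DIR. The point to notice is step 4: bmcweb's domain needs no rule at all to be locked out; the default-deny of type enforcement does that, and the neverallow only documents the intent so that a later policy change cannot silently re-open the path. In an OpenBMC image the same .te/.fc pair would normally be built into the policy by the Yocto recipe rather than compiled on the BMC.</div>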