Can Solaris RBAC roles be ported to Linux using SElinux only?

user126330 asked:

We are migrating an application from Solaris to Linux and the main user is allowed, through the use of RBAC roles, to run a few system commands like svccfg/svcadm (chkconfig on redhat).

Is it possible, using only SElinux (no sudo), to allow a normal user to run chkconfig off/on (basically give it the ability to add remove services) ?

My approach was to try to create an SElinux user with a corresponding SElinux role that manages the app’s domain/type and is allowed to transition to all other domains required to run chkconfig, tcpdump or any other system utility usually restricted to root access only.
All my attempts so far have failed, so my second question would be where could I find good documentation that applies to this specific problem ?

My answer:

The SELinux reference policy already contains a user role sysadm_r which (slightly) confines root when confined users are being used on the system (they are not by default).

It should be possible to design a user role which can start/stop services and no other admin tasks, based loosely on sysadm_r, though I’ve never had to do this before and so I hesitate to give you a line-by-line. As much as I hate to say it, this is a question I would probably take to the selinux mailing list.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.