On 11/22/2016 02:08 AM, Jeff Becker wrote:
> I finally got to see this work by turning SELinux enforcement to ON
> instead of permissive. The reason I wasn't seeing access denials in the
> audit log is because they were blocked by dontaudit rules in
> userdom_unpriv_user_template. It would be nice if I could simply turn
> off some of these dontaudit rules. (I know I can turn them all off with
> semodule -DB)

Great news ;-)

I apologize that I was not responding. I was on vacation.

So if you have any other questions, I am ready to help you.

Thank you.

> -jeff
>
> On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
>
> > Hi. I'm wondering if anyone has any input on this. After building
> > the Fedora SELinux policy with UBAC support (and rebooting), I've
> > created two SELinux users: {user_a role_a type_a} and {user_b role_b
> > type_b}, and both type_a and type_b have the ubac_constrained_type
> > attribute set. My understanding of UBAC led me to believe that
> > user_a would not have access to a file of type type_b. Similarly,
> > user_b would not have access to a file of type type_a. However,
> > these accesses are allowed. What else do I need to do to get this to
> > work? Thanks.
> >
> > -jeff
> >
> > On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
> >
> > > Some progress...
> > >
> > > On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
> > >
> > > > Hi.
> > > >
> > > > On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
> > > >
> > > > > On 11/09/2016 08:54 PM, Jeff Becker wrote:
> > > > > > Hi. I successfully compiled and loaded the following policy file on
> > > > > > RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I
> > > > > > run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the
> > > > > > attributes. How do I enable UBAC? Thanks.
> > > > >
> > > > > Hi Jeff,
> > > > > we don't build Fedora/RHEL distribution policy with UBAC support.
> > > >
> > > > I suspected that.
> > > >
> > > > > You would need to rebuild the policy from srpms to enable it
> > > >
> > > > I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from
> > > > http://kojipkgs.fedoraproject.org. I figured this was close to
> > > > what I have installed (selinux-policy-3.13.1-102.el7_3.4.noarch).
> > > > I enabled UBAC in build.conf, and built and installed the policy.
> > > > When I rebooted, I could see that the ubac_constrained_type attribute
> > > > was present on several types (including my new ones that I recompiled
> > > > and loaded). However, it's not working the way I thought it should.
> > > > If I log in with SELinux user A and I try to access a file from
> > > > SELinux user B (both types have the ubac_constrained_type attribute
> > > > set), I thought access would be denied, but it's not, and
> > > > nothing shows up in the audit log. Am I misunderstanding or
> > > > missing something? Thanks.
> > > >
> > > > -jeff
> > > >
> > > > > What is your intention with UBAC?
> > > >
> > > > My use case is that I'd like to have several file types with
> > > > associated SELinux users/roles, such that SELinux users of a
> > > > certain type cannot access files associated with another
> > > > user's type, regardless of what application is used for the
> > > > access, e.g., my foo_u user below would not be able to
> > > > access files of type bar_t (associated with SELinux user
> > > > bar_u). I need this to be under mandatory access control, so
> > > > it seems that multi category security (MCS) labels would not
> > > > work, as they are discretionary. Is there another way, e.g.,
> > > > role based access control (RBAC), that could be used? Thanks.
> > > >
> > > > -jeff
> > > >
> > > > > > -jeff
> > > > > >
> > > > > > --------------------------------------------------------------------------------
> > > > > >
> > > > > > policy_module(foo, 1.0.0)
> > > > > >
> > > > > > ########################################
> > > > > > #
> > > > > > # Declarations
> > > > > > #
> > > > > >
> > > > > > userdom_unpriv_user_template(foo)
> > > > > >
> > > > > > ########################################
> > > > > > #
> > > > > > # foo local policy
> > > > > > #
> > > > > >
> > > > > > domain_use_interactive_fds(foo_t)
> > > > > >
> > > > > > files_read_etc_files(foo_t)
> > > > > >
> > > > > > miscfiles_read_localization(foo_t)
> > > > > >
> > > > > > ubac_constrained(foo_t)
> > > > > >
> > > > > > _______________________________________________
> > > > > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > > >
> > > > > --
> > > > > Miroslav Grepl
> > > > > Senior Software Engineer, SELinux Solutions
> > > > > Red Hat, Inc.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
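The following is an added illustration, not code from the thread or from the reference policy: a small model of the UBAC decision Jeff was expecting between his user_a/type_a and user_b/type_b contexts. It assumes the documented UBAC rule (when both the subject's and the object's types carry ubac_constrained_type, the SELinux users must match, with system_u exempt on either side); the real refpolicy constraint has further exemptions and object-class limits that this model leaves out, and the attribute map is constructed to stand in for what `seinfo -t <type> -x` reports after a UBAC-enabled policy build.

```python
from dataclasses import dataclass

UBAC_ATTR = "ubac_constrained_type"

# Constructed attribute map (assumption): what seinfo would show once the
# policy is built with UBAC on; ubac_constrained(foo_t) adds it to foo_t.
TYPE_ATTRS = {
    "type_a": {UBAC_ATTR},
    "type_b": {UBAC_ATTR},
    "foo_t": {UBAC_ATTR},
    "etc_t": set(),  # unconstrained: shared system files stay reachable
}


@dataclass(frozen=True)
class Context:
    """Security context user:role:type (MLS/MCS field ignored)."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, label: str) -> "Context":
        user, role, type_, *_ = label.split(":")
        return cls(user, role, type_)


def ubac_permits(src: Context, tgt: Context, attrs=TYPE_ATTRS):
    """Evaluate only the simplified UBAC constraint; the type enforcement
    allow rule must still pass separately.  Returns (decision, reason)."""
    if src.user == tgt.user:
        return True, "same SELinux user"
    if "system_u" in (src.user, tgt.user):
        return True, "system_u is exempt"
    if UBAC_ATTR not in attrs.get(src.type, set()):
        return True, f"{src.type} lacks {UBAC_ATTR}"
    if UBAC_ATTR not in attrs.get(tgt.type, set()):
        return True, f"{tgt.type} lacks {UBAC_ATTR}"
    return False, f"{src.user} != {tgt.user} and both types are constrained"


def ubac_permits_labels(src: str, tgt: str) -> bool:
    return ubac_permits(Context.parse(src), Context.parse(tgt))[0]


if __name__ == "__main__":
    # Jeff's scenario: a user_a process touching a file labelled for user_b.
    for s, t in [("user_a:role_a:type_a", "user_b:object_r:type_b"),
                 ("user_a:role_a:type_a", "user_a:object_r:type_a"),
                 ("user_a:role_a:type_a", "system_u:object_r:etc_t")]:
        ok, why = ubac_permits(Context.parse(s), Context.parse(t))
        print(f"{s} -> {t}: {'allowed' if ok else 'denied'} ({why})")
```

A denial produced by this constraint is still subject to dontaudit rules, which is why the thread's denials only surfaced once the policy ran enforcing and `semodule -DB` was the way to make them visible in the audit log.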