Re: user based access control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/22/2016 02:08 AM, Jeff Becker wrote:
> I finally got to see this work by turning SELinux enforcement to ON
> instead of permissive. The reason I wasn't seeing access denials in the
> audit log is because they were blocked by dontaudit rules in
> userdom_unpriv_user_template. It would be nice if I could simply turn
> off some of these dontaudit rules. (I know I can turn them all off with
> semodule -DB)

Great news ;-)

I apologize that I was not responding. I was on vacation. So if you have
another questions I am ready to help you.

Thank you.

> 
> -jeff
> 
> On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker@xxxxxxxxx
> <mailto:jeff.c.becker@xxxxxxxxx>> wrote:
> 
>     Hi. I'm wondering if anyone has any input on this. After building
>     the Fedora  SELinux policy with UBAC support (and rebooting),  I've
>     created two SELinux users: {user_a role_a type_a} and {user_b role_b
>     type_b}, and both type_a and type_b have the ubac_constrained_type
>     attribute set. My understanding of UBAC led me to believe that
>     user_a would not have access to a file of type type_b. Similarly,
>     user_b would not have access to a file of type type_a. However,
>     these accesses are allowed. What else do I need to do to get this to
>     work. Thanks.
> 
>     -jeff
> 
>     On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker
>     <jeff.c.becker@xxxxxxxxx <mailto:jeff.c.becker@xxxxxxxxx>> wrote:
> 
>         Some progress...
> 
>         On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker
>         <jeff.c.becker@xxxxxxxxx <mailto:jeff.c.becker@xxxxxxxxx>> wrote:
> 
>             Hi.
> 
>             On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl
>             <mgrepl@xxxxxxxxxx <mailto:mgrepl@xxxxxxxxxx>> wrote:
> 
>                 On 11/09/2016 08:54 PM, Jeff Becker wrote:
>                 > Hi. I successfully compiled and loaded the following
>                 policy file on
>                 > RHEL7 with the latest (as of yesterday) SELinux rpms.
>                 However, when I
>                 > run "seinfo -tfoo_t -x", I don't see
>                 ubac_constrained_type listed in the
>                 > attributes. How do I enable UBAC? Thanks.
> 
>                 Hi Jeff,
>                 we don't build Fedora/RHEL distribution policy with UBAC
>                 support.
> 
> 
>             I suspected that.
>              
> 
>                 You
>                 would need to rebuild the policy from srpms to enable it
> 
> 
>         I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from 
>         http://kojipkgs.fedoraproject.org
>         <http://kojipkgs.fedoraproject.org>. I figured this was close to
>         what I have installed
>         (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled UBAC in
>         build.conf, and built and installed the policy. When I rebooted,
>         I could see that ubac_constrained_type attribute was present on
>         several types (including my new ones that I recompiled and
>         loaded). However, it's not working the way I thought it should.
>         If I log in with SELinux user A and I try to access a file from
>         SELinux user B (both types have ubac_constrained_type attribute
>         set), I thought access would be denied, but it's not, and
>         nothing shows up in the audit log. Am I misunderstanding or
>         missing something? Thanks.
> 
>         -jeff
> 
> 
> 
>                 What is your intention with UBAC?
> 
> 
>             My use case is that I'd like to have several file types with
>             associated SELinux users/roles, such that SELinux users of a
>             certain type cannot access files associated with another
>             user's type, regardless of what application is used for the
>             access, e.g., my foo_u user below would not be able to
>             access files of type bar_t (associated with SELinux user
>             bar_u). I need this to be under mandatory access control, so
>             it seems that multi category security (MCS) labels would not
>             work, as they are discretionary. Is there another way, e.g.,
>             role based access control (RBAC) that could be used? Thanks.
> 
>             -jeff
> 
> 
>                 >
>                 > -jeff
>                 >
>                 >
>                 --------------------------------------------------------------------------------------------------------------------------------------------------------------
>                 >
>                 > policy_module(foo, 1.0.0)
>                 >
>                 > ########################################
>                 > #
>                 > # Declarations
>                 > #
>                 > userdom_unpriv_user_template(foo)
>                 >
>                 > ########################################
>                 > #
>                 > # foo local policy
>                 > #
>                 >
>                 > domain_use_interactive_fds(foo_t)
>                 >
>                 > files_read_etc_files(foo_t)
>                 >
>                 > miscfiles_read_localization(foo_t)
>                 >
>                 > ubac_constrained(foo_t)
>                 >
>                 >
>                 >
>                 > _______________________________________________
>                 > selinux mailing list --
>                 selinux@xxxxxxxxxxxxxxxxxxxxxxx
>                 <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>                 > To unsubscribe send an email to
>                 selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>                 <mailto:selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx>
>                 >
> 
> 
>                 --
>                 Miroslav Grepl
>                 Senior Software Engineer, SELinux Solutions
>                 Red Hat, Inc.
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux