I have another question. As you know I built the targeted policy with UBAC=y. Now I'm trying to make it so that user_home_dir_t and user_home_t are exempt from ubac, as I really only want to use it for specially tagged files. I compiled and loaded the following module, but it still prevents access to files of type user_home_t. Any suggestions? Thanks.
-jeff
========================================================================
policy_module(myubac, 1.0.0)
require {
type user_home_t;
type user_home_dir_t;
};
ubac_file_exempt(user_home_t)
ubac_file_exempt(user_home_dir_t)
On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
On 11/22/2016 02:08 AM, Jeff Becker wrote:
> I finally got to see this work by turning SELinux enforcement to ON
> instead of permissive. The reason I wasn't seeing access denials in the
> audit log is because they were blocked by dontaudit rules in
> userdom_unpriv_user_template. It would be nice if I could simply turn
> off some of these dontaudit rules. (I know I can turn them all off with
> semodule -DB)
Great news ;-)
I apologize that I was not responding. I was on vacation. So if you have
any other questions I am ready to help you.
Thank you.
>
> -jeff
>
> On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
>
> Hi. I'm wondering if anyone has any input on this. After building
> the Fedora SELinux policy with UBAC support (and rebooting), I've
> created two SELinux users: {user_a role_a type_a} and {user_b role_b
> type_b}, and both type_a and type_b have the ubac_constrained_type
> attribute set. My understanding of UBAC led me to believe that
> user_a would not have access to a file of type type_b. Similarly,
> user_b would not have access to a file of type type_a. However,
> these accesses are allowed. What else do I need to do to get this to
> work. Thanks.
>
> -jeff
>
> On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
>
> Some progress...
>
> On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker <jeff.c.becker@xxxxxxxxx> wrote:
>
> Hi.
>
> On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
>
> On 11/09/2016 08:54 PM, Jeff Becker wrote:
> > Hi. I successfully compiled and loaded the following policy file on
> > RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I
> > run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the
> > attributes. How do I enable UBAC? Thanks.
>
> Hi Jeff,
> we don't build Fedora/RHEL distribution policy with UBAC support.
>
> I suspected that.
>
> You would need to rebuild the policy from srpms to enable it
>
> I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from
> http://kojipkgs.fedoraproject.org. I figured this was close to what I
> have installed (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled
> UBAC in build.conf, and built and installed the policy. When I rebooted,
> I could see that the ubac_constrained_type attribute was present on
> several types (including my new ones that I recompiled and loaded).
> However, it's not working the way I thought it should. If I log in with
> SELinux user A and I try to access a file from SELinux user B (both
> types have the ubac_constrained_type attribute set), I thought access
> would be denied, but it's not, and nothing shows up in the audit log.
> Am I misunderstanding or missing something? Thanks.
>
> -jeff
>
> What is your intention with UBAC?
>
>
> My use case is that I'd like to have several file types with
> associated SELinux users/roles, such that SELinux users of a
> certain type cannot access files associated with another
> user's type, regardless of what application is used for the
> access, e.g., my foo_u user below would not be able to
> access files of type bar_t (associated with SELinux user
> bar_u). I need this to be under mandatory access control, so
> it seems that multi category security (MCS) labels would not
> work, as they are discretionary. Is there another way, e.g.,
> role based access control (RBAC) that could be used? Thanks.
>
> -jeff
>
> >
> > -jeff
> >
> > ------------------------------------------------------------------------
> >
> > policy_module(foo, 1.0.0)
> >
> > ########################################
> > #
> > # Declarations
> > #
> > userdom_unpriv_user_template(foo)
> >
> > ########################################
> > #
> > # foo local policy
> > #
> >
> > domain_use_interactive_fds(foo_t)
> >
> > files_read_etc_files(foo_t)
> >
> > miscfiles_read_localization(foo_t)
> >
> > ubac_constrained(foo_t)
> >
> > _______________________________________________
> > selinux mailing list -- selinux@lists.fedoraproject.org
> > To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
> >
>
> --
> Miroslav Grepl
> Senior Software Engineer, SELinux Solutions
> Red Hat, Inc.
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
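As an added illustration (not code from this thread or from the refpolicy sources), the following Python models the shape of the UBAC file constraint the participants are reasoning about: access gets past UBAC when the SELinux users match, when either type lacks ubac_constrained_type, when either side is system_u, or when the subject carries an exemption attribute. The exact expression in the policy you built, and which side the ubac_file_exempt attribute is tested on, must be checked with `seinfo --constrain`; the attribute name `ubacfile` and its placement on the subject side are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ctx:
    """A security context reduced to the two fields the UBAC constraint compares."""
    user: str   # SELinux user, e.g. user_a or system_u
    type_: str  # SELinux type, e.g. type_a or user_home_t


# Constructed type -> attribute map mirroring the thread's setup:
# ubac_constrained(foo_t) in a .te file puts foo_t in ubac_constrained_type.
ATTRS = {
    "type_a": {"ubac_constrained_type"},
    "type_b": {"ubac_constrained_type"},
    "user_home_t": {"ubac_constrained_type"},
    "unconfined_t": set(),  # never given the attribute in this model
}


def ubac_allows(subject, obj, attrs=ATTRS, exempt_attr="ubacfile"):
    """True when the modelled UBAC constraint does not block subject -> obj.

    A False here is what the constraint denies; the thread notes that such
    denials may be hidden from the audit log by dontaudit rules, so an empty
    log in permissive mode does not prove the constraint is absent. The
    ordinary allow rules are not evaluated by this model.
    """
    sub_attrs = attrs.get(subject.type_, set())
    obj_attrs = attrs.get(obj.type_, set())
    return (
        subject.user == obj.user
        or "ubac_constrained_type" not in sub_attrs
        or "ubac_constrained_type" not in obj_attrs
        or subject.user == "system_u"
        or obj.user == "system_u"
        or exempt_attr in sub_attrs  # assumption: exemption is subject-side
    )


def with_attr(attrs, type_name, attr):
    """Copy of attrs with attr added to type_name (what a typeattribute does)."""
    new = {t: set(a) for t, a in attrs.items()}
    new.setdefault(type_name, set()).add(attr)
    return new


def without_attr(attrs, type_name, attr):
    """Copy of attrs with attr removed from type_name."""
    new = {t: set(a) for t, a in attrs.items()}
    new.get(type_name, set()).discard(attr)
    return new
```

Run the scenarios from the thread through `ubac_allows` (user_a:type_a reading a user_b:type_b file, the same file owned by system_u, a home file whose type has lost the attribute) to see which combination of user and type attributes actually triggers the constraint.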