Hello Phil:
Thank you for the suggestion. I have tried the steps from the
URL that you provided without success.
I get an error when I try to assign Linux user mary to an SELinux
login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote:
Hi Bill,
Have you thought about using categories?
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
Cheers
Phil
From: Bill D <littus@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Cc: littus@xxxxxxxxxx
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC
Greetings:
I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar.
How to configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success.
I would greatly appreciate any hints.
Regards,
Bill
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx