On Tue, 2017-05-23 at 16:51 -0700, Bill D wrote: > Greetings: > > I have been trying to figure out how to control the execution of > Java > JAR files with SELinux RBAC. > > I have two Linux users named joe and mary and two Java JAR files > named > jack.jar and mary.jar. > > Here is how jack executes jack.jar: java -jar jack.jar > > Here is how mary executes mary.jar: java -jar mary.jar So they aren't actually executing those files; they are both executing java, which in turn is reading those files and interpreting the contents. > I would like SELinux RBAC to prevent jack from executing mary.jar > and > prevent mary from executing jack.jar. > > How to configure SELinux RBAC to make that happen? > > I have tried various approaches without success. I have also tried > the > steps in http://forums.fedoraforum.org/archive/index.php/t-222938.htm > l > without success. > > I would greatly appreciate any hints. Perhaps you could describe what you tried in more detail, and how it failed. The thing to remember is that for your scenario above, you need to control read permission, not execute permission. You can either do this via RBAC/TE (in which case you need separate SELinux users, roles, and domains for jack and mary, and separate types for jack.jar and mary.jar), or via MCS/MLS (in which case you need to have jack and mary run in MCS constrained domains, authorize them for different categories, and assign those different categories to the .jar files). Perhaps the better question is what is it that you are really trying to achieve. Merely controlling which jar files they can read/execute isn't terribly interesting; what prevents them from just re-creating or downloading the other .jar file themselves? _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
