On 05/24/2017 01:36 PM, Stephen Smalley wrote:
On Tue, 2017-05-23 at 16:51 -0700, Bill D wrote:
Greetings:
I have been trying to figure out how to control the execution of
Java
JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files
named
jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
So they aren't actually executing those files; they are both executing
java, which in turn is reading those files and interpreting the
contents.
Correct.
I would like SELinux RBAC to prevent jack from executing mary.jar
and
prevent mary from executing jack.jar.
How to configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried
the
steps in http://forums.fedoraforum.org/archive/index.php/t-222938.htm
l
without success.
I would greatly appreciate any hints.
Perhaps you could describe what you tried in more detail, and how it
failed. The thing to remember is that for your scenario above, you
need to control read permission, not execute permission. You can
either do this via RBAC/TE (in which case you need separate SELinux
users, roles, and domains for jack and mary, and separate types for
jack.jar and mary.jar), or via MCS/MLS (in which case you need to have
jack and mary run in MCS constrained domains, authorize them for
different categories, and assign those different categories to the .jar
files).
Thank you for making me realize that the access control that I need is
indeed read, not execute.
I will try again via RBAC/TE and will provide details on what I tried if
I still cannot get it to work.
Perhaps the better question is what is it that you are really trying to
achieve. Merely controlling which jar files they can read/execute
isn't terribly interesting; what prevents them from just re-creating or
downloading the other .jar file themselves?
I am trying to implement the least privilege concept on a particular
system. At this point it is fine if the user copies the other JAR file
to other systems since it will not run as expected on that other
system. But this may become a requirement later...
Thanks!
Bill
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx