Re: Controlling execution of Java JAR files with SELinux RBAC

[Bill D <littus@xxxxxxxxxx>]

Hello Phil:

Thank you for the response.  Your suggested fix resolved the error.

However, I am unable to get the desired effect.

I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories.

I would appreciate any other hints to make this work.

Following are the details of what I did:

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# semanage user -m -r s0-s0:c0.c1023 user_u

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r


# cat setrans.conf

#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

# service mcstrans restart
Stopping mcstransd:                                        [  OK  ]
Starting mcstransd:                                        [  OK  ]

# chcat -L
s0:c0                          NetworkAdministrator
s0:c1                          Operator
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh

# useradd foo

# useradd bar

# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# semanage login -a foo

# semanage login -a bar

# chcat -l -- +NetworkAdministrator foo

# chcat -l -- +Operator bar

# chcat -L -l bar foo
bar: s0:c0.c1023,c1    <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0    <===== why is it not just just s0:c0?

# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar

# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

Now Login as the 'foo' Linux user and notice that it can run Foo.jar as expected

$ whoami
foo

$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh

$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Now login as the 'bar' Linux user and notice that it can also run Foo.jar which is NOT expected

$ whoami
bar

$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh

$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?

Following is how to create the Foo.jar file:

$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}

$ cat manifest.txt
Main-Class:

$ javac Foo.java

$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)

Best Regards,

Bill

On 05/24/2017 04:39 PM, Philip Seeley wrote:

Hi Bill,

I think this was my mistake in transcribing. The user_u line after the "semanage user -m" command should be:

user_u          user       SystemLow  SystemLow-SystemHigh                      user_r

So the command should have been:

semanage user -m -r s0-s0:c0.c1023 user_u

Or even:

semanage user -m -r SystemLow-SystemHigh user_u

Appologies for that.

Phil

Bill D ---25/05/2017 02:28:19---Hello Phil, I have tried your suggestion of extending the user_u definition without

From: Bill D <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 25/05/2017 02:28
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

---

Hello Phil,

I have tried your suggestion of extending the user_u definition without success:

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# semanage user -m -r s0:c0.c1023 user_u

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemHigh                     user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# useradd kate

# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

I would greatly appreciate any other hints to make this work.

Regards,

Bill

On 5/23/2017 8:42 PM, Philip Seeley wrote:

Hi Bill,

This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r

You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:

# semanage user -m -r s0:c0.c1023 user_u

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0:c0.c1023                    user_r

Hope that helps.

Phil


Bill Durant ---24/05/2017 12:34:53---Hello Phil: Thank you for the suggestion. I have tried the steps from the URL that

From: Bill Durant <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

---




Hello Phil:

Thank you for the suggestion.  I have tried the steps from the URL that you provided without success.

I get an error when I try to assign Linux user mary to an SELinux login as follows:

# cat /etc/redhat-release
CentOS release 6.9 (Final)

;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf

# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

# service mcstrans start

# chcat -L
s0:c0                          NetworkAdministrator
s0:c1                          Operator
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh


# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# semanage login -a mary

# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

I would appreciate any hints on how to resolve that error.

Thanks!

Bill


On 05/23/2017 05:49 PM, Philip Seeley wrote:

Hi Bill,

Have you thought about using categories?

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html

Cheers

Phil

Bill D ---24/05/2017 09:52:00---Greetings: I have been trying to figure out how to control the execution of Java

From: Bill D <littus@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Cc: littus@xxxxxxxxxx
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC

---




Greetings:

I have been trying to figure out how to control the execution of Java
JAR files with SELinux RBAC.

I have two Linux users named joe and mary and two Java JAR files named
jack.jar and mary.jar.

Here is how jack executes jack.jar: java -jar jack.jar

Here is how mary executes mary.jar: java -jar mary.jar

I would like SELinux RBAC to prevent jack from executing mary.jar and
prevent mary from executing jack.jar.

How to configure SELinux RBAC to make that happen?

I have tried various approaches without success.  I have also tried the
steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html 
without success.

I would greatly appreciate any hints.

Regards,

Bill


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx





_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx