On Thu, 2017-05-25 at 12:19 -0700, Bill D wrote:
> Hello Phil:
>
> Thank you for the response. Your suggested fix resolved the error.
>
> However, I am unable to get the desired effect.
>
> I am not able to prevent a Linux user from running/accessing a Java
> JAR file using SELinux categories.
>
> I would appreciate any other hints to make this work.
>
> Following are the details of what I did:
>
> # semanage user -l
>
>                 Labeling   MLS/         MLS/
> SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
>
> git_shell_u     user       SystemLow    SystemLow                 git_shell_r
> guest_u         user       SystemLow    SystemLow                 guest_r
> root            user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow    SystemLow-SystemHigh      sysadm_r
> system_u        user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> unconfined_u    user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> user_u          user       SystemLow    SystemLow                 user_r
> xguest_u        user       SystemLow    SystemLow                 xguest_r
>
> # semanage user -m -r s0-s0:c0.c1023 user_u
>
> # semanage user -l
>
>                 Labeling   MLS/         MLS/
> SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
>
> git_shell_u     user       SystemLow    SystemLow                 git_shell_r
> guest_u         user       SystemLow    SystemLow                 guest_r
> root            user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow    SystemLow-SystemHigh      sysadm_r
> system_u        user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> unconfined_u    user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> user_u          user       SystemLow    SystemLow-SystemHigh      user_r
> xguest_u        user       SystemLow    SystemLow                 xguest_r
>
>
> # cat setrans.conf
>
> #
> # Multi-Category Security translation table for SELinux
> #
> # Uncomment the following to disable translation libary
> # disable=1
> #
> # Objects can be categorized with 0-1023 categories defined by the
> # admin.
> # Objects can be in more than one category at a time.
> # Categories are stored in the system as c0-c1023. Users can use this
> # table to translate the categories into a more meaningful output.
> # Examples:
> # s0:c0=CompanyConfidential
> # s0:c1=PatientRecord
> # s0:c2=Unclassified
> # s0:c3=TopSecret
> # s0:c1,c3=CompanyConfidentialRedHat
> s0:c0=NetworkAdministrator
> s0:c1=Operator
> s0=SystemLow
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
>
> # service mcstrans restart
> Stopping mcstransd:                                        [  OK  ]
> Starting mcstransd:                                        [  OK  ]
>
> # chcat -L
> s0:c0                          NetworkAdministrator
> s0:c1                          Operator
> s0                             SystemLow
> s0-s0:c0.c1023                 SystemLow-SystemHigh
> s0:c0.c1023                    SystemHigh
>
> # useradd foo
>
> # useradd bar
>
> # passwd foo
> Changing password for user foo.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # passwd bar
> Changing password for user bar.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # semanage login -a foo
>
> # semanage login -a bar
>
> # chcat -l -- +NetworkAdministrator foo
>
> # chcat -l -- +Operator bar
>
> # chcat -L -l bar foo
> bar: s0:c0.c1023,c1    <===== why is it not just s0:c1?
> foo: s0:c0.c1023,c0    <===== why is it not just s0:c0?
>
> # chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
>
> # ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
>
> Now login as the 'foo' Linux user and notice that it can run Foo.jar
> as expected
>
> $ whoami
> foo
>
> $ id -Z
> user_u:user_r:user_t:SystemLow-SystemHigh
>
> $ ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
>
> $ java -jar /usr/local/soup/bin/Foo.jar
> Hello Foo
>
> Now login as the 'bar' Linux user and notice that it can also run
> Foo.jar which is NOT expected
>
> $ whoami
> bar
>
> $ id -Z
> user_u:user_r:user_t:SystemLow-SystemHigh
>
> $ ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
>
> $ java -jar /usr/local/soup/bin/Foo.jar
> Hello Foo
>
> Why is Linux user 'bar' able to run/access Foo.jar when its category
> doesn't match Foo.jar's category?

Red Hat changed the way MCS works in modern versions of RHEL. It went from
being a user-centric model to being something they only use to separate
sandboxes, containers, VMs, openshift instances, etc. So a domain is only
restricted by MCS if it is specifically marked as being MCS constrained. MLS
on the other hand is still applied to all domains except those explicitly
exempted (trusted to cross levels).

>
> Following is how to create the Foo.jar file:
>
> $ cat Foo.java
> public class Foo {
>     public static void main(String[] args) {
>         System.out.println("Hello Foo");
>     }
> }
>
> $ cat manifest.txt
> Main-Class:
>
> $ javac Foo.java
>
> $ jar cvfe Foo.jar Foo Foo.class
> added manifest
> adding: Foo.class(in = 409) (out= 282)(deflated 31%)
>
> Best Regards,
>
> Bill
>
> On 05/24/2017 04:39 PM, Philip Seeley wrote:
> > Hi Bill,
> >
> > I think this was my mistake in transcribing. The user_u line after
> > the "semanage user -m" command should be:
> > user_u          user       SystemLow    SystemLow-SystemHigh      user_r
> >
> > So the command should have been:
> >
> > semanage user -m -r s0-s0:c0.c1023 user_u
> >
> > Or even:
> >
> > semanage user -m -r SystemLow-SystemHigh user_u
> >
> > Apologies for that.
> >
> > Phil
> >
> > Bill D ---25/05/2017 02:28:19---Hello Phil, I have tried your
> > suggestion of extending the user_u definition without
> >
> > From: Bill D <littus@xxxxxxxxxx>
> > To: Philip Seeley <pseeley@xxxxxxxxxxx>
> > Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > Date: 25/05/2017 02:28
> > Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
> >
> > Hello Phil,
> > I have tried your suggestion of extending the user_u definition
> > without success:
> > # semanage user -l
> >
> >                 Labeling   MLS/         MLS/
> > SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
> >
> > git_shell_u     user       SystemLow    SystemLow                 git_shell_r
> > guest_u         user       SystemLow    SystemLow                 guest_r
> > root            user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> > staff_u         user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       SystemLow    SystemLow-SystemHigh      sysadm_r
> > system_u        user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> > unconfined_u    user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> > user_u          user       SystemLow    SystemLow                 user_r
> > xguest_u        user       SystemLow    SystemLow                 xguest_r
> > # semanage user -m -r s0:c0.c1023 user_u
> > # semanage user -l
> >
> >                 Labeling   MLS/         MLS/
> > SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
> >
> > git_shell_u     user       SystemLow    SystemLow                 git_shell_r
> > guest_u         user       SystemLow    SystemLow                 guest_r
> > root            user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> > staff_u         user       SystemLow    SystemLow-SystemHigh      staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       SystemLow    SystemLow-SystemHigh      sysadm_r
> > system_u        user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> > unconfined_u    user       SystemLow    SystemLow-SystemHigh      system_r unconfined_r
> > user_u          user       SystemLow    SystemHigh                user_r
> > xguest_u        user       SystemLow    SystemLow                 xguest_r
> > # useradd kate
> > # passwd kate
> > Changing password for user kate.
> > New password:
> > Retype new password:
> > passwd: all authentication tokens updated successfully.
> > # semanage login -a kate
> > libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
> > libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
> > libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> > /usr/sbin/semanage: Could not commit semanage transaction
> > I would greatly appreciate any other hints to make this work.
> > Regards,
> > Bill
> > On 5/23/2017 8:42 PM, Philip Seeley wrote:
> > Hi Bill,
> >
> > This is probably because the default RHEL6 configuration does not
> > include any categories in the user_u SELinux user's range:
> >
> > # semanage user -l
> >
> >                 Labeling   MLS/         MLS/
> > SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
> >
> > guest_u         user       s0           s0                        guest_r
> > root            user       s0           s0-s0:c0.c1023            staff_r sysadm_r system_r unconfined_r
> > staff_u         user       s0           s0-s0:c0.c1023            staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       s0           s0-s0:c0.c1023            sysadm_r
> > system_u        user       s0           s0-s0:c0.c1023            system_r unconfined_r
> > unconfined_u    user       s0           s0-s0:c0.c1023            system_r unconfined_r
> > user_u          user       s0           s0                        user_r
> >
> > You probably have to extend the user definition to include the
> > categories you're using. As an example, this gives all categories:
> >
> > # semanage user -m -r s0:c0.c1023 user_u
> >
> > # semanage user -l
> >
> >                 Labeling   MLS/         MLS/
> > SELinux User    Prefix     MCS Level    MCS Range                 SELinux Roles
> >
> > guest_u         user       s0           s0                        guest_r
> > root            user       s0           s0-s0:c0.c1023            staff_r sysadm_r system_r unconfined_r
> > staff_u         user       s0           s0-s0:c0.c1023            staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       s0           s0-s0:c0.c1023            sysadm_r
> > system_u        user       s0           s0-s0:c0.c1023            system_r unconfined_r
> > unconfined_u    user       s0           s0-s0:c0.c1023            system_r unconfined_r
> > user_u          user       s0           s0:c0.c1023               user_r
> >
> > Hope that helps.
> >
> > Phil
> >
> >
> > Bill Durant ---24/05/2017 12:34:53---Hello Phil: Thank you for the
> > suggestion. I have tried the steps from the URL that
> >
> > From: Bill Durant <littus@xxxxxxxxxx>
> > To: Philip Seeley <pseeley@xxxxxxxxxxx>
> > Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > Date: 24/05/2017 12:34
> > Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
> >
> > Hello Phil:
> > Thank you for the suggestion. I have tried the steps from the URL
> > that you provided without success.
> > I get an error when I try to assign Linux user mary to an SELinux
> > login as follows:
> > # cat /etc/redhat-release
> > CentOS release 6.9 (Final)
> >
> > ;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to
> > /etc/selinux/targeted/setrans.conf
> >
> > # cat /etc/selinux/targeted/setrans.conf
> > #
> > # Multi-Category Security translation table for SELinux
> > #
> > # Uncomment the following to disable translation libary
> > # disable=1
> > #
> > # Objects can be categorized with 0-1023 categories defined by the
> > # admin.
> > # Objects can be in more than one category at a time.
> > # Categories are stored in the system as c0-c1023. Users can use this
> > # table to translate the categories into a more meaningful output.
> > # Examples:
> > # s0:c0=CompanyConfidential
> > # s0:c1=PatientRecord
> > # s0:c2=Unclassified
> > # s0:c3=TopSecret
> > # s0:c1,c3=CompanyConfidentialRedHat
> > s0:c0=NetworkAdministrator
> > s0:c1=Operator
> > s0=SystemLow
> > s0-s0:c0.c1023=SystemLow-SystemHigh
> > s0:c0.c1023=SystemHigh
> >
> > # service mcstrans start
> >
> > # chcat -L
> > s0:c0                          NetworkAdministrator
> > s0:c1                          Operator
> > s0                             SystemLow
> > s0-s0:c0.c1023                 SystemLow-SystemHigh
> > s0:c0.c1023                    SystemHigh
> >
> >
> > # useradd mary
> > # passwd mary
> > Changing password for user mary.
> > New password:
> > Retype new password:
> > passwd: all authentication tokens updated successfully.
> >
> > # semanage login -a mary
> >
> > # chcat -l -- +NetworkAdministrator mary
> > libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> > libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
> > libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> > /usr/sbin/semanage: Could not commit semanage transaction
> > I would appreciate any hints on how to resolve that error.
> > Thanks!
> > Bill
> >
> > On 05/23/2017 05:49 PM, Philip Seeley wrote:
> > Hi Bill,
> >
> > Have you thought about using categories?
> >
> > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> >
> > Cheers
> >
> > Phil
> >
> > Bill D ---24/05/2017 09:52:00---Greetings: I have been trying to
> > figure out how to control the execution of Java
> >
> > From: Bill D <littus@xxxxxxxxxx>
> > To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > Cc: littus@xxxxxxxxxx
> > Date: 24/05/2017 09:52
> > Subject: Controlling execution of Java JAR files with SELinux RBAC
> >
> > Greetings:
> >
> > I have been trying to figure out how to control the execution of Java
> > JAR files with SELinux RBAC.
> >
> > I have two Linux users named joe and mary and two Java JAR files named
> > jack.jar and mary.jar.
> >
> > Here is how jack executes jack.jar: java -jar jack.jar
> >
> > Here is how mary executes mary.jar: java -jar mary.jar
> >
> > I would like SELinux RBAC to prevent jack from executing mary.jar and
> > prevent mary from executing jack.jar.
> >
> > How to configure SELinux RBAC to make that happen?
> >
> > I have tried various approaches without success. I have also tried the
> > steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html
> > without success.
> >
> > I would greatly appreciate any hints.
> >
> > Regards,
> >
> > Bill
> >
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
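As an added illustration (not code from the thread or from any SELinux tool), the Python below implements the MCS dominance comparison that the Fedora/refpolicy file constraint applies as `h1 dom h2` when a domain is MCS-constrained, parsing both raw levels and the names translated through the setrans.conf shown above (the SETRANS table is constructed from that file). Run against the `id -Z` and `ls -Z` contexts from the thread it shows that bar's high level s0:c0.c1023 already covers Foo.jar's s0:c0, so even an MCS-constrained domain would not have separated foo from bar with those ranges; the constraint form is assumed, not taken from the thread.

```python
import re
from typing import Set, Tuple

# Constructed from the setrans.conf shown in the thread; mcstransd displays
# these names instead of the raw levels, so map them back before parsing.
SETRANS = {
    "NetworkAdministrator": "s0:c0",
    "Operator": "s0:c1",
    "SystemLow": "s0",
    "SystemHigh": "s0:c0.c1023",
}

def parse_level(level: str) -> Tuple[int, Set[int]]:
    """Parse 's0', 's0:c0' or 's0:c0.c1023,c1' (raw or translated) into
    (sensitivity, category set). 'cA.cB' is an inclusive run of categories."""
    level = SETRANS.get(level, level)
    m = re.fullmatch(r"s(\d+)(?::(.+))?", level)
    if not m:
        raise ValueError(f"bad MCS level: {level!r}")
    cats: Set[int] = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        run = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not run:
            raise ValueError(f"bad category spec: {part!r}")
        lo, hi = int(run.group(1)), int(run.group(2) or run.group(1))
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats

def parse_range(mls: str) -> Tuple[Tuple[int, Set[int]], Tuple[int, Set[int]]]:
    """Split 'low-high' (or a single level) into parsed (low, high) levels."""
    low, sep, high = mls.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if sep else lo)

def dominates(a: Tuple[int, Set[int]], b: Tuple[int, Set[int]]) -> bool:
    """a dom b: sensitivity of a >= that of b and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_allows(subject_ctx: str, object_ctx: str) -> bool:
    """MCS file constraint as in Fedora/refpolicy (h1 dom h2): the subject's
    high level must dominate the object's high level. This only applies when
    the domain is MCS-constrained; per the thread, user_t on modern RHEL is not."""
    subj_high = parse_range(subject_ctx.split(":", 3)[3])[1]
    obj_high = parse_range(object_ctx.split(":", 3)[3])[1]
    return dominates(subj_high, obj_high)

if __name__ == "__main__":  # contexts copied from the thread's id -Z / ls -Z
    print(mcs_allows("user_u:user_r:user_t:SystemLow-SystemHigh",
                     "system_u:object_r:bin_t:NetworkAdministrator"))
```

Giving bar a single-category range such as s0:c1 (second assertion below) is what would make the category check fail against a c0-labelled file.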