Hi Bill,

Hello Phil:

Thank you for the response. Your suggested fix resolved the error. However, I am unable to get the desired effect. I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories. I would appreciate any other hints to make this work.

Following are the details of what I did:

# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# cat setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

# service mcstrans restart
Stopping mcstransd:                                        [  OK  ]
Starting mcstransd:                                        [  OK  ]

# chcat -L
s0:c0                          NetworkAdministrator
s0:c1                          Operator
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh

# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- +NetworkAdministrator foo
# chcat -l -- +Operator bar
# chcat -L -l bar foo
bar: s0:c0.c1023,c1      <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0      <===== why is it not just s0:c0?
# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

Now log in as the 'foo' Linux user and notice that it can run Foo.jar as expected:

$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Now log in as the 'bar' Linux user and notice that it can also run Foo.jar, which is NOT expected:

$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?

Following is how to create the Foo.jar file:

$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}
$ cat manifest.txt
Main-Class:
$ javac Foo.java
$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)

Best Regards,
Bill

On 05/24/2017 04:39 PM, Philip Seeley wrote:
I think this was my mistake in transcribing. The user_u line after the "semanage user -m" command should be:

user_u          user       SystemLow  SystemLow-SystemHigh           user_r

Hello Phil,

I have tried your suggestion of extending the user_u definition without success:

# semanage user -l
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l
# useradd kate
# passwd kate
# semanage login -a kate

I would greatly appreciate any other hints to make this work.

Regards,
Bill

On 5/23/2017 8:42 PM, Philip Seeley wrote:
This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:

# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r

You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:

# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0:c0.c1023                    user_r

Hope that helps.

Phil


From: Bill Durant <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

Hello Phil:

Thank you for the suggestion. I have tried the steps from the URL that you provided without success. I get an error when I try to assign Linux user mary to an SELinux login as follows:

# cat /etc/redhat-release

I would appreciate any hints on how to resolve that error.

Thanks!
Bill
Have you thought about using categories?

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html

Cheers

Phil


From: Bill D <littus@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Cc: littus@xxxxxxxxxx
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC

Greetings:

I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC.

I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.

Here is how jack executes jack.jar:

java -jar jack.jar

Here is how mary executes mary.jar:

java -jar mary.jar

I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar. How to configure SELinux RBAC to make that happen?

I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success.

I would greatly appreciate any hints.

Regards,
Bill

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
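The behaviour Bill reports above (both foo and bar can run Foo.jar, and chcat -l reports s0:c0.c1023,c1 rather than s0:c1) follows from the MCS dominance rule: after user_u was widened to s0-s0:c0.c1023, every user_u login receives the full category clearance, and chcat -l only appends a category to that already-complete set. The following Python script is an added example, not code from the thread or from the SELinux project. It parses raw MCS levels and ranges exactly as chcat and id -Z print them and applies the classic MCS file constraint, which this example assumes to be "the subject's high (clearance) level must dominate the object's level" (h1 dom h2), to the labels from the thread. The restricted login range s0-s0:c1 for bar is a hypothetical value chosen to show what a per-user category set looks like when it is not already SystemLow-SystemHigh.

```python
"""Model of the SELinux MCS dominance check for the labels in this thread.

Added example, not from the mailing-list post. Levels look like
"s0", "s0:c1", "s0:c0.c1023" or "s0:c0.c1023,c1"; ranges look like
"low-high", e.g. "s0-s0:c0.c1023" (SystemLow-SystemHigh in setrans.conf).
"""
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.*))?$")


def parse_level(level):
    """Return (sensitivity, frozenset of category numbers) for one level.

    Categories may be listed singly ("c1"), as a range ("c0.c1023") or as a
    comma-separated mixture ("c0.c1023,c1"), the raw form chcat -L -l shows.
    """
    m = LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError("not an MCS level: %r" % level)
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:
                lo, hi = part.split(".")
                lo, hi = int(lo[1:]), int(hi[1:])
                if lo > hi:
                    raise ValueError("bad category range: %r" % part)
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part[1:]))
    return sens, frozenset(cats)


def parse_range(rng):
    """Return (low, high) for "low-high", or (level, level) for a bare level."""
    low, sep, high = rng.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if sep else low_lvl
    return low_lvl, high_lvl


def dominates(a, b):
    """a dominates b when a's sensitivity is >= b's and a's categories are a
    superset of b's. This is the MCS 'dom' operator."""
    return a[0] >= b[0] and a[1] >= b[1]


def can_read(subject_range, object_level):
    """Assumed MCS file constraint for read/getattr/execute: the subject's
    high (clearance) level must dominate the object's level (h1 dom h2)."""
    _low, high = parse_range(subject_range)
    return dominates(high, parse_level(object_level))


def thread_example():
    """Replay the thread's labels. Foo.jar carries NetworkAdministrator (s0:c0).
    Both foo and bar log in at SystemLow-SystemHigh (s0-s0:c0.c1023), and the
    chcat -l result for bar was s0:c0.c1023,c1. The range s0-s0:c1 for bar is
    a hypothetical value showing a login that holds only the Operator category.
    """
    jar = "s0:c0"  # NetworkAdministrator per the thread's setrans.conf
    return {
        "foo_as_logged_in": can_read("s0-s0:c0.c1023", jar),    # True
        "bar_as_logged_in": can_read("s0-s0:c0.c1023", jar),    # True: full clearance
        "bar_chcat_result": can_read("s0-s0:c0.c1023,c1", jar), # True: c1 added to all
        "bar_operator_only": can_read("s0-s0:c1", jar),         # False: c0 missing
        "foo_netadmin_only": can_read("s0-s0:c0", jar),         # True
        "bar_category_count": len(parse_level("s0:c0.c1023,c1")[1]),  # 1024
    }


if __name__ == "__main__":
    for name, value in thread_example().items():
        print("%-20s %s" % (name, value))
```

Reading the output against the thread: bar's clearance s0:c0.c1023,c1 still contains all 1024 categories, so it dominates s0:c0 and the constraint permits the read; only a login whose high level lacks c0 (the hypothetical s0-s0:c1) is refused. Note that this script models only the category constraint; the type-enforcement rules for user_t and bin_t are evaluated separately by the kernel and are not represented here.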