Re: Controlling execution of Java JAR files with SELinux RBAC

Hi Bill,

My understanding was that the "user" range was the possible range and the "login" range was what was allowed for a user.

I think this is actually wrong, as in CentOS6/RHEL6 you seem to be restricted to the context you log in with and get a "process.transition" denial if a user_t tries to change their context, e.g. with runcon:

[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: bash: Permission denied

This doesn't seem to be the case for later versions, specifically Fedora 25 that I've tried with. In this case you seem to need different SELinux users:

[root@laptop ~]# semanage user -a -R user_r -r s0:c0 jack_u
[root@laptop ~]# semanage user -a -R user_r -r s0:c1 mary_u

[root@laptop ~]# semanage login -a -s jack_u -r s0:c0 jack
[root@laptop ~]# semanage login -a -s mary_u -r s0:c1 mary

Then you can't change the context due to it being invalid:

[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack) context=jack_u:user_r:user_t:s0:c0
[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: invalid context: jack_u:user_r:user_t:s0:c1: Invalid argument

This latter approach worked for me on all versions of the OS and I would say is the more correct approach.

Hope that helps.

Phil



From: Bill D <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 31/05/2017 09:50
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC





Hello Phil:

Thank you for the information and the explanation of the "+" option--it makes sense.

I have one concern... Notice that initially user_u's MCS setting is s0, which I believe is the lowest category.

But in order to set up new categories for constraining access to JAR files, we must change user_u's MCS settings to s0-s0:c0.c1023 with the following command:

# semanage user -m -r s0-s0:c0.c1023 user_u

Doesn't it mean that we are elevating user_u's category privileges? 

Is it possible to attain the desired effect without having to elevate user_u's category privileges?

Thank you & Best Regards,

Bill

On 05/29/2017 08:27 PM, Philip Seeley wrote:

      Hi Bill,

      Good news.


      The "+" will add to any existing categories already given to the login, which in your initial case was SystemLow-SystemHigh, so had no effect. If it was initially SystemLow then it would have done the desired thing.


      For platforms newer than CentOS6/RHEL6 you can make the user_t domain MCS constrained with:


      [root@laptop ~]# cat mcsconstrainedusers.te
      policy_module(mcsconstrainedusers, 1.0.0)


      gen_require(`
        type user_t;
      ')


      mcs_constrained(user_t);


      Compiling this under Fedora 25 gave a bunch of warnings, but the module installed OK and gave the desired effect. I've not had time to look into the warnings, sorry.


      [root@laptop ~]# make -f /usr/share/selinux/devel/Makefile
      /usr/share/selinux/devel/include/contrib/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
      /usr/share/selinux/devel/include/contrib/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
      <snip>...
      /usr/share/selinux/devel/include/contrib/container.if:589: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 589.
      /usr/share/selinux/devel/include/contrib/container.if:603: Error: duplicate definition of container_spc_read_state(). Original definition on 603.
      Compiling targeted mcsconstrainedusers module
      /usr/bin/checkmodule:  loading policy configuration from tmp/mcsconstrainedusers.tmp
      /usr/bin/checkmodule:  policy configuration loaded
      /usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mcsconstrainedusers.mod
      Creating targeted mcsconstrainedusers.pp policy package
      rm tmp/mcsconstrainedusers.mod tmp/mcsconstrainedusers.mod.fc


      [root@laptop ~]# semodule -i mcsconstrainedusers.pp
      [root@laptop ~]#


      Cheers


      Phil





      From: Bill Durant <littus@xxxxxxxxxx>
      To: Philip Seeley <pseeley@xxxxxxxxxxx>
      Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
      Date: 30/05/2017 07:01
      Subject: Re: Controlling execution of Java JAR files with SELinux RBAC





      Hello Phil:

      Setting the categories instead of adding them with the "+" worked!

      So it sounds like the chcat "+" option is not working as expected on CentOS 6.9.  Do you concur?

      Thank you for your help Phil.

      The following series of steps show that it now works as expected:

      # uname -a

      Linux es300h 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

      # cat /etc/redhat-release
      CentOS release 6.9 (Final)

      # semanage user -l

                      Labeling   MLS/       MLS/                         
      SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

      git_shell_u     user       s0         s0                             git_shell_r
      green_u         user       s0         s0                             green_r
      guest_u         user       s0         s0                             guest_r
      red_u           user       s0         s0                             red_r
      root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
      staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
      sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
      system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
      unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
      user_u          user       s0         s0                             user_r
      xguest_u        user       s0         s0                             xguest_r

      # semanage user -m -r s0-s0:c0.c1023 user_u

      # semanage user -l

                      Labeling   MLS/       MLS/                         
      SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

      git_shell_u     user       s0         s0                             git_shell_r
      green_u         user       s0         s0                             green_r
      guest_u         user       s0         s0                             guest_r
      red_u           user       s0         s0                             red_r
      root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
      staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
      sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
      system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
      unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
      user_u          user       s0         s0-s0:c0.c1023                 user_r
      xguest_u        user       s0         s0                             xguest_r

      # cat /etc/selinux/targeted/setrans.conf
      #
      # Multi-Category Security translation table for SELinux
      #
      # Uncomment the following to disable translation libary
      # disable=1
      #
      # Objects can be categorized with 0-1023 categories defined by the admin.
      # Objects can be in more than one category at a time.
      # Categories are stored in the system as c0-c1023.  Users can use this
      # table to translate the categories into a more meaningful output.
      # Examples:
      # s0:c0=CompanyConfidential
      # s0:c1=PatientRecord
      # s0:c2=Unclassified
      # s0:c3=TopSecret
      # s0:c1,c3=CompanyConfidentialRedHat
      s0:c0=NetworkAdministrator
      s0:c1=Operator
      s0=SystemLow
      s0-s0:c0.c1023=SystemLow-SystemHigh
      s0:c0.c1023=SystemHigh

      # service mcstrans restart
      Stopping mcstransd:                                        [  OK  ]
      Starting mcstransd:                                        [  OK  ]

      # chcat -L
      s0:c0                          NetworkAdministrator
      s0:c1                          Operator
      s0                             SystemLow
      s0-s0:c0.c1023                 SystemLow-SystemHigh
      s0:c0.c1023                    SystemHigh

      # useradd foo

      # useradd bar

      # passwd foo
      Changing password for user foo.
      New password:
      Retype new password:
      passwd: all authentication tokens updated successfully.

      # passwd bar
      Changing password for user bar.
      New password:
      Retype new password:
      passwd: all authentication tokens updated successfully.

      # semanage login -a foo

      # semanage login -a bar

      # chcat -l -- c0 foo

      # chcat -l -- c1 bar

      # semanage login -l

      Login Name                SELinux User              MLS/MCS Range           

      __default__               unconfined_u              SystemLow-SystemHigh    
      bar                       user_u                    SystemLow-Operator      
      foo                       user_u                    SystemLow-NetworkAdministrator
      root                      unconfined_u              SystemLow-SystemHigh    
      system_u                  system_u                  SystemLow-SystemHigh    

      # chcat -L -l foo bar
      foo: NetworkAdministrator
      bar: Operator

      # chcat -- +NetworkAdministrator /usr/local/soup/bin/foo.jar

      # ls -Z /usr/local/soup/bin/foo.jar
      -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/foo.jar

      Now as the Linux user, foo, it works as expected:

      $ whoami
      foo

      $ id -Z
      user_u:user_r:user_t:SystemLow-NetworkAdministrator

      $ java -jar /usr/local/soup/bin/foo.jar

      Hello from the foo application

      Now as the Linux user, bar, it also works as expected:

      $ whoami
      bar

      $ id -Z
      user_u:user_r:user_t:SystemLow-Operator

      $ java -jar /usr/local/soup/bin/foo.jar
      Error: Unable to access jarfile /usr/local/soup/bin/foo.jar

      Regards,

      Bill

      On 05/28/2017 05:22 PM, Philip Seeley wrote:

              Hi Bill,

              I saw in a previous post that you were using CentOS 6.9 so this should work for you. It looks like the login configuration is not quite right as both users are showing SystemLow-SystemHigh when they logon.

              Check the login config shows they only have the categories they need, i.e. jack has c0 and mary has c1.

              If they're not correct try setting the categories rather than adding to them with a "+":

              [root@centos6 ~]# chcat -l -- c0 jack
              [root@centos6 ~]# chcat -l -- c1 mary

              [root@centos6 ~]# semanage login -l

              Login Name                SELinux User              MLS/MCS Range            

              __default__               unconfined_u              s0-s0:c0.c1023          
              jack                      user_u                    s0-s0:c0                
              mary                      user_u                    s0-s0:c1                
              root                      unconfined_u              s0-s0:c0.c1023          
              system_u                  system_u                  s0-s0:c0.c1023          

              Then with:

              # ll -Z /usr/local/bin/
              -rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c0 jack
              -rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c1 mary
              [root@centos6 ~]# cat /etc/system-release
              CentOS release 6.9 (Final)

              as jack:

              [jack@centos6 ~]$ id
              uid=500(jack) gid=500(jack) groups=500(jack) context=user_u:user_r:user_t:s0-s0:c0
              [jack@centos6 ~]$ cat /usr/local/bin/jack
              Hi
              [jack@centos6 ~]$ cat /usr/local/bin/mary
              cat: /usr/local/bin/mary: Permission denied

              and as mary:

              [mary@centos6 ~]$ id
              uid=501(mary) gid=501(mary) groups=501(mary) context=user_u:user_r:user_t:s0-s0:c1
              [mary@centos6 ~]$ cat /usr/local/bin/jack
              cat: /usr/local/bin/jack: Permission denied
              [mary@centos6 ~]$ cat /usr/local/bin/mary
              Hi


              Cheers

              Phil



              From: Bill D <littus@xxxxxxxxxx>
              To: Philip Seeley <pseeley@xxxxxxxxxxx>
              Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
              Date: 26/05/2017 05:19
              Subject: Re: Controlling execution of Java JAR files with SELinux RBAC



              Hello Phil:

              Thank you for the response.  Your suggested fix resolved the error.

              However, I am unable to get the desired effect.

              I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories.

              I would appreciate any other hints to make this work.

              Following are the details of what I did:

              # semanage user -l

                              Labeling   MLS/       MLS/                         
              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

              git_shell_u     user       SystemLow  SystemLow                      git_shell_r
              guest_u         user       SystemLow  SystemLow                      guest_r
              root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
              staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
              sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
              system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
              unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
              user_u          user       SystemLow  SystemLow                      user_r
              xguest_u        user       SystemLow  SystemLow                      xguest_r

              # semanage user -m -r s0-s0:c0.c1023 user_u

              # semanage user -l

                              Labeling   MLS/       MLS/                         
              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

              git_shell_u     user       SystemLow  SystemLow                      git_shell_r
              guest_u         user       SystemLow  SystemLow                      guest_r
              root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
              staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
              sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
              system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
              unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
              user_u          user       SystemLow  SystemLow-SystemHigh           user_r
              xguest_u        user       SystemLow  SystemLow                      xguest_r


              # cat setrans.conf

              #
              # Multi-Category Security translation table for SELinux
              #
              # Uncomment the following to disable translation libary
              # disable=1
              #
              # Objects can be categorized with 0-1023 categories defined by the admin.
              # Objects can be in more than one category at a time.
              # Categories are stored in the system as c0-c1023.  Users can use this
              # table to translate the categories into a more meaningful output.
              # Examples:
              # s0:c0=CompanyConfidential
              # s0:c1=PatientRecord
              # s0:c2=Unclassified
              # s0:c3=TopSecret
              # s0:c1,c3=CompanyConfidentialRedHat
              s0:c0=NetworkAdministrator
              s0:c1=Operator
              s0=SystemLow
              s0-s0:c0.c1023=SystemLow-SystemHigh
              s0:c0.c1023=SystemHigh

              # service mcstrans restart
              Stopping mcstransd:                                        [  OK  ]
              Starting mcstransd:                                        [  OK  ]

              # chcat -L
              s0:c0                          NetworkAdministrator
              s0:c1                          Operator
              s0                             SystemLow
              s0-s0:c0.c1023                 SystemLow-SystemHigh
              s0:c0.c1023                    SystemHigh

              # useradd foo

              # useradd bar

              # passwd foo
              Changing password for user foo.
              New password:
              Retype new password:
              passwd: all authentication tokens updated successfully.

              # passwd bar
              Changing password for user bar.
              New password:
              Retype new password:
              passwd: all authentication tokens updated successfully.

              # semanage login -a foo

              # semanage login -a bar

              # chcat -l -- +NetworkAdministrator foo

              # chcat -l -- +Operator bar

              # chcat -L -l bar foo
              bar: s0:c0.c1023,c1    <===== why is it not just s0:c1?
              foo: s0:c0.c1023,c0    <===== why is it not just s0:c0?

              # chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar

              # ls -Z /usr/local/soup/bin/Foo.jar
              -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

              Now log in as the 'foo' Linux user and notice that it can run Foo.jar as expected

              $ whoami
              foo

              $ id -Z
              user_u:user_r:user_t:SystemLow-SystemHigh

              $ ls -Z /usr/local/soup/bin/Foo.jar
              -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

              $ java -jar /usr/local/soup/bin/Foo.jar
              Hello Foo

              Now log in as the 'bar' Linux user and notice that it can also run Foo.jar which is NOT expected

              $ whoami
              bar

              $ id -Z
              user_u:user_r:user_t:SystemLow-SystemHigh

              $ ls -Z /usr/local/soup/bin/Foo.jar
              -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

              $ java -jar /usr/local/soup/bin/Foo.jar
              Hello Foo

              Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?

              Following is how to create the Foo.jar file:

              $ cat Foo.java
              public class Foo {
                  public static void main(String[] args) {
                      System.out.println("Hello Foo");
                  }
              }

              $ cat manifest.txt
              Main-Class:

              $ javac Foo.java

              $ jar cvfe Foo.jar Foo Foo.class
              added manifest
              adding: Foo.class(in = 409) (out= 282)(deflated 31%)

              Best Regards,

              Bill

              On 05/24/2017 04:39 PM, Philip Seeley wrote:
                              Hi Bill,

                              I think this was my mistake in transcribing. The user_u line after the "semanage user -m" command should be:

                              user_u          user       SystemLow  SystemLow-SystemHigh                      user_r

                              So the command should have been:

                              semanage user -m -r s0-s0:c0.c1023 user_u

                              Or even:

                              semanage user -m -r SystemLow-SystemHigh user_u

                              Apologies for that.

                              Phil



                              From: Bill D <littus@xxxxxxxxxx>
                              To: Philip Seeley <pseeley@xxxxxxxxxxx>
                              Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
                              Date: 25/05/2017 02:28
                              Subject: Re: Controlling execution of Java JAR files with SELinux RBAC





                              Hello Phil,

                              I have tried your suggestion of extending the user_u definition without success:

                              # semanage user -l

                                              Labeling   MLS/       MLS/                         
                              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

                              git_shell_u     user       SystemLow  SystemLow                      git_shell_r
                              guest_u         user       SystemLow  SystemLow                      guest_r
                              root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
                              staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
                              sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
                              system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
                              unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
                              user_u          user       SystemLow  SystemLow                      user_r
                              xguest_u        user       SystemLow  SystemLow                      xguest_r

                              # semanage user -m -r s0:c0.c1023 user_u

                              # semanage user -l

                                              Labeling   MLS/       MLS/                         
                              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

                              git_shell_u     user       SystemLow  SystemLow                      git_shell_r
                              guest_u         user       SystemLow  SystemLow                      guest_r
                              root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
                              staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
                              sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
                              system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
                              unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
                              user_u          user       SystemLow  SystemHigh                     user_r
                              xguest_u        user       SystemLow  SystemLow                      xguest_r

                              # useradd kate

                              # passwd kate
                              Changing password for user kate.
                              New password:
                              Retype new password:
                              passwd: all authentication tokens updated successfully.

                              # semanage login -a kate
                              libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
                              libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
                              libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
                              /usr/sbin/semanage: Could not commit semanage transaction

                              I would greatly appreciate any other hints to make this work.

                              Regards,

                              Bill
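The category arithmetic behind what this message and the ones above it ran into (the libsemanage error when user_u's range was set to s0:c0.c1023, chcat's "+" leaving foo and bar with every category, the check that let bar read Foo.jar and later denied it, and runcon's "invalid context" for jack_u), as an added example that is not code from the thread or from any SELinux tool. It works on raw s0:cN notation rather than mcstrans names, and the function names are its own; the dominance rules it models are the ones the targeted policy and libsemanage apply, but nothing here calls into SELinux.

```python
"""MCS category arithmetic behind chcat, semanage login and the MCS file checks.
Added example, not code from the thread or from any SELinux tool; function names
are the example's own and the sample contexts are the ones posted in the thread.
Raw contexts only: mcstrans names such as SystemLow-SystemHigh are not parsed."""
import re
from typing import FrozenSet, Tuple

Level = Tuple[int, FrozenSet[int]]   # (sensitivity, categories)
Range = Tuple[Level, Level]          # (low, high)
NUM_CATS = 1024                      # targeted policy defines c0..c1023

def mls_part(ctx: str) -> str:
    """Accept a bare level/range or a full user:role:type:level context."""
    return ctx.split(":", 3)[3] if ctx.count(":") >= 3 else ctx

def parse_level(text: str) -> Level:
    """'s0', 's0:c1', 's0:c0.c1023,c1' -> (sensitivity, set of category numbers)."""
    sens, _, cats = mls_part(text).strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {text!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        cm = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not cm:
            raise ValueError(f"bad category set in {text!r}")
        lo_n, hi_n = int(cm.group(1)), int(cm.group(2) or cm.group(1))
        if lo_n > hi_n or hi_n >= NUM_CATS:
            raise ValueError(f"bad category range in {text!r}")
        categories.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(categories)

def dominates(a: Level, b: Level) -> bool:
    """a dom b: sensitivity at least b's and categories a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text: str) -> Range:
    """'s0-s0:c0.c1023' -> (low, high); a bare level is a range with low == high."""
    low, _, high = mls_part(text).strip().partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high does not dominate low in {text!r}")
    return lo, hi

def format_level(level: Level) -> str:
    """Render a level, folding runs of categories into cN.cM (a compact form; the
    kernel's own rendering may differ in punctuation)."""
    sens, cats = level
    nums, runs, i = sorted(cats), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        runs.append(f"c{nums[i]}" if i == j else f"c{nums[i]}.c{nums[j]}")
        i = j + 1
    return f"s{sens}" + (":" + ",".join(runs) if runs else "")

def format_range(rng: Range) -> str:
    lo, hi = rng
    return format_level(lo) if lo == hi else f"{format_level(lo)}-{format_level(hi)}"

def chcat_add(current: str, *cats: str) -> str:
    """chcat -l -- +cN login: union cats into the HIGH level, low untouched.  From
    s0-s0:c0.c1023 this is a no-op (foo and bar kept every category); from s0
    it yields s0-s0:cN."""
    lo, hi = parse_range(current)
    return format_range((lo, (hi[0], hi[1] | parse_level("s0:" + ",".join(cats))[1])))

def chcat_set(current: str, *cats: str) -> str:
    """chcat -l -- cN login: replace the high level's categories outright."""
    lo, hi = parse_range(current)
    return format_range((lo, (hi[0], parse_level("s0:" + ",".join(cats))[1])))

def file_read_allowed(proc_ctx: str, file_ctx: str) -> bool:
    """MCS constraint on file read/getattr/execute for an MCS-constrained domain
    (user_t on RHEL6, or a type given mcs_constrained()): the subject's high level
    must dominate the file's level (h1 dom h2).  java -jar must read the JAR."""
    return dominates(parse_range(proc_ctx)[1], parse_range(file_ctx)[1])

def range_contains(outer: str, inner: str) -> bool:
    """libsemanage's check when a login is mapped, and the kernel's validity test
    for a context: inner.low dom outer.low and outer.high dom inner.high.  user_u
    at s0:c0.c1023 (low == high) rejects a login at s0, which is kate's error;
    s0-s0:c0.c1023 accepts it.  runcon -l s0:c1 fails the same way for jack_u."""
    o_lo, o_hi = parse_range(outer)
    i_lo, i_hi = parse_range(inner)
    return dominates(i_lo, o_lo) and dominates(o_hi, i_hi)

if __name__ == "__main__":
    print("+c1 on s0-s0:c0.c1023 ->", chcat_add("s0-s0:c0.c1023", "c1"))
    print(" c1 on s0-s0:c0.c1023 ->", chcat_set("s0-s0:c0.c1023", "c1"))
    for who, rng in (("jack", "s0-s0:c0"), ("mary", "s0-s0:c1"), ("bar", "s0-s0:c0.c1023")):
        print(f"{who} at {rng} may read bin_t:s0:c0:", file_read_allowed(rng, "s0:c0"))
    print("login s0 within user_u s0:c0.c1023:   ", range_contains("s0:c0.c1023", "s0"))
    print("login s0 within user_u s0-s0:c0.c1023:", range_contains("s0-s0:c0.c1023", "s0"))
    print("runcon s0:c1 within jack_u s0:c0:     ", range_contains("s0:c0", "s0:c1"))
```

Run as a script it prints the thread's cases: chcat_add on s0-s0:c0.c1023 hands back the same range, which is why "+" appeared to do nothing, file_read_allowed is true for bar only while bar still carries every category, and range_contains("s0:c0.c1023", "s0") is false, which is the rejection libsemanage printed for the kate mapping. The functions take either a bare range or a full context string, so output from id -Z or ls -Z can be pasted in directly as long as mcstrans is not translating it.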

                              On 5/23/2017 8:42 PM, Philip Seeley wrote:

                                                              Hi Bill,

                                                              This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:


                                                              # semanage user -l

                                                                              Labeling   MLS/       MLS/                          
                                                              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

                                                              guest_u         user       s0         s0                             guest_r
                                                              root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
                                                              staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
                                                              sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
                                                              system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
                                                              unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
                                                              user_u          user       s0         s0                             user_r


                                                              You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:


                                                              # semanage user -m -r s0:c0.c1023 user_u

                                                              # semanage user -l

                                                                              Labeling   MLS/       MLS/                          
                                                              SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

                                                              guest_u         user       s0         s0                             guest_r
                                                              root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
                                                              staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
                                                              sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
                                                              system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
                                                              unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
                                                              user_u          user       s0         s0:c0.c1023                    user_r


                                                              Hope that helps.

                                                              Phil




                                                              From: Bill Durant <littus@xxxxxxxxxx>
                                                              To: Philip Seeley <pseeley@xxxxxxxxxxx>
                                                              Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
                                                              Date: 24/05/2017 12:34
                                                              Subject: Re: Controlling execution of Java JAR files with SELinux RBAC



                                                              Hello Phil:

                                                              Thank you for the suggestion.  I have tried the steps from the URL that you provided without success.

                                                              I get an error when I try to assign Linux user mary to an SELinux login as follows:

                                                              # cat /etc/redhat-release
                                                              CentOS release 6.9 (Final)

                                                              ;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf

                                                              # cat /etc/selinux/targeted/setrans.conf
                                                              #
                                                              # Multi-Category Security translation table for SELinux
                                                              #
                                                              # Uncomment the following to disable translation libary
                                                              # disable=1
                                                              #
                                                              # Objects can be categorized with 0-1023 categories defined by the admin.
                                                              # Objects can be in more than one category at a time.
                                                              # Categories are stored in the system as c0-c1023.  Users can use this
                                                              # table to translate the categories into a more meaningful output.
                                                              # Examples:
                                                              # s0:c0=CompanyConfidential
                                                              # s0:c1=PatientRecord
                                                              # s0:c2=Unclassified
                                                              # s0:c3=TopSecret
                                                              # s0:c1,c3=CompanyConfidentialRedHat
                                                              s0:c0=NetworkAdministrator
                                                              s0:c1=Operator
                                                              s0=SystemLow
                                                              s0-s0:c0.c1023=SystemLow-SystemHigh
                                                              s0:c0.c1023=SystemHigh

                                                              # service mcstrans start

                                                              # chcat -L
                                                              s0:c0                          NetworkAdministrator
                                                              s0:c1                          Operator
                                                              s0                             SystemLow
                                                              s0-s0:c0.c1023                 SystemLow-SystemHigh
                                                              s0:c0.c1023                    SystemHigh


                                                              # useradd mary
                                                              # passwd mary
                                                              Changing password for user mary.
                                                              New password:
                                                              Retype new password:
                                                              passwd: all authentication tokens updated successfully.

                                                              # semanage login -a mary

                                                              # chcat -l -- +NetworkAdministrator mary
                                                              libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
                                                              libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
                                                              libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
                                                              /usr/sbin/semanage: Could not commit semanage transaction

                                                              I would appreciate any hints on how to resolve that error.

                                                              Thanks!

                                                              Bill


On 05/23/2017 05:49 PM, Philip Seeley wrote:

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
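The libsemanage error quoted in the message above ("MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u") comes from a range-containment check: a login mapping commits only if its MCS/MLS range lies inside the range of the SELinux user it maps to, and user_u on a stock targeted policy is confined to s0. The following is an added example, not code from the thread or from the SELinux project: a small Python model of that check, using the s<N>[:c<N>[.c<M>][,...]] level syntax shown in setrans.conf above. It reproduces the failure for mary -> user_u and shows that the same request passes once the login is mapped to a SELinux user whose range includes c0. The SELinux user name netadmin_u and its range s0-s0:c0 are assumptions chosen for illustration; the semanage commands in the comments are the ones that would create such a user and mapping.

```python
"""Model of the libsemanage seuser range check (added example, not from the thread)."""
import re

_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def dominates(a, b):
    """Level a dominates level b when its sensitivity is >= b's and its
    category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); a bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in level {level!r}")
    catset = set()
    for part in filter(None, cats.split(",")):
        m = _CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category {part!r} in level {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo or hi > 1023:  # categories are c0-c1023, as setrans.conf notes
            raise ValueError(f"bad category span {part!r} in level {level!r}")
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(catset)


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level such as 's0:c0' is
    both its own low and its own high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high level does not dominate low level in {rng!r}")
    return lo, hi


def range_within(requested, allowed):
    """True when `requested` lies inside `allowed`: the allowed low level is
    dominated by the requested low, and the requested high is dominated by
    the allowed high."""
    req_lo, req_hi = parse_range(requested)
    all_lo, all_hi = parse_range(allowed)
    return dominates(req_lo, all_lo) and dominates(all_hi, req_hi)


def validate_seuser_mapping(linux_user, selinux_user, selinux_user_range, login_range):
    """Return None if the login mapping would commit, otherwise a message in
    the wording libsemanage prints for this failure."""
    if range_within(login_range, selinux_user_range):
        return None
    return (f"MLS range {login_range} for Unix user {linux_user} exceeds allowed "
            f"range {selinux_user_range} for SELinux user {selinux_user}")


if __name__ == "__main__":
    # The failing case from the post: mary is mapped to user_u (range s0) and
    # `chcat -l -- +NetworkAdministrator mary` asks for s0-s0:c0.
    print(validate_seuser_mapping("mary", "user_u", "s0", "s0-s0:c0"))
    # Assumed fix for illustration: a dedicated SELinux user whose range
    # covers c0, created and mapped with
    #   semanage user -a -R user_r -r s0-s0:c0 netadmin_u
    #   semanage login -a -s netadmin_u -r s0-s0:c0 mary
    print(validate_seuser_mapping("mary", "netadmin_u", "s0-s0:c0", "s0-s0:c0"))
```

The check is deliberately symmetric with how the error reads: widening the login's range never helps while the SELinux user it maps to stays at s0; the SELinux user's range has to be widened first, or a separate SELinux user with the required categories has to be created.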


