Hi Bill,

Hello Phil:

Thank you for the information and the explanation of the "+" option--it makes sense. I have one concern... Notice that initially user_u's MCS setting is s0, which I believe is the lowest category. But in order to set up new categories for constraining access to JAR files, we must change user_u's MCS setting to s0-s0:c0.c1023 with the following command:

    # semanage user -m -r s0-s0:c0.c1023 user_u

Doesn't it mean that we are elevating user_u's category privileges?
Good news. The "+" will add to any existing categories already given to the login, which in your initial case was SystemLow-SystemHigh, so had no effect. If it was initially SystemLow then it would have done the desired thing.

For platforms newer than CentOS6/RHEL6, you can make the user_t domain MCS constrained with:

    [root@laptop ~]# cat mcsconstrainedusers.te
    policy_module(mcsconstrainedusers, 1.0.0)

    gen_require(`
        type user_t;
    ')

    mcs_constrained(user_t);

Compiling this under Fedora 25 gave a bunch of warnings, but the module installed OK and gave the desired effect. I've not had time to look into the warnings, sorry.

    [root@laptop ~]# make -f /usr/share/selinux/devel/Makefile
    /usr/share/selinux/devel/include/contrib/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
    /usr/share/selinux/devel/include/contrib/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
    <snip>...
    /usr/share/selinux/devel/include/contrib/container.if:589: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 589.
    /usr/share/selinux/devel/include/contrib/container.if:603: Error: duplicate definition of container_spc_read_state(). Original definition on 603.
    Compiling targeted mcsconstrainedusers module
    /usr/bin/checkmodule: loading policy configuration from tmp/mcsconstrainedusers.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 17) to tmp/mcsconstrainedusers.mod
    Creating targeted mcsconstrainedusers.pp policy package
    rm tmp/mcsconstrainedusers.mod tmp/mcsconstrainedusers.mod.fc
    [root@laptop ~]# semodule -i mcsconstrainedusers.pp
    [root@laptop ~]#

Cheers
Phil

Bill Durant ---30/05/2017 07:01:42---Hello Phil: Setting the categories instead of adding them with the "+" worked!
From: Bill Durant <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 30/05/2017 07:01
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

Hello Phil:

Setting the categories instead of adding them with the "+" worked! So it sounds like the chcat "+" option is not working as expected on CentOS 6.9. Do you concur? Thank you for your help Phil.

The following series of steps shows that it now works as expected:

    # uname -a
    Linux es300h 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    # cat /etc/redhat-release
    # semanage user -l

Bill

On 05/28/2017 05:22 PM, Philip Seeley wrote:
I saw in a previous post that you were using CentOS 6.9 so this should work for you.

It looks like the login configuration is not quite right as both users are showing SystemLow-SystemHigh when they log on. Check the login config shows they only have the categories they need, i.e. jack has c0 and mary has c1. If they're not correct try setting the categories rather than adding to them with a "+":

    [root@centos6 ~]# chcat -l -- c0 jack
    [root@centos6 ~]# chcat -l -- c1 mary
    [root@centos6 ~]# semanage login -l

    Login Name                SELinux User              MLS/MCS Range

    __default__               unconfined_u              s0-s0:c0.c1023
    jack                      user_u                    s0-s0:c0
    mary                      user_u                    s0-s0:c1
    root                      unconfined_u              s0-s0:c0.c1023
    system_u                  system_u                  s0-s0:c0.c1023

Then with:

    # ll -Z /usr/local/bin/
    -rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c0 jack
    -rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c1 mary
    [root@centos6 ~]# cat /etc/system-release
    CentOS release 6.9 (Final)

as jack:

    [jack@centos6 ~]$ id
    uid=500(jack) gid=500(jack) groups=500(jack) context=user_u:user_r:user_t:s0-s0:c0
    [jack@centos6 ~]$ cat /usr/local/bin/jack
    Hi
    [jack@centos6 ~]$ cat /usr/local/bin/mary
    cat: /usr/local/bin/mary: Permission denied

and as mary:

    [mary@centos6 ~]$ id
    uid=501(mary) gid=501(mary) groups=501(mary) context=user_u:user_r:user_t:s0-s0:c1
    [mary@centos6 ~]$ cat /usr/local/bin/jack
    cat: /usr/local/bin/jack: Permission denied
    [mary@centos6 ~]$ cat /usr/local/bin/mary
    Hi

Cheers
Phil

Bill D ---26/05/2017 05:19:44---Hello Phil: Thank you for the response. Your suggested fix resolved the error.

From: Bill D <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 26/05/2017 05:19
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

Hello Phil:

Thank you for the response. Your suggested fix resolved the error. However, I am unable to get the desired effect. I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories.
I would appreciate any other hints to make this work. Following are the details of what I did:

    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

    git_shell_u     user       SystemLow  SystemLow              git_shell_r
    guest_u         user       SystemLow  SystemLow              guest_r
    root            user       SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
    staff_u         user       SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
    sysadm_u        user       SystemLow  SystemLow-SystemHigh   sysadm_r
    system_u        user       SystemLow  SystemLow-SystemHigh   system_r unconfined_r
    unconfined_u    user       SystemLow  SystemLow-SystemHigh   system_r unconfined_r
    user_u          user       SystemLow  SystemLow              user_r
    xguest_u        user       SystemLow  SystemLow              xguest_r

    # semanage user -m -r s0-s0:c0.c1023 user_u
    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

    git_shell_u     user       SystemLow  SystemLow              git_shell_r
    guest_u         user       SystemLow  SystemLow              guest_r
    root            user       SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
    staff_u         user       SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
    sysadm_u        user       SystemLow  SystemLow-SystemHigh   sysadm_r
    system_u        user       SystemLow  SystemLow-SystemHigh   system_r unconfined_r
    unconfined_u    user       SystemLow  SystemLow-SystemHigh   system_r unconfined_r
    user_u          user       SystemLow  SystemLow-SystemHigh   user_r
    xguest_u        user       SystemLow  SystemLow              xguest_r

    # cat setrans.conf
    #
    # Multi-Category Security translation table for SELinux
    #
    # Uncomment the following to disable translation libary
    # disable=1
    #
    # Objects can be categorized with 0-1023 categories defined by the admin.
    # Objects can be in more than one category at a time.
    # Categories are stored in the system as c0-c1023. Users can use this
    # table to translate the categories into a more meaningful output.
    # Examples:
    # s0:c0=CompanyConfidential
    # s0:c1=PatientRecord
    # s0:c2=Unclassified
    # s0:c3=TopSecret
    # s0:c1,c3=CompanyConfidentialRedHat
    s0:c0=NetworkAdministrator
    s0:c1=Operator
    s0=SystemLow
    s0-s0:c0.c1023=SystemLow-SystemHigh
    s0:c0.c1023=SystemHigh

    # service mcstrans restart
    Stopping mcstransd:                                        [  OK  ]
    Starting mcstransd:                                        [  OK  ]

    # chcat -L
    s0:c0                          NetworkAdministrator
    s0:c1                          Operator
    s0                             SystemLow
    s0-s0:c0.c1023                 SystemLow-SystemHigh
    s0:c0.c1023                    SystemHigh

    # useradd foo
    # useradd bar
    # passwd foo
    Changing password for user foo.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    # passwd bar
    Changing password for user bar.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.

    # semanage login -a foo
    # semanage login -a bar
    # chcat -l -- +NetworkAdministrator foo
    # chcat -l -- +Operator bar
    # chcat -L -l bar foo
    bar: s0:c0.c1023,c1    <===== why is it not just s0:c1?
    foo: s0:c0.c1023,c0    <===== why is it not just s0:c0?

    # chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
    # ls -Z /usr/local/soup/bin/Foo.jar
    -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

Now login as the 'foo' Linux user and notice that it can run Foo.jar as expected:

    $ whoami
    foo
    $ id -Z
    user_u:user_r:user_t:SystemLow-SystemHigh
    $ ls -Z /usr/local/soup/bin/Foo.jar
    -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
    $ java -jar /usr/local/soup/bin/Foo.jar
    Hello Foo

Now login as the 'bar' Linux user and notice that it can also run Foo.jar, which is NOT expected:

    $ whoami
    bar
    $ id -Z
    user_u:user_r:user_t:SystemLow-SystemHigh
    $ ls -Z /usr/local/soup/bin/Foo.jar
    -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
    $ java -jar /usr/local/soup/bin/Foo.jar
    Hello Foo

Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?
Following is how to create the Foo.jar file:

    $ cat Foo.java
    public class Foo {
        public static void main(String[] args) {
            System.out.println("Hello Foo");
        }
    }
    $ cat manifest.txt
    Main-Class:
    $ javac Foo.java
    $ jar cvfe Foo.jar Foo Foo.class
    added manifest
    adding: Foo.class(in = 409) (out= 282)(deflated 31%)

Best Regards,
Bill

On 05/24/2017 04:39 PM, Philip Seeley wrote:
I think this was my mistake in transcribing. The user_u line after the "semanage user -m" command should be:

    user_u          user       SystemLow  SystemLow-SystemHigh   user_r

Hello Phil,

I have tried your suggestion of extending the user_u definition without success:

    # semanage user -l
    # semanage user -m -r s0:c0.c1023 user_u
    # semanage user -l
    # useradd kate
    # passwd kate
    # semanage login -a kate

I would greatly appreciate any other hints to make this work.

Regards,
Bill

On 5/23/2017 8:42 PM, Philip Seeley wrote:
This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:

    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

    guest_u         user       s0         s0               guest_r
    root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
    staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
    sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
    system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
    unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
    user_u          user       s0         s0               user_r

You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:

    # semanage user -m -r s0:c0.c1023 user_u
    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

    guest_u         user       s0         s0               guest_r
    root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
    staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
    sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
    system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
    unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
    user_u          user       s0         s0:c0.c1023      user_r

Hope that helps.

Phil

Bill Durant ---24/05/2017 12:34:53---Hello Phil: Thank you for the suggestion. I have tried the steps from the URL that

From: Bill Durant <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

Hello Phil:

Thank you for the suggestion. I have tried the steps from the URL that you provided without success. I get an error when I try to assign Linux user mary to an SELinux login as follows:

    # cat /etc/redhat-release

I would appreciate any hints on how to resolve that error.

Thanks!
Bill
Have you thought about using categories?

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html

Cheers
Phil

Bill D ---24/05/2017 09:52:00---Greetings: I have been trying to figure out how to control the execution of Java

From: Bill D <littus@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Cc: littus@xxxxxxxxxx
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC

Greetings:

I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC. I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.

Here is how jack executes jack.jar:

    java -jar jack.jar

Here is how mary executes mary.jar:

    java -jar mary.jar

I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar. How to configure SELinux RBAC to make that happen?

I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success. I would greatly appreciate any hints.

Regards,
Bill

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
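The MCS rule the whole thread turns on, as an added example that is not part of the thread: a process may touch a file only if the high end of its range carries every category on the file, and chcat's "+" unions the new categories into whatever the login already holds, which is why bar ended up with s0:c0.c1023,c1 and could still read a c0-labelled Foo.jar. The helper names (parse_level, mcs_allows, after_chcat_add, thread_cases) and the replayed cases are my own; as Phil notes above, on releases newer than CentOS6/RHEL6 the user_t domain has to be made MCS constrained before this check is enforced for it at all.

```python
import re

def parse_level(level):
    """Parse one MCS level such as 's0:c0.c1023,c5' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # cN, or a run cN.cM
        if m is None:
            raise ValueError(f"bad category spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a bare level such as 's0:c0' is its own high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def mcs_allows(subject_range, object_level):
    """True if the subject's clearance (high level) dominates the object's level:
    sensitivity at least as high, and every category on the object held by the subject."""
    _, (sub_sens, sub_cats) = parse_range(subject_range)
    obj_sens, obj_cats = parse_level(object_level)
    return sub_sens >= obj_sens and obj_cats <= sub_cats

def after_chcat_add(login_range, extra_cats):
    """Model 'chcat -l -- +cN login': the new categories are unioned with those already held."""
    _, (_, high_cats) = parse_range(login_range)
    _, new_cats = parse_level("s0:" + extra_cats)
    return high_cats | new_cats

def thread_cases():
    """Access decisions observed in the thread, replayed against the dominance rule."""
    return {
        # Bill's first attempt: "+Operator" on a SystemLow-SystemHigh login still holds c0
        "bar (c0.c1023,c1) reads Foo.jar (c0)": mcs_allows("s0-s0:c0.c1023,c1", "s0:c0"),
        # Phil's session after setting the categories outright
        "jack (c0) reads jack (c0)": mcs_allows("s0-s0:c0", "s0:c0"),
        "jack (c0) reads mary (c1)": mcs_allows("s0-s0:c0", "s0:c1"),
        "mary (c1) reads jack (c0)": mcs_allows("s0-s0:c1", "s0:c0"),
    }

if __name__ == "__main__":
    print("bar after '+c1':", len(after_chcat_add("s0-s0:c0.c1023", "c1")), "categories")
    for case, allowed in thread_cases().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The same check is what the `Permission denied` lines in Phil's jack/mary session reflect; it says nothing about type enforcement, which the policy applies on top of it.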