Re: CentOS7 SELinux doesn't seem to adhere to MCS categories

On Wed, Mar 21, 2018 at 10:11:11AM +0100, Lukas Prediger wrote:
> Hello everyone!
> 
> I am having some issues with SELinux Multi Category Security on CentOS7
> and have been redirected to this mailing list by the folks at
> centos.org/forums (as response to my question there [0]).
> 
> My problem is the following:
> Running CentOS7 64bit with SELinux in enforcing mode in targeted policy,
> I noticed that a file that is assigned to a certain SELinux MCS (Multi
> Category Security) category can be read by a user who is not assigned to
> that category, indicating that MCS isn't working properly.
> 
> More specifically, I have users
> john | mcsuser_u | s0-s0:c122
> jane | mcsuser_u | s0-s0:c123
> 
> with
> mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux
> Roles: user_r
> 
> and a file
> -rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
> 
> I would expect that user jane is unable to read the file since she is
> not a member of the c122 category. However, running cat johntext as jane
> prints the contents of the file without problem. This indicates to me
> that MCS rules are not adhered to.
> 
> I tested the same setup on CentOS 6.9, where everything behaves as I
> would expect (i.e., invoking cat johntext as jane results in a permission
> denied error).
> 
> Since I was unable to find documentation on a major change in
> policy/configuration regarding SELinux from version 6.9 to 7, I am
> somewhat confused by this. Am I making an obvious mistake or is this a
> bug? If the latter, is it CentOS related or was it some change in
> SELinux policies that I did not find documentation on which are present
> in the latest versions of CentOS but not in 6.9?
>

It seems like a similar problem which was already discussed in this list
https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/G7TNUJZM2FYRQ3TQ7IL3D5QSLXOJAPW4/

If your mcsuser_u maps to user_t you probably need to make user_t mcs
constrained, see the link above.

Petr



> Any advice would be very welcome.
> 
> I also posted a more verbose version of this question already on
> serverfault.com [1], in case a more detailed listing of my steps is
> required.
> 
> Thank you very much in advance.
> 
> Best regards,
> Lukas P.
> 
> [0]:
> https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd377019d7f826e2d76359ca88fc41
> [1]:
> https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-adhere-to-mcs-categories
> 
> PS: I sent this mail once already last week but didn't get a reply and
> it doesn't appear in the archives
> [https://lists.fedoraproject.org/archives/], so I'm assuming it got lost
> (maybe because I sent it before subscribing to the list..). If it's a
> duplicate, please disregard (but maybe point me to / forward me the
> responses..)
> 

> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

Attachment: signature.asc
Description: PGP signature

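Petr's suggestion, carried through as a worked check and fix. This is an added example, not code from the thread, from the CentOS forum post, or from the selinux-policy sources. It assumes that mcsuser_u lands in the user_t domain (user_r's default type), that the attribute the targeted policy's MCS file constraints key on is mcs_constrained_type, and that the module file name and /tmp path are illustrative; john, jane and c122/c123 are the values from the report. The seinfo sample embedded for the offline dry run is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example for this thread, not code from the list or the CentOS policy.
# Makes the login domain (user_t here, as Petr suggests) carry the
# mcs_constrained_type attribute so the MCS constraints on file access apply.
# Assumptions: user_t is the domain mcsuser_u lands in; the module name and the
# /tmp path are illustrative; john/jane/c122 are the values from the report.

# Emit a CIL module that adds type $1 to the policy's mcs_constrained_type attribute.
cil_module() {
    printf '(typeattributeset mcs_constrained_type (%s))\n' "$1"
}

# Exit 0 if type $1 is listed in $2, the text printed by
# `seinfo -amcs_constrained_type -x` (the attached -a form parses the same on
# setools 3 (CentOS 7) and setools 4; with a space, setools 3 reads the
# attribute name as a policy file path).
is_mcs_constrained() {
    printf '%s\n' "$2" | grep -qE "^[[:space:]]*$1[[:space:]]*$"
}

# Constructed sample of that seinfo output on a stock CentOS 7 targeted policy:
# a few virt/sandbox domains are constrained, user_t is not. Offline dry run only.
SAMPLE_SEINFO='   mcs_constrained_type
      sandbox_x_t
      svirt_t
      svirt_tcg_t'

# Apply on a real CentOS 7 host: show the login mappings, add the attribute if
# it is missing, then re-test as jane (the read should now be denied and logged).
apply_live() {
    t="${1:-user_t}"
    # Expect john -> s0-s0:c122 and jane -> s0-s0:c123 under mcsuser_u.
    semanage login -l | grep -E '^(john|jane)[[:space:]]' || echo "no login mapping for john/jane"
    current=$(seinfo -amcs_constrained_type -x)
    if is_mcs_constrained "$t" "$current"; then
        echo "$t already carries mcs_constrained_type; the cause is elsewhere (levels, file type)."
        return 0
    fi
    cil_module "$t" > "/tmp/${t}_mcs.cil"
    semodule -i "/tmp/${t}_mcs.cil"            # loads the module into the running policy
    seinfo -amcs_constrained_type -x | grep -w "$t"
    echo "Re-test: as jane, 'cat johntext' should now fail; see: ausearch -m avc -ts recent"
}

# Touch the system only when asked explicitly and the SELinux userspace is present.
if [ "${1:-}" = "--apply" ] && command -v semodule >/dev/null 2>&1; then
    apply_live "${2:-user_t}"
fi
```

Run with `--apply` on the CentOS 7 host as root; without it the script only defines the helpers, so it can be sourced and dry-run against the sample. The constraint checks that the process's high level dominates the file's level, so after the change jane (s0-s0:c123) is refused johntext (s0:c122) while john (s0-s0:c122) still reads it. Note that the attribute applies to every login mapped to user_t, not only mcsuser_u, so confirm that is what you want before loading it on a shared box; if the denial shows up as a constraint rather than a missing allow rule, `audit2why` on the AVC line will say so.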
