On Wed, Mar 21, 2018 at 10:11:11AM +0100, Lukas Prediger wrote:
> Hello everyone!
>
> I am having some issues with SELinux Multi Category Security on CentOS7
> and have been redirected to this mailing list by the folks at
> centos.org/forums (as response to my question there [0]).
>
> My problem is the following:
> Running CentOS7 64bit with SELinux in enforcing mode in targeted policy,
> I noticed that a file that is assigned to a certain SELinux MCS (Multi
> Category Security) category can be read by a user who is not assigned to
> that category, indicating that MCS isn't working properly.
>
> More specifically, I have users
>   john | mcsuser_u | s0-s0:c122
>   jane | mcsuser_u | s0-s0:c123
>
> with
>   mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r
>
> and a file
>   -rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
>
> I would expect that user jane is unable to read the file since she is
> not a member of the c122 category. However, running cat johntext as jane
> prints the contents of the file without problem. This indicates to me
> that MCS rules are not adhered to.
>
> I tested the same setup on CentOS 6.9, where everything behaves as I
> would expect (i.e., invoking cat johntext as jane results in a permission
> denied error).
>
> Since I was unable to find documentation on a major change in
> policy/configuration regarding SELinux from version 6.9 to 7, I am
> somewhat confused by this. Am I making an obvious mistake or is this a
> bug? If the latter, is it CentOS related or was it some change in
> SELinux policies that I did not find documentation on which are present
> in the latest versions of CentOS but not in 6.9?

It seems like a similar problem which was already discussed on this list:
https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/G7TNUJZM2FYRQ3TQ7IL3D5QSLXOJAPW4/

If your mcsuser_u maps to user_t you probably need to make user_t MCS constrained, see the link above.

Petr

> Any advice would be very welcome.
>
> I also posted a more verbose version of this question already on
> serverfault.com [1], in case a more detailed listing of my steps is
> required.
>
> Thank you very much in advance.
>
> Best regards,
> Lukas P.
>
> [0]: https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd377019d7f826e2d76359ca88fc41
> [1]: https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-adhere-to-mcs-categories
>
> PS: I sent this mail once already last week but didn't get a reply and
> it doesn't appear in the archives
> [https://lists.fedoraproject.org/archives/], so I'm assuming it got lost
> (maybe because I sent it before subscribing to the list..). If it's a
> duplicate, please disregard (but maybe point me to / forward me the
> responses..)
>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
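The reply above says user_t has to be made "MCS constrained". In the Fedora-derived policy shipped with CentOS 7 that means giving user_t the mcs_constrained_type attribute, because the MCS constraints in that policy only bind domains carrying that attribute; on CentOS 6 every domain was constrained, which is why the same test denied jane there. The script below is an added example, not code from either poster or from the selinux-policy project: it checks whether user_t already has the attribute, builds a one-line local policy module that adds it, loads it, and looks for the expected AVC after jane retries `cat johntext`. It assumes root, the selinux-policy-devel and setools-console (setools 3, hence the attached `-a` argument) packages, and the john/jane setup from the thread; the module name `local_mcs_user`, the work directory and the file path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): make user_t MCS-constrained on CentOS 7
# so that per-user categories (s0:c122 vs s0:c123) are enforced for user_t.
# Assumptions: run as root; selinux-policy-devel and setools-console installed;
# logins map to user_t as in the thread. Module name, work dir and file path
# are hypothetical.
set -u

MODULE=local_mcs_user          # hypothetical module name
WORKDIR=/root/selinux-local    # hypothetical build directory

# 1. Diagnostics: confirm the login-to-SELinux-user mapping, the file label,
#    and whether user_t already carries mcs_constrained_type (by default on
#    CentOS 7 it does not; only a few domains such as svirt_t do).
check_constrained() {
    semanage login -l | grep -E '^(john|jane) '
    ls -Z /home/john/johntext
    # setools 3 (CentOS 7) requires the attribute name attached to -a
    seinfo -amcs_constrained_type -x
}

# 2. The policy module text. Emitting it from a function lets it be inspected
#    without touching the running policy.
render_module() {
    cat <<'EOF'
policy_module(local_mcs_user, 1.0)

gen_require(`
	type user_t;
	attribute mcs_constrained_type;
')

# The MCS constraints in this policy read "(h1 dom h2) or (t1 != mcs_constrained_type)",
# so adding the attribute is what switches category checks on for user_t.
typeattribute user_t mcs_constrained_type;
EOF
}

# 3. Build with the refpolicy devel Makefile, load it, and re-check the attribute.
apply_module() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    render_module > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    seinfo -amcs_constrained_type -x | grep -w user_t
}

# 4. After jane logs in (e.g. over ssh, so pam_selinux sets s0:c123) and runs
#    `cat johntext`, the read should fail and leave an AVC naming the file.
verify_denial() {
    ausearch -m AVC -ts recent 2>/dev/null | grep johntext
}

case "${1:-}" in
    check)  check_constrained ;;
    apply)  apply_module ;;
    verify) verify_denial ;;
esac
```

Run it as `sh mcs_user.sh check`, then `apply`, then have jane retry the read and run `verify`. Note that the attribute switches on all of the policy's MCS constraints for user_t, not just file reads (process signalling and similar classes between user_t processes with disjoint categories will be denied too), so test normal logins afterwards and not only the johntext case. The same module applies to any other login domain (e.g. staff_t) if your SELinux user maps there instead of user_t.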