On Thu, Feb 19, 2015 at 12:48:41PM PST, Dominick Grift spake thusly:

> cat >> mytest.te <<EOF
> policy_module(mytest, 1.0,0)
> gen_require(`
>     type bla_t;
>     attribute mcsuntrustedproc;
> ')
> type_attribute bla_t mcsuntrustedproc;
> EOF

OK, great. So I've got this policy in place for user_t and loaded:

    policy_module(mytest, 1.0,0)
    gen_require(`
        type user_t;
        attribute mcsuntrustedproc;
    ')
    typeattribute user_t mcsuntrustedproc;

So I ssh to the machine and log in as p16001, which is a Linux user who also has an SELinux user and is assigned category p16001:

    # semanage login -l

    Login Name                SELinux User              MLS/MCS Range
    __default__               unconfined_u              SystemLow-SystemHigh
    p16001                    p16001_u                  p16001
    p16002                    appuser_u                 s0:c1.c499-s0:c2
    p16003                    appuser_u                 s0:c1.c499-s0:c3
    p16004                    unconfined_u              s0-s0:c0.c1023,c4
    p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5
    p16006                    unconfined_u              s0-s0:c0.c1023,c6
    p16007                    unconfined_u              s0-s0:c0.c1023,c7
    p16008                    unconfined_u              s0-s0:c0.c1023,c8
    p16009                    unconfined_u              s0-s0:c0.c1023,c9
    root                      unconfined_u              SystemLow-SystemHigh
    system_u                  system_u                  SystemLow-SystemHigh

but when I try to test that it is being MCS restricted, nothing gets denied:

    -bash-4.1$ cd /nodes/p16001/
    -bash-4.1$ ls
    testfile
    -bash-4.1$
    -bash-4.1$ id -Z
    p16001_u:user_r:user_t:p16001
    -bash-4.1$ ls -laZ
    drwxr-xr-x. p16001 p16001 user_u:object_r:default_t:p16001 .
    drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
    -rw-r--r--. p16001 p16001 user_u:object_r:default_t:p16001 testfile
    -bash-4.1$ cat testfile
    I am 16001
    -bash-4.1$ cd ../p16002/
    -bash-4.1$ ls -laZ
    drwxr-xr-x. p16002 p16002 user_u:object_r:default_t:p16002 .
    drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
    -rw-r--r--. p16002 p16002 user_u:object_r:default_t:p16002 testfile
    -bash-4.1$ cat testfile
    I am 16002

To my understanding, user p16001 with only category p16001 should not be able to read this file of category p16002.

Also, I would really like to clean up the above MCS range for users p16002 through p16009.
    # First let's try to remove c4 from p16004:

    [mcstest:/nodes/p16001]# chcat -l -- -c4 p16004
    p16004

    Login Name                SELinux User              MLS/MCS Range
    __default__               unconfined_u              SystemLow-SystemHigh
    p16001                    p16001_u                  p16001
    p16002                    appuser_u                 s0:c1.c499-s0:c2
    p16003                    appuser_u                 s0:c1.c499-s0:c3
    p16004                    unconfined_u              s0-s0:c0.c1023,c4
    p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5
    p16006                    unconfined_u              s0-s0:c0.c1023,c6
    p16007                    unconfined_u              s0-s0:c0.c1023,c7
    p16008                    unconfined_u              s0-s0:c0.c1023,c8
    p16009                    unconfined_u              s0-s0:c0.c1023,c9
    root                      unconfined_u              SystemLow-SystemHigh
    system_u                  system_u                  SystemLow-SystemHigh

    # That's odd, no change. Let's delete appuser_u since I probably don't need
    # that and want each app to run under its own p1600x user:

    [mcstest:/nodes/p16001]# semanage user -d appuser_u
    [mcstest:/nodes/p16001]# semanage login -l

    Login Name                SELinux User              MLS/MCS Range
    __default__               unconfined_u              SystemLow-SystemHigh
    p16001                    p16001_u                  p16001
    p16002                    appuser_u                 s0:c1.c499-s0:c2
    p16003                    appuser_u                 s0:c1.c499-s0:c3
    p16004                    unconfined_u              s0-s0:c0.c1023,c4
    p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5
    p16006                    unconfined_u              s0-s0:c0.c1023,c6
    p16007                    unconfined_u              s0-s0:c0.c1023,c7
    p16008                    unconfined_u              s0-s0:c0.c1023,c8
    p16009                    unconfined_u              s0-s0:c0.c1023,c9
    root                      unconfined_u              SystemLow-SystemHigh
    system_u                  system_u                  SystemLow-SystemHigh

    # Weird. That didn't seem to do anything either. Let's try removing the category again:

    [mcstest:/nodes/p16001]# chcat -l -- -c4 p16004
    p16004
    libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
    libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
    libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
    /usr/sbin/semanage: Could not commit semanage transaction

    # Oops. Now we've got problems. Let's add it back...
    [mcstest:/nodes/p16001]# semanage user -a -R user_r appuser_u
    libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
    libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
    libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
    /usr/sbin/semanage: Could not commit semanage transaction

It's saying it doesn't exist when it's the user I'm trying to add? I'm confused.

-- 
Tracy Reed
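An added example, not part of this thread, that models the MCS category dominance relation the test above relies on ("the process's high level must dominate the file's level", i.e. its category set must be a superset of the file's). It parses only the raw syntax that appears in the `semanage login -l` output (`s0`, `s0:c2`, `s0:c1.c499`, `low-high` ranges); translated names such as `SystemLow` or `p16001` are assumed to be mcstrans aliases and are not resolved. It says nothing about which types the loaded policy's constraints actually apply to, so a `True` here means only that MCS dominance itself would not block the access. Two extra checks are included because they apply to the ranges quoted in the mail: whether a range is well-formed (the high level must dominate the low level, which `s0:c1.c499-s0:c2` fails), and which singly listed categories are already covered by a run (as `c4` is by `c0.c1023`).

```python
import re

# Raw MCS level: "s<N>" optionally followed by ":" and a comma-separated list of
# categories ("c7") and inclusive runs ("c0.c1023").
LEVEL_RE = re.compile(r"^s(\d+)(?::(.*))?$")


def parse_level(level):
    """Return (sensitivity, frozenset of category numbers) for one raw level."""
    m = LEVEL_RE.match(level.strip())
    if not m:
        # Translated names (SystemLow, p16001, ...) are out of scope here.
        raise ValueError(f"not a raw MCS level: {level!r}")
    sens = int(m.group(1))
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        if "." in part:
            lo, hi = part.split(".", 1)          # "c0.c1023" is an inclusive run
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return sens, frozenset(cats)


def parse_range(rng):
    """Return (low, high) levels; a bare level is its own low and high."""
    low, _, high = rng.strip().partition("-")
    low_l = parse_level(low)
    return low_l, (parse_level(high) if high else low_l)


def dominates(a, b):
    """'a dom b': a's sensitivity is >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_is_valid(rng):
    """A range is well-formed only when its high level dominates its low level."""
    low, high = parse_range(rng)
    return dominates(high, low)


def mcs_read_allowed(process_range, file_level):
    """Model of the MCS read check: the process's high level must dominate the file's level."""
    _, high = parse_range(process_range)
    return dominates(high, parse_level(file_level))


def redundant_categories(level):
    """Single categories in a level that a c<lo>.c<hi> run in the same level already covers."""
    _, _, cats = level.strip().partition(":")
    runs, singles = [], []
    for part in filter(None, cats.split(",")):
        if "." in part:
            lo, hi = part.split(".", 1)
            runs.append((int(lo[1:]), int(hi[1:])))
        else:
            singles.append(int(part[1:]))
    return frozenset(c for c in singles if any(lo <= c <= hi for lo, hi in runs))


if __name__ == "__main__":
    # Constructed demo using the raw ranges quoted in the mail.
    print("c1 reads c2 file:", mcs_read_allowed("s0:c1", "s0:c2"))
    print("c0.c1023,c4 reads c2 file:", mcs_read_allowed("s0-s0:c0.c1023,c4", "s0:c2"))
    print("s0:c1.c499-s0:c2 well-formed:", range_is_valid("s0:c1.c499-s0:c2"))
    print("redundant in s0:c0.c1023,c4:", sorted(redundant_categories("s0:c0.c1023,c4")))
```

Run as a script it prints the four checks; imported, the functions can be fed any raw range copied from `semanage login -l` or the last field of a `ls -Z` context.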
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.