On Sun, Aug 2, 2020 at 5:20 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote: > > Hello, > > The user level is currently used as the range for files under HOME_DIR. > It appears that the Bell-LaPadula model makes the assumption that all objects are single leveled, this assumption is also made in libsepol. (I haven't really found a good source for this assumption) > libsepol does not make any assumptions about policy. Everything is defined in the policy mls or mcs files in terms of constraints. > But in my own (MCS) policy objects are not single leveled. Files are, by definition, single level objects because they cannot be decomposed. A file with U - TS data in it is a TS file. The policy (not libsepol) handles enforcing single-level objects, for example in refpolicy: # make sure these file classes are "single level" mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 ); You cannot create or relabel a file with anything other than low = high. Directories can be ranged, if they contain files of multiple levels, again, from refpolicy: # Directory "write" ops mlsconstrain dir { add_name remove_name reparent rmdir } (( l1 eq l2 ) or (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsfilewrite ) or ( t2 == mlstrustedobject )); So the source low must equal the directory low or one of the mls exception attributes controls fine grained usage. > Read (and process communication) operations are allowed if a processes high level dominates an objects low level. > Write operations are allowed if a processes high level dominates an objects high level. > > Later I've found that someone else had also come up with this idea independently, see https://lore.kernel.org/selinux/20091103114530.GH1672@xxxxxxxxxxxxxxxxxxx/ and https://lore.kernel.org/selinux/20091125202727.GD1649@xxxxxxxxxxxxxxxxxxx/ . > > For this I want to label files under HOME_DIR with the range user_lowest-user_highest. > Ignoring process communication this would prevent a login with less than maximum clearance from escalating by writing to e.g. ~/.bashrc . > > For example a user with the range s0-s0:c0.c3 would have his home files labeled as s0-s0:c0.c3. > A local tty login with the maximum clearance s0-s0:c0.c3 would be able to edit ~/.bashrc . > But an ssh login from e.g. an insecure network with only the range s0-s0:c1 would be able to read but not write important files such as ~/.bashrc . > > Using user_highest-user_highest as user level would force the user to correct the context of potentially a lot of files required by whatever is run with less than user_highest high, so I want to avoid this. > > Would it make sense to change libsepol to accept a range as user level (and perhaps changing the name) ? libsepol isn't really doing anything here. You can use semanage to set a file context, something like: # semanage fcontext -r s0-s0:c0.c3 /home/username # restorecon -R /home/username But you do need to be careful of escalation as you've noted, you may need a number of these to set specific files to the user high level > -- > bauen1 > https://dn42.bauen1.xyz/