On 05/25/2017 01:21 PM, Stephen Smalley wrote:
> On Thu, 2017-05-25 at 12:19 -0700, Bill D wrote:
> Hello Phil:
>
> Thank you for the response. Your suggested fix resolved the error.
>
> However, I am unable to get the desired effect.
>
> I am not able to prevent a Linux user from running/accessing a Java
> JAR file using SELinux categories.
>
> I would appreciate any other hints to make this work.
>
> Following are the details of what I did:
>
> # semanage user -l
>
>                 Labeling  MLS/       MLS/
> SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
>
> git_shell_u     user      SystemLow  SystemLow             git_shell_r
> guest_u         user      SystemLow  SystemLow             guest_r
> root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
> staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
> sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
> system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
> unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
> user_u          user      SystemLow  SystemLow             user_r
> xguest_u        user      SystemLow  SystemLow             xguest_r
>
> # semanage user -m -r s0-s0:c0.c1023 user_u
>
> # semanage user -l
>
>                 Labeling  MLS/       MLS/
> SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
>
> git_shell_u     user      SystemLow  SystemLow             git_shell_r
> guest_u         user      SystemLow  SystemLow             guest_r
> root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
> staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
> sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
> system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
> unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
> user_u          user      SystemLow  SystemLow-SystemHigh  user_r
> xguest_u        user      SystemLow  SystemLow             xguest_r
>
>
> # cat setrans.conf
>
> #
> # Multi-Category Security translation table for SELinux
> #
> # Uncomment the following to disable translation libary
> # disable=1
> #
> # Objects can be categorized with 0-1023 categories defined by the admin.
> # Objects can be in more than one category at a time.
> # Categories are stored in the system as c0-c1023. Users can use this
> # table to translate the categories into a more meaningful output.
> # Examples:
> # s0:c0=CompanyConfidential
> # s0:c1=PatientRecord
> # s0:c2=Unclassified
> # s0:c3=TopSecret
> # s0:c1,c3=CompanyConfidentialRedHat
> s0:c0=NetworkAdministrator
> s0:c1=Operator
> s0=SystemLow
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
>
> # service mcstrans restart
> Stopping mcstransd: [ OK ]
> Starting mcstransd: [ OK ]
>
> # chcat -L
> s0:c0 NetworkAdministrator
> s0:c1 Operator
> s0 SystemLow
> s0-s0:c0.c1023 SystemLow-SystemHigh
> s0:c0.c1023 SystemHigh
>
> # useradd foo
>
> # useradd bar
>
> # passwd foo
> Changing password for user foo.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # passwd bar
> Changing password for user bar.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # semanage login -a foo
>
> # semanage login -a bar
>
> # chcat -l -- +NetworkAdministrator foo
>
> # chcat -l -- +Operator bar
>
> # chcat -L -l bar foo
> bar: s0:c0.c1023,c1 <===== why is it not just s0:c1?
> foo: s0:c0.c1023,c0 <===== why is it not just s0:c0?
>
> # chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
>
> # ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator
> /usr/local/soup/bin/Foo.jar
>
> Now log in as the 'foo' Linux user and notice that it can run Foo.jar
> as expected
>
> $ whoami
> foo
>
> $ id -Z
> user_u:user_r:user_t:SystemLow-SystemHigh
>
> $ ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator
> /usr/local/soup/bin/Foo.jar
>
> $ java -jar /usr/local/soup/bin/Foo.jar
> Hello Foo
>
> Now log in as the 'bar' Linux user and notice that it can also run
> Foo.jar, which is NOT expected
>
> $ whoami
> bar
>
> $ id -Z
> user_u:user_r:user_t:SystemLow-SystemHigh
>
> $ ls -Z /usr/local/soup/bin/Foo.jar
> -rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator
> /usr/local/soup/bin/Foo.jar
>
> $ java -jar /usr/local/soup/bin/Foo.jar
> Hello Foo
>
> Why is Linux user 'bar' able to run/access Foo.jar when its category
> doesn't match Foo.jar's category?
> Red Hat changed the way MCS works in modern versions of RHEL. It went
> from being a user-centric model to being something they only use to
> separate sandboxes, containers, VMs, openshift instances, etc. So a
> domain is only restricted by MCS if it is specifically marked as being
> MCS constrained.

How do I mark a file's domain/type as MCS constrained? Or is that not
possible?

> MLS on the other hand is still applied to all domains except those
> explicitly exempted (trusted to cross levels).

I would greatly appreciate any hints on how to use MLS to control file
access.

Thanks!
Bill

> Following is how to create the Foo.jar file:
>
> $ cat Foo.java
> public class Foo {
>     public static void main(String[] args) {
>         System.out.println("Hello Foo");
>     }
> }
>
> $ cat manifest.txt
> Main-Class:
>
> $ javac Foo.java
>
> $ jar cvfe Foo.jar Foo Foo.class
> added manifest
> adding: Foo.class(in = 409) (out= 282)(deflated 31%)
>
> Best Regards,
>
> Bill
>
> On 05/24/2017 04:39 PM, Philip Seeley wrote:
>> Hi Bill,
>>
>> I think this was my mistake in transcribing. The user_u line after
>> the "semanage user -m" command should be:
>> user_u user SystemLow SystemLow-SystemHigh user_r
>>
>> So the command should have been:
>>
>> semanage user -m -r s0-s0:c0.c1023 user_u
>>
>> Or even:
>>
>> semanage user -m -r SystemLow-SystemHigh user_u
>>
>> Apologies for that.
>>
>> Phil
>>
>> From: Bill D <littus(a)icloud.com>
>> To: Philip Seeley <pseeley(a)au1.ibm.com>
>> Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
>> Date: 25/05/2017 02:28
>> Subject: Re: Controlling execution of Java JAR files with SELinux
>> RBAC
>>
>>
>>
>> Hello Phil,
>> I have tried your suggestion of extending the user_u definition
>> without success:
>> # semanage user -l
>>
>>                 Labeling  MLS/       MLS/
>> SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
>>
>> git_shell_u     user      SystemLow  SystemLow             git_shell_r
>> guest_u         user      SystemLow  SystemLow             guest_r
>> root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
>> staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
>> system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
>> unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
>> user_u          user      SystemLow  SystemLow             user_r
>> xguest_u        user      SystemLow  SystemLow             xguest_r
>> # semanage user -m -r s0:c0.c1023 user_u
>> # semanage user -l
>>
>>                 Labeling  MLS/       MLS/
>> SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
>>
>> git_shell_u     user      SystemLow  SystemLow             git_shell_r
>> guest_u         user      SystemLow  SystemLow             guest_r
>> root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
>> staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
>> system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
>> unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
>> user_u          user      SystemLow  SystemHigh            user_r
>> xguest_u        user      SystemLow  SystemLow             xguest_r
>> # useradd kate
>> # passwd kate
>> Changing password for user kate.
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>> # semanage login -a kate
>> libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
>> libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
>> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
>> /usr/sbin/semanage: Could not commit semanage transaction
>> I would greatly appreciate any other hints to make this work.
>> Regards,
>> Bill
>> On 5/23/2017 8:42 PM, Philip Seeley wrote:
>> Hi Bill,
>>
>> This is probably because the default RHEL6 configuration does not
>> include any categories in the user_u SELinux user's range:
>>
>> # semanage user -l
>>
>>                 Labeling  MLS/       MLS/
>> SELinux User    Prefix    MCS Level  MCS Range       SELinux Roles
>>
>> guest_u         user      s0         s0              guest_r
>> root            user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
>> staff_u         user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user      s0         s0-s0:c0.c1023  sysadm_r
>> system_u        user      s0         s0-s0:c0.c1023  system_r unconfined_r
>> unconfined_u    user      s0         s0-s0:c0.c1023  system_r unconfined_r
>> user_u          user      s0         s0              user_r
>>
>> You probably have to extend the user definition to include the
>> categories you're using. As an example, this gives all categories:
>>
>> # semanage user -m -r s0:c0.c1023 user_u
>>
>> # semanage user -l
>>
>>                 Labeling  MLS/       MLS/
>> SELinux User    Prefix    MCS Level  MCS Range       SELinux Roles
>>
>> guest_u         user      s0         s0              guest_r
>> root            user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
>> staff_u         user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user      s0         s0-s0:c0.c1023  sysadm_r
>> system_u        user      s0         s0-s0:c0.c1023  system_r unconfined_r
>> unconfined_u    user      s0         s0-s0:c0.c1023  system_r unconfined_r
>> user_u          user      s0         s0:c0.c1023     user_r
>>
>> Hope that helps.
>>
>> Phil
>>
>>
>> From: Bill Durant <littus(a)icloud.com>
>> To: Philip Seeley <pseeley(a)au1.ibm.com>
>> Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
>> Date: 24/05/2017 12:34
>> Subject: Re: Controlling execution of Java JAR files with SELinux
>> RBAC
>>
>>
>>
>> Hello Phil:
>> Thank you for the suggestion. I have tried the steps from the URL
>> that you provided without success.
>> I get an error when I try to assign Linux user mary to an SELinux
>> login as follows:
>> # cat /etc/redhat-release
>> CentOS release 6.9 (Final)
>>
>> ;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to
>> /etc/selinux/targeted/setrans.conf
>>
>> # cat /etc/selinux/targeted/setrans.conf
>> #
>> # Multi-Category Security translation table for SELinux
>> #
>> # Uncomment the following to disable translation libary
>> # disable=1
>> #
>> # Objects can be categorized with 0-1023 categories defined by the admin.
>> # Objects can be in more than one category at a time.
>> # Categories are stored in the system as c0-c1023. Users can use this
>> # table to translate the categories into a more meaningful output.
>> # Examples:
>> # s0:c0=CompanyConfidential
>> # s0:c1=PatientRecord
>> # s0:c2=Unclassified
>> # s0:c3=TopSecret
>> # s0:c1,c3=CompanyConfidentialRedHat
>> s0:c0=NetworkAdministrator
>> s0:c1=Operator
>> s0=SystemLow
>> s0-s0:c0.c1023=SystemLow-SystemHigh
>> s0:c0.c1023=SystemHigh
>>
>> # service mcstrans start
>>
>> # chcat -L
>> s0:c0 NetworkAdministrator
>> s0:c1 Operator
>> s0 SystemLow
>> s0-s0:c0.c1023 SystemLow-SystemHigh
>> s0:c0.c1023 SystemHigh
>>
>>
>> # useradd mary
>> # passwd mary
>> Changing password for user mary.
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>>
>> # semanage login -a mary
>>
>> # chcat -l -- +NetworkAdministrator mary
>> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
>> libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
>> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
>> /usr/sbin/semanage: Could not commit semanage transaction
>> I would appreciate any hints on how to resolve that error.
>> Thanks!
>> Bill
>>
>> On 05/23/2017 05:49 PM, Philip Seeley wrote:
>> Hi Bill,
>>
>> Have you thought about using categories?
>>
>>
>> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
>>
>> Cheers
>>
>> Phil
>>
>> From: Bill D <littus(a)icloud.com>
>> To: selinux(a)lists.fedoraproject.org
>> Cc: littus(a)icloud.com
>> Date: 24/05/2017 09:52
>> Subject: Controlling execution of Java JAR files with SELinux RBAC
>>
>>
>>
>> Greetings:
>>
>> I have been trying to figure out how to control the execution of Java
>> JAR files with SELinux RBAC.
>>
>> I have two Linux users named joe and mary and two Java JAR files named
>> jack.jar and mary.jar.
>>
>> Here is how jack executes jack.jar: java -jar jack.jar
>>
>> Here is how mary executes mary.jar: java -jar mary.jar
>>
>> I would like SELinux RBAC to prevent jack from executing mary.jar and
>> prevent mary from executing jack.jar.
>>
>> How do I configure SELinux RBAC to make that happen?
>>
>> I have tried various approaches without success. I have also tried the
>> steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html
>> without success.
>>
>> I would greatly appreciate any hints.
>>
>> Regards,
>>
>> Bill
>>
>>
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
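Added example, not part of the thread and not code from the SELinux tools: the set arithmetic behind an MCS category check, written against the labels quoted above. It parses raw levels such as `s0:c0.c1023,c1`, maps the setrans.conf names from the thread (`SystemLow-SystemHigh`, `NetworkAdministrator`) back to raw form, and tests dominance (same or higher sensitivity, superset of categories). Comparing the subject's high level against the object's level is this example's own choice, and the `s0:c1` mapping used for contrast is constructed. With the thread's values, the `SystemLow-SystemHigh` range both logins show in `id -Z` and the `s0:c0.c1023,c1` mapping `chcat -L -l` shows for bar contain category c0, so a category check against the JAR's `s0:c0` passes for both users; only a mapping confined to `s0:c1` fails it.

```python
"""MCS/MLS level parsing and dominance check (added example, not from the thread)."""
import re

# Category translations copied from the setrans.conf quoted in the thread.
SETRANS = {
    "s0:c0": "NetworkAdministrator",
    "s0:c1": "Operator",
    "s0": "SystemLow",
    "s0-s0:c0.c1023": "SystemLow-SystemHigh",
    "s0:c0.c1023": "SystemHigh",
}
UNTRANS = {name: raw for raw, name in SETRANS.items()}


def untranslate(spec):
    """Map a translated label (e.g. SystemLow-SystemHigh) back to its raw form."""
    return UNTRANS.get(spec, spec)


def parse_level(level):
    """'s0:c0.c1023,c1' -> (0, frozenset({0..1023})); 's0' -> (0, frozenset())."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError(f"bad level: {level!r}")
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # cN.cM is an inclusive range
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:                                # a single cN
                cats.add(int(part[1:]))
    return sens, frozenset(cats)


def parse_range(spec):
    """Parse 'low-high' or a single level (translated or raw) into (low, high)."""
    spec = untranslate(spec)
    if "-" in spec:
        low, high = spec.split("-", 1)
    else:
        low = high = spec
    return parse_level(low), parse_level(high)


def dominates(subject, obj):
    """Level dominance: sensitivity not lower and categories a superset."""
    return subject[0] >= obj[0] and subject[1] >= obj[1]


def context_range(context):
    """Return the level field of a security context (everything after the type)."""
    return context.split(":", 3)[3]


def mcs_allows(subject_context, object_context):
    """Category check as this example defines it: subject high level vs object level."""
    _, subj_high = parse_range(context_range(subject_context))
    _, obj_level = parse_range(context_range(object_context))
    return dominates(subj_high, obj_level)


def report():
    """Apply the check to the labels quoted in the thread plus one constructed mapping."""
    jar_ctx = "system_u:object_r:bin_t:NetworkAdministrator"   # ls -Z Foo.jar
    login_ctx = "user_u:user_r:user_t:SystemLow-SystemHigh"    # id -Z for foo and bar
    bar_mapping = "s0:c0.c1023,c1"                             # chcat -L -l bar
    c1_only = "s0:c1"                                          # constructed contrast
    jar_level = parse_range(context_range(jar_ctx))[1]
    return {
        "process_vs_jar": mcs_allows(login_ctx, jar_ctx),
        "bar_login_vs_jar": dominates(parse_range(bar_mapping)[1], jar_level),
        "c1_only_vs_jar": dominates(parse_level(c1_only), jar_level),
    }


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name}: {'dominates' if allowed else 'does not dominate'}")
```

`report()` returns `process_vs_jar` and `bar_login_vs_jar` as true and `c1_only_vs_jar` as false: a range that already spans `c0.c1023` dominates every single-category label, which is worth checking before expecting a category-based denial from any domain.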