Hello everyone!
I am having some issues with SELinux Multi Category Security on CentOS7
and have been redirected to this mailing list by the folks at
centos.org/forums (as response to my question there [0]).
My problem is the following:
Running CentOS7 64bit with SELinux in enforcing mode in targeted policy,
I noticed that a file that is assigned to a certain SELinux MCS (Multi
Category Security) category can be read by a user who is not assigned to
that category, indicating that MCS isn't working properly.
More specifically, I have users
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123
with
mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux
Roles: user_r
and a file
-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
I would expect that user jane is unable to read the file since she is
not a member of the c122 category. However, running cat johntext as jane
prints the contents of the file without problem. This indicates to me
that MCS rules are not adhered to.
I tested the same setup on CentOS 6.9, where everything behaves as I
would expect (i.e., invoking cat johntext as jane results in a permission
denied error).
Since I was unable to find documentation on a major change in
policy/configuration regarding SELinux from version 6.9 to 7, I am
somewhat confused by this. Am I making an obvious mistake or is this a
bug? If the latter, is it CentOS related or was it some change in
SELinux policies that I did not find documentation on which are present
in the latest versions of CentOS but not in 6.9?
Any advice would be very welcome.
I also posted a more verbose version of this question already on
serverfault.com [1], in case a more detailed listing of my steps is
required.
Thank you very much in advance.
Best regards,
Lukas P.
[0]:
https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd...
[1]:
https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-a...
PS: I sent this mail once already last week but didn't get a reply and
it doesn't appear in the archives
[https://lists.fedoraproject.org/archives/], so I'm assuming it got lost
(maybe because I sent it before subscribing to the list..). If it's a
duplicate, please disregard (but maybe point me to / forward me the
responses..)
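Editor's note, not part of Lukas's mail: the check the poster expects the kernel to apply is the MCS dominance rule, i.e. a process may read a file only if the high level of the process's range contains every category on the file's label. The script below is an added example that parses `semanage login -l`-style ranges (`s0-s0:c122`, `s0-s0:c0.c1023`) and `ls -Z`-style contexts and evaluates that rule for the users and file from the mail; the function and variable names are my own and the sample data is copied from the post. It reproduces the CentOS 6.9 behaviour the poster saw (john allowed, jane denied). One caveat a practitioner should check before assuming a bug: in the targeted policy shipped with the RHEL 7 family, the MCS file constraints carry an extra clause that exempts any subject type not tagged with the `mcs_constrained_type` attribute, and `seinfo -amcs_constrained_type -x` lists which types are tagged; a type missing from that list is not subject to the rule modelled here, regardless of the categories on the file.

```python
"""Model of the SELinux MCS dominance check applied to file reads.

Added example: evaluates "high level of subject dominates object level"
for labels in the syntax printed by semanage, ls -Z and id -Z.
"""
import re
from typing import Set, Tuple

Level = Tuple[int, Set[int]]  # (sensitivity, set of category numbers)


def parse_categories(spec: str) -> Set[int]:
    """'c0.c1023' -> {0..1023}; 'c1,c5.c7' -> {1,5,6,7}; '' -> empty set."""
    cats: Set[int] = set()
    if not spec:
        return cats
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level: str) -> Level:
    """'s0:c122' -> (0, {122}); 's0' -> (0, set())."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError(f"bad level: {level!r}")
    return int(m.group(1)), parse_categories(m.group(2) or "")


def parse_range(rng: str) -> Tuple[Level, Level]:
    """'s0-s0:c122' -> (low, high); a bare level is its own low and high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    return lo, hi


def dominates(a: Level, b: Level) -> bool:
    """a dom b: higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def label_level(context: str) -> str:
    """'mcsuser_u:object_r:user_home_t:s0:c122' -> 's0:c122'.

    A context is user:role:type:level; the level itself contains ':',
    so split at most three times and keep the remainder.
    """
    return context.split(":", 3)[3]


def mcs_read_allowed(subject_range: str, object_context: str) -> bool:
    """MCS read rule (policy/mcs): h1 dom h2, i.e. the HIGH end of the
    subject's range must dominate the object's single level."""
    _, high = parse_range(subject_range)
    return dominates(high, parse_level(label_level(object_context)))


# Sample data taken from the mail (constructed table, not a live system).
LOGINS = {"john": "s0-s0:c122", "jane": "s0-s0:c123"}
JOHNTEXT = "mcsuser_u:object_r:user_home_t:s0:c122"


def expected_results() -> dict:
    """What the poster expected on both systems: john allowed, jane denied."""
    return {user: mcs_read_allowed(rng, JOHNTEXT) for user, rng in LOGINS.items()}


if __name__ == "__main__":
    for user, allowed in expected_results().items():
        print(f"{user:5} reading johntext -> {'allowed' if allowed else 'DENIED'}")
```

The model reads the high end of the range because that is what the MCS constraint in the reference policy compares (`h1 dom h2`); a login mapped to the full `s0-s0:c0.c1023` range therefore dominates every file, which is why the `mcsuser_u` user's own range in the post is irrelevant and only the per-login ranges on john and jane matter.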