Hello everyone!
I am having some issues with SELinux Multi Category Security on
CentOS7 and have been redirected to this mailing list by the folks
at centos.org/forums (as response to my question there [0]).
My problem is the following:
Running CentOS7 64bit with SELinux in enforcing mode in targeted policy, I noticed that a file that is
assigned to a certain SELinux MCS (Multi Category Security)
category can be read by a user who is not assigned to that
category, indicating that MCS isn't working properly.
More specifically, I have users
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123
with
mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r
and a file
-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
I would expect that user jane is unable to read the file since she is not a member of the c122
category. However, running cat johntext as jane prints the contents of
the file without problem. This indicates to me that MCS rules are
not adhered to.
I tested the same setup on CentOS 6.9, where everything behaves as
I would expect (i.e., invoking cat johntext as jane results in a
permission denied error).
Since I was unable to find documentation on a major change in
policy/configuration regarding SELinux from version 6.9 to 7, I am
somewhat confused by this. Am I making an obvious mistake or is
this a bug? If the latter, is it CentOS related or was it some
change in SELinux policies that I did not find documentation on
which are present in the latest versions of CentOS but not in 6.9?
Any advice would be very welcome.
I also posted a more verbose version of this question already on
serverfault.com [1], in case a more detailed listing of my steps
is required.
Thank you very much in advance.
Best regards,
Lukas P.
[0]: https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd377019d7f826e2d76359ca88fc41
[1]: https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-adhere-to-mcs-categories
PS: I sent this mail once already last week but didn't get a reply and it doesn't appear in the archives [https://lists.fedoraproject.org/archives/], so I'm assuming it got lost (maybe because I sent it before subscribing to the list..). If it's a duplicate, please disregard (but maybe point me to / forward me the responses..)
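Added example, not part of the message above and not code from any SELinux tool: a POSIX sh model of the MCS check that the policy's `mlsconstrain` rule applies to file reads (the subject's high level must dominate the object's level, i.e. the subject's category set must be a superset of the file's categories). It only parses labels in the form printed by `id -Z` and `ls -Z`; the labels fed to it are constructed to match the users and file in the post. It reproduces the CentOS 6.9 behaviour the poster expected: john (c122) may read, jane (c123) may not, and the seuser range s0-s0:c0.c1023 is only the range a login is allowed to pick from, not what jane's processes actually run with. One caveat a practitioner should check first: in the CentOS 7 targeted policy the MCS file constraints are scoped to types carrying the `mcs_constrained_type` attribute, and `seinfo -amcs_constrained_type -x` lists those types; a file type outside that set never reaches the category comparison, regardless of what this model says.

```shell
#!/bin/sh
# Constructed MCS model (added example, not SELinux's own code): parse MCS
# levels and decide whether a subject's category set covers an object's.

# high_level RANGE -> prints the high level of "low-high" (or the single level)
high_level() {
    case "$1" in
        *-*) printf '%s\n' "${1#*-}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# expand_cats LEVEL -> one category number per line, e.g. "s0:c0.c3,c122"
# yields 0 1 2 3 122. A level with no ":" part has no categories.
expand_cats() {
    level=$1
    case "$level" in
        *:*) cats=${level#*:} ;;
        *)   cats= ;;
    esac
    [ -z "$cats" ] && return 0
    old_ifs=$IFS; IFS=,
    set -- $cats            # split the comma-separated items
    IFS=$old_ifs
    for item; do
        case "$item" in
            c*.c*)          # inclusive range cA.cB
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf '%s\n' "$i"; i=$((i + 1))
                done ;;
            c*) printf '%s\n' "${item#c}" ;;
        esac
    done
}

# mcs_read_allowed SUBJECT_RANGE OBJECT_LEVEL -> exit 0 when every category
# of the object is present in the subject's high level (h1 dom l2), else 1.
mcs_read_allowed() {
    subj_cats=$(expand_cats "$(high_level "$1")")
    obj_cats=$(expand_cats "$(high_level "$2")")
    for c in $obj_cats; do
        printf '%s\n' "$subj_cats" | grep -qx "$c" || return 1
    done
    return 0
}

# report SUBJECT_RANGE OBJECT_LEVEL -> human-readable verdict
report() {
    if mcs_read_allowed "$1" "$2"; then
        echo "$1 reading $2: allowed by MCS"
    else
        echo "$1 reading $2: denied by MCS"
    fi
}

# Constructed inputs mirroring the post: john, jane, the seuser range, and
# the file johntext labelled s0:c122.
report "s0-s0:c122" "s0:c122"        # john: allowed
report "s0-s0:c123" "s0:c122"        # jane: denied
report "s0-s0:c0.c1023" "s0:c122"    # full seuser range: allowed
report "s0-s0:c123" "s0"             # uncategorised file: allowed for anyone
```

Run it as `sh mcs_model.sh`; the verdicts it prints for jane are what a CentOS 6.9 box produces, so a difference between the model and a live `cat johntext` points at the constraint not applying to the file's type rather than at the labels.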