Hello Phil:
Thank you for the response. Your suggested fix resolved the error.
However, I am unable to get the desired effect.
I am not able to prevent a Linux user from running/accessing a Java JAR
file using SELinux categories.
I would appreciate any other hints to make this work.
Following are the details of what I did:
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
git_shell_u     user      SystemLow  SystemLow             git_shell_r
guest_u         user      SystemLow  SystemLow             guest_r
root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
user_u          user      SystemLow  SystemLow             user_r
xguest_u        user      SystemLow  SystemLow             xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
git_shell_u     user      SystemLow  SystemLow             git_shell_r
guest_u         user      SystemLow  SystemLow             guest_r
root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
user_u          user      SystemLow  SystemLow-SystemHigh  user_r
xguest_u        user      SystemLow  SystemLow             xguest_r
# cat setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- +NetworkAdministrator foo
# chcat -l -- +Operator bar
# chcat -L -l bar foo
bar: s0:c0.c1023,c1 <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0 <===== why is it not just just s0:c0?
# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
Now log in as the 'foo' Linux user and notice that it can run Foo.jar as expected:
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Now log in as the 'bar' Linux user and notice that it can also run Foo.jar, which is NOT expected:
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?
Following is how to create the Foo.jar file:
$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}
$ cat manifest.txt
Main-Class:
$ javac Foo.java
$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)
Best Regards,
Bill
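The output quoted in the message above already contains the answer to the "why" question: `id -Z` prints `user_u:user_r:user_t:SystemLow-SystemHigh` for both foo and bar, and `chcat -L -l` shows `s0:c0.c1023,c1` for bar, so each login mapping received the full category range of user_u when it was created and chcat only added a category that the set already contained. The script below is an added example written for this edit, not code from the thread or from the SELinux project: it parses MCS levels and ranges in the exact syntax shown above (`s0:c0.c1023,c1`, `s0-s0:c0.c1023`, plus the setrans.conf names) and applies a simplified version of the MCS file constraint, namely that the high level of the process range must dominate the file's level. That the real policy constraint has no further exceptions is an assumption of the model; the translation table is copied from the setrans.conf in the thread.

```python
"""Model of the SELinux MCS dominance check on a file's category label.

Added example, not code from the mailing-list thread. It reproduces only
the "subject's high level dominates object's level" rule (an assumption:
the real policy constraint has extra exceptions this model ignores) and
uses the setrans.conf translations shown in the thread.
"""

import re

# Translation table copied from the setrans.conf quoted in the thread.
SETRANS = {
    "s0:c0": "NetworkAdministrator",
    "s0:c1": "Operator",
    "s0": "SystemLow",
    "s0-s0:c0.c1023": "SystemLow-SystemHigh",
    "s0:c0.c1023": "SystemHigh",
}
UNTRANS = {name: raw for raw, name in SETRANS.items()}

_CAT_SPEC = re.compile(r"c(\d+)(?:\.c(\d+))?")


def parse_level(level):
    """Parse one MCS level, e.g. 's0:c0.c1023,c1', into (sensitivity, categories).

    A translated name from SETRANS (e.g. 'SystemHigh') is accepted as well.
    'cA.cB' is an inclusive run of categories, ',' separates runs/singles.
    """
    level = UNTRANS.get(level, level)
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = _CAT_SPEC.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        categories.update(range(lo, hi + 1))
    return sens, frozenset(categories)


def parse_range(rng):
    """Parse 'low-high' (or a single level standing for both) into two levels."""
    rng = UNTRANS.get(rng, rng)
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(h1, h2):
    """MCS dominance: same sensitivity and h1's category set contains h2's."""
    return h1[0] == h2[0] and h1[1] >= h2[1]


def can_access(process_range, file_level):
    """Simplified MCS file constraint: the process range's HIGH level must
    dominate the file's level (assumption: no other policy exceptions)."""
    _, high = parse_range(process_range)
    return dominates(high, parse_level(file_level))


if __name__ == "__main__":
    # Ranges and labels as they appear in the thread (constructed usage).
    for who, rng in [("foo (id -Z)", "SystemLow-SystemHigh"),
                     ("bar (id -Z)", "SystemLow-SystemHigh"),
                     ("bar (chcat -L -l)", "s0:c0.c1023,c1"),
                     ("bar with only Operator", "s0-s0:c1")]:
        print(f"{who:24} -> Foo.jar [NetworkAdministrator]: "
              f"{can_access(rng, 'NetworkAdministrator')}")
```

Run as a script it prints `True` for the three ranges the thread actually shows and `False` only for a hypothetical mapping of `s0-s0:c1`, i.e. a login whose high level holds just the Operator category. In the semanage model that corresponds to a login mapping created or modified with an explicit range (the `-r` option of `semanage login`; which exact option fits your release is something to confirm against `semanage login --help` on the system) rather than inheriting the full range of user_u.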
On 05/24/2017 04:39 PM, Philip Seeley wrote:
Hi Bill,
I think this was my mistake in transcribing. The user_u line after the
"semanage user -m" command should be:
user_u          user      SystemLow  SystemLow-SystemHigh  user_r
So the command should have been:
semanage user -m -r s0-s0:c0.c1023 user_u
Or even:
semanage user -m -r SystemLow-SystemHigh user_u
Apologies for that.
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 25/05/2017 02:28
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Hello Phil,
I have tried your suggestion of extending the user_u definition
without success:
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
git_shell_u     user      SystemLow  SystemLow             git_shell_r
guest_u         user      SystemLow  SystemLow             guest_r
root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
user_u          user      SystemLow  SystemLow             user_r
xguest_u        user      SystemLow  SystemLow             xguest_r
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range             SELinux Roles
git_shell_u     user      SystemLow  SystemLow             git_shell_r
guest_u         user      SystemLow  SystemLow             guest_r
root            user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh  system_r unconfined_r
user_u          user      SystemLow  SystemHigh            user_r
xguest_u        user      SystemLow  SystemLow             xguest_r
# useradd kate
# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would greatly appreciate any other hints to make this work.
Regards,
Bill
On 5/23/2017 8:42 PM, Philip Seeley wrote:
Hi Bill,
This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles
guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user      s0         s0               user_r
You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles
guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user      s0         s0:c0.c1023      user_r
Hope that helps.
Phil
From: Bill Durant <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Hello Phil:
Thank you for the suggestion. I have tried the steps from the URL that you provided without success.
I get an error when I try to assign Linux user mary to an SELinux login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote:
Hi Bill,
Have you thought about using categories?
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getst...
Cheers
Phil
From: Bill D <littus(a)icloud.com>
To: selinux(a)lists.fedoraproject.org
Cc: littus(a)icloud.com
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Greetings:
I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar.
How do I configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success.
I would greatly appreciate any hints.
Regards,
Bill
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org