I finally got to see this work by turning SELinux enforcement to ON
instead of permissive. The reason I wasn't seeing access denials in the
audit log is because they were blocked by dontaudit rules in
userdom_unpriv_user_template. It would be nice if I could simply turn
off some of these dontaudit rules. (I know I can turn them all off with
semodule -DB)
Great news ;-)
I apologize that I was not responding. I was on vacation. So if you have
another questions I am ready to help you.
Thank you.
-jeff
On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker(a)gmail.com
<mailto:jeff.c.becker@gmail.com>> wrote:
Hi. I'm wondering if anyone has any input on this. After building
the Fedora SELinux policy with UBAC support (and rebooting), I've
created two SELinux users: {user_a role_a type_a} and {user_b role_b
type_b}, and both type_a and type_b have the ubac_constrained_type
attribute set. My understanding of UBAC led me to believe that
user_a would not have access to a file of type type_b. Similarly,
user_b would not have access to a file of type type_a. However,
these accesses are allowed. What else do I need to do to get this to
work. Thanks.
-jeff
On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker
<jeff.c.becker(a)gmail.com <mailto:jeff.c.becker@gmail.com>> wrote:
Some progress...
On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker
<jeff.c.becker(a)gmail.com <mailto:jeff.c.becker@gmail.com>> wrote:
Hi.
On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl
<mgrepl(a)redhat.com <mailto:mgrepl@redhat.com>> wrote:
On 11/09/2016 08:54 PM, Jeff Becker wrote:
> Hi. I successfully compiled and loaded the following
policy file on
> RHEL7 with the latest (as of yesterday) SELinux rpms.
However, when I
> run "seinfo -tfoo_t -x", I don't see
ubac_constrained_type listed in the
> attributes. How do I enable UBAC? Thanks.
Hi Jeff,
we don't build Fedora/RHEL distribution policy with UBAC
support.
I suspected that.
You
would need to rebuild the policy from srpms to enable it
I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from
http://kojipkgs.fedoraproject.org
<
http://kojipkgs.fedoraproject.org>. I figured this was close to
what I have installed
(selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled UBAC in
build.conf, and built and installed the policy. When I rebooted,
I could see that ubac_constrained_type attribute was present on
several types (including my new ones that I recompiled and
loaded). However, it's not working the way I thought it should.
If I log in with SELinux user A and I try to access a file from
SELinux user B (both types have ubac_constrained_type attribute
set), I thought access would be denied, but it's not, and
nothing shows up in the audit log. Am I misunderstanding or
missing something? Thanks.
-jeff
What is your intention with UBAC?
My use case is that I'd like to have several file types with
associated SELinux users/roles, such that SELinux users of a
certain type cannot access files associated with another
user's type, regardless of what application is used for the
access, e.g., my foo_u user below would not be able to
access files of type bar_t (associated with SELinux user
bar_u). I need this to be under mandatory access control, so
it seems that multi category security (MCS) labels would not
work, as they are discretionary. Is there another way, e.g.,
role based access control (RBAC) that could be used? Thanks.
-jeff
>
> -jeff
>
>
--------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> policy_module(foo, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> userdom_unpriv_user_template(foo)
>
> ########################################
> #
> # foo local policy
> #
>
> domain_use_interactive_fds(foo_t)
>
> files_read_etc_files(foo_t)
>
> miscfiles_read_localization(foo_t)
>
> ubac_constrained(foo_t)
>
>
>
> _______________________________________________
> selinux mailing list --
selinux(a)lists.fedoraproject.org
<mailto:selinux@lists.fedoraproject.org>
> To unsubscribe send an email to
selinux-leave(a)lists.fedoraproject.org
<mailto:selinux-leave@lists.fedoraproject.org>
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.