Hi Bill,
My understanding was that the "user" range was the possible range and the "login" range was what was allowed for a user.
I think this is actually wrong, as in CentOS6/RHEL6 you seem to be restricted to the context you log in with and get a "process.transition" denial if a user_t tries to change their context, e.g. with runcon:
[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: bash: Permission denied
This doesn't seem to be the case for later versions, specifically Fedora 25 that I've tried with. In this case you seem to need different SELinux users:
[root@laptop ~]# semanage user -a -R user_r -r s0:c0 jack_u
[root@laptop ~]# semanage user -a -R user_r -r s0:c1 mary_u
[root@laptop ~]# semanage login -a -s jack_u -r s0:c0 jack
[root@laptop ~]# semanage login -a -s mary_u -r s0:c1 mary
Then you can't change the context due to it being invalid:
[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack) context=jack_u:user_r:user_t:s0:c0
[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: invalid context: jack_u:user_r:user_t:s0:c1: Invalid argument
This latter approach worked for me on all versions of the OS and I would say is the more correct approach.
Hope that helps.
Phil
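An added example (not from anyone in this thread, and not libsemanage's or the kernel's own code) that models the check behind the "MLS range ... exceeds allowed range" errors quoted below and the "invalid context" result from runcon above: it parses MCS ranges as used on the targeted policy (single sensitivity s0, categories c0..c1023) and tests whether a login's range, or a requested level, fits inside its SELinux user's range. Function names are my own.

```python
"""Constructed model of the MCS range-containment check (targeted policy,
sensitivity s0 only). Not the libsemanage implementation."""


def parse_level(level):
    """'s0:c0,c2.c4' -> frozenset({0, 2, 3, 4}); 's0' -> empty set."""
    sens, _, cats = level.partition(":")
    if sens != "s0":
        raise ValueError(f"unsupported sensitivity {sens!r}")
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c2.c4' is an inclusive run
        lo, hi = int(lo[1:]), int((hi or lo)[1:])
        if not 0 <= lo <= hi <= 1023:
            raise ValueError(f"bad category range {item!r}")
        out.update(range(lo, hi + 1))
    return frozenset(out)


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def range_allowed(login_range, user_range):
    """True if login_range lies within user_range: the login's low level must
    dominate the SELinux user's low, and its high must be dominated by the
    user's high. With a fixed sensitivity these are category subset tests."""
    l_lo, l_hi = parse_range(login_range)
    u_lo, u_hi = parse_range(user_range)
    return u_lo <= l_lo and l_hi <= u_hi


def context_allowed(level, user_range):
    """True if a single level (what `runcon -l` asks for) sits within the
    SELinux user's range; otherwise the kernel rejects the context."""
    return range_allowed(level, user_range)


if __name__ == "__main__":
    # The failures reported in this thread, then the working setup.
    cases = [("s0-s0:c0", "s0"),                 # mary vs. stock user_u
             ("s0", "s0:c0.c1023"),              # kate vs. single-level user_u
             ("s0-s0:c0", "s0-s0:c0.c1023")]     # foo vs. corrected user_u
    for login, user in cases:
        print(f"{login:14} within {user:16}: {range_allowed(login, user)}")
    print("runcon -l s0:c1 as jack_u (s0:c0):", context_allowed("s0:c1", "s0:c0"))
```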
From: Bill D <littus@icloud.com>
To: Philip Seeley <pseeley@au1.ibm.com>
Cc: littus@icloud.com, selinux@lists.fedoraproject.org
Date: 31/05/2017 09:50
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Thank you for the information and the explanation of the "+" option--it makes sense.
I have one concern... Notice that initially user_u's MCS setting is s0, which I believe is the lowest category.
But in order to set up new categories for constraining access to JAR files, we must change user_u's MCS settings to s0-s0:c0.c1023 with the following command:
# semanage user -m -r s0-s0:c0.c1023 user_u
Doesn't it mean that we are elevating user_u's category privileges?
Is it possible to attain the desired effect without having to elevate user_u's category privileges?
Thank you & Best Regards,
Bill
On 05/29/2017 08:27 PM, Philip Seeley wrote:
Setting the categories instead of adding them with the "+" worked!
So it sounds like the chcat "+" option is not working as expected on CentOS 6.9. Do you concur?
Thank you for your help Phil.
The following series of steps show that it now works as expected:
# uname -a
Linux es300h 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS release 6.9 (Final)
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range          SELinux Roles

git_shell_u     user      s0         s0                 git_shell_r
green_u         user      s0         s0                 green_r
guest_u         user      s0         s0                 guest_r
red_u           user      s0         s0                 red_r
root            user      s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023     sysadm_r
system_u        user      s0         s0-s0:c0.c1023     system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user      s0         s0                 user_r
xguest_u        user      s0         s0                 xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range          SELinux Roles

git_shell_u     user      s0         s0                 git_shell_r
green_u         user      s0         s0                 green_r
guest_u         user      s0         s0                 guest_r
red_u           user      s0         s0                 red_r
root            user      s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023     sysadm_r
system_u        user      s0         s0-s0:c0.c1023     system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user      s0         s0-s0:c0.c1023     user_r
xguest_u        user      s0         s0                 xguest_r
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- c0 foo
# chcat -l -- c1 bar
# semanage login -l
Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         SystemLow-SystemHigh
bar                  user_u               SystemLow-Operator
foo                  user_u               SystemLow-NetworkAdministrator
root                 unconfined_u         SystemLow-SystemHigh
system_u             system_u             SystemLow-SystemHigh
# chcat -L -l foo bar
foo: NetworkAdministrator
bar: Operator
# chcat -- +NetworkAdministrator /usr/local/soup/bin/foo.jar
# ls -Z /usr/local/soup/bin/foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/foo.jar
Now as the Linux user, foo, it works as expected:
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-NetworkAdministrator
$ java -jar /usr/local/soup/bin/foo.jar
Hello from the foo application
Now as the Linux user, bar, it also works as expected:
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-Operator
$ java -jar /usr/local/soup/bin/foo.jar
Error: Unable to access jarfile /usr/local/soup/bin/foo.jar
Regards,
Bill
On 05/28/2017 05:22 PM, Philip Seeley wrote:
user_u user SystemLow SystemLow-SystemHigh user_r
So the command should have been:
semanage user -m -r s0-s0:c0.c1023 user_u
Or even:
semanage user -m -r SystemLow-SystemHigh user_u
Apologies for that.
Phil
From: Bill D <littus@icloud.com>
To: Philip Seeley <pseeley@au1.ibm.com>
Cc: littus@icloud.com, selinux@lists.fedoraproject.org
Date: 25/05/2017 02:28
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
I have tried your suggestion of extending the user_u definition without success:
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range              SELinux Roles

git_shell_u     user      SystemLow  SystemLow              git_shell_r
guest_u         user      SystemLow  SystemLow              guest_r
root            user      SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh   sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh   system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh   system_r unconfined_r
user_u          user      SystemLow  SystemLow              user_r
xguest_u        user      SystemLow  SystemLow              xguest_r
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range              SELinux Roles

git_shell_u     user      SystemLow  SystemLow              git_shell_r
guest_u         user      SystemLow  SystemLow              guest_r
root            user      SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
staff_u         user      SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      SystemLow  SystemLow-SystemHigh   sysadm_r
system_u        user      SystemLow  SystemLow-SystemHigh   system_r unconfined_r
unconfined_u    user      SystemLow  SystemLow-SystemHigh   system_r unconfined_r
user_u          user      SystemLow  SystemHigh             user_r
xguest_u        user      SystemLow  SystemLow              xguest_r
# useradd kate
# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would greatly appreciate any other hints to make this work.
Regards,
Bill
On 5/23/2017 8:42 PM, Philip Seeley wrote:
Thank you for the suggestion. I have tried the steps from the URL that you provided without success.
I get an error when I try to assign Linux user mary to an SELinux login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote: