Hello Phil:
Setting the categories instead of adding them with the "+" worked!
So it sounds like the chcat "+" option is not working as expected on
CentOS 6.9. Do you concur?
Thank you for your help Phil.
The following series of steps show that it now works as expected:
# uname -a
Linux es300h 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS release 6.9 (Final)
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range         SELinux Roles
git_shell_u     user       s0           s0                git_shell_r
green_u         user       s0           s0                green_r
guest_u         user       s0           s0                guest_r
red_u           user       s0           s0                red_r
root            user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0           s0-s0:c0.c1023    sysadm_r
system_u        user       s0           s0-s0:c0.c1023    system_r unconfined_r
unconfined_u    user       s0           s0-s0:c0.c1023    system_r unconfined_r
user_u          user       s0           s0                user_r
xguest_u        user       s0           s0                xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range         SELinux Roles
git_shell_u     user       s0           s0                git_shell_r
green_u         user       s0           s0                green_r
guest_u         user       s0           s0                guest_r
red_u           user       s0           s0                red_r
root            user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0           s0-s0:c0.c1023    sysadm_r
system_u        user       s0           s0-s0:c0.c1023    system_r unconfined_r
unconfined_u    user       s0           s0-s0:c0.c1023    system_r unconfined_r
user_u          user       s0           s0-s0:c0.c1023    user_r
xguest_u        user       s0           s0                xguest_r
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- c0 foo
# chcat -l -- c1 bar
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u SystemLow-SystemHigh
bar user_u SystemLow-Operator
foo user_u SystemLow-NetworkAdministrator
root unconfined_u SystemLow-SystemHigh
system_u system_u SystemLow-SystemHigh
# chcat -L -l foo bar
foo: NetworkAdministrator
bar: Operator
# chcat -- +NetworkAdministrator /usr/local/soup/bin/foo.jar
# ls -Z /usr/local/soup/bin/foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/foo.jar
Now as the Linux user, foo, it works as expected:
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-NetworkAdministrator
$ java -jar /usr/local/soup/bin/foo.jar
Hello from the foo application
Now as the Linux user, bar, it also works as expected:
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-Operator
$ java -jar /usr/local/soup/bin/foo.jar
Error: Unable to access jarfile /usr/local/soup/bin/foo.jar
Regards,
Bill
On 05/28/2017 05:22 PM, Philip Seeley wrote:
Hi Bill,
I saw in a previous post that you were using CentOS 6.9 so this should
work for you. It looks like the login configuration is not quite right
as both users are showing SystemLow-SystemHigh when they logon.
Check the login config shows they only have the categories they need,
i.e. jack has c0 and mary has c1.
If they're not correct try setting the categories rather than adding
to them with a "+":
[root@centos6 ~]# chcat -l -- c0 jack
[root@centos6 ~]# chcat -l -- c1 mary
[root@centos6 ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
jack user_u s0-s0:c0
mary user_u s0-s0:c1
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
Then with:
# ll -Z /usr/local/bin/
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c0 jack
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c1 mary
[root@centos6 ~]# cat /etc/system-release
CentOS release 6.9 (Final)
as jack:
[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack)
context=user_u:user_r:user_t:s0-s0:c0
[jack@centos6 ~]$ cat /usr/local/bin/jack
Hi
[jack@centos6 ~]$ cat /usr/local/bin/mary
cat: /usr/local/bin/mary: Permission denied
and as mary:
[mary@centos6 ~]$ id
uid=501(mary) gid=501(mary) groups=501(mary)
context=user_u:user_r:user_t:s0-s0:c1
[mary@centos6 ~]$ cat /usr/local/bin/jack
cat: /usr/local/bin/jack: Permission denied
[mary@centos6 ~]$ cat /usr/local/bin/mary
Hi
Cheers
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 26/05/2017 05:19
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Hello Phil:
Thank you for the response. Your suggested fix resolved the error.
However, I am unable to get the desired effect.
I am not able to prevent a Linux user from running/accessing a Java
JAR file using SELinux categories.
I would appreciate any other hints to make this work.
Following are the details of what I did:
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range               SELinux Roles
git_shell_u     user       SystemLow    SystemLow               git_shell_r
guest_u         user       SystemLow    SystemLow               guest_r
root            user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow    SystemLow-SystemHigh    sysadm_r
system_u        user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
unconfined_u    user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
user_u          user       SystemLow    SystemLow               user_r
xguest_u        user       SystemLow    SystemLow               xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range               SELinux Roles
git_shell_u     user       SystemLow    SystemLow               git_shell_r
guest_u         user       SystemLow    SystemLow               guest_r
root            user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow    SystemLow-SystemHigh    sysadm_r
system_u        user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
unconfined_u    user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
user_u          user       SystemLow    SystemLow-SystemHigh    user_r
xguest_u        user       SystemLow    SystemLow               xguest_r
# cat setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- +NetworkAdministrator foo
# chcat -l -- +Operator bar
# chcat -L -l bar foo
bar: s0:c0.c1023,c1 <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0 <===== why is it not just s0:c0?
# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
Now login as the 'foo' Linux user and notice that it can run Foo.jar as expected:
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Now login as the 'bar' Linux user and notice that it can also run Foo.jar, which is NOT expected:
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Why is Linux user 'bar' able to run/access Foo.jar when its category
doesn't match Foo.jar's category?
Following is how to create the Foo.jar file:
$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}
$ cat manifest.txt
Main-Class:
$ javac Foo.java
$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)
Best Regards,
Bill
On 05/24/2017 04:39 PM, Philip Seeley wrote:
Hi Bill,
I think this was my mistake in transcribing. The user_u line
after the "semanage user -m" command should be:
user_u user SystemLow SystemLow-SystemHigh user_r
So the command should have been:
semanage user -m -r s0-s0:c0.c1023 user_u
Or even:
semanage user -m -r SystemLow-SystemHigh user_u
Apologies for that.
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 25/05/2017 02:28
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Hello Phil,
I have tried your suggestion of extending the user_u definition without success:
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range               SELinux Roles
git_shell_u     user       SystemLow    SystemLow               git_shell_r
guest_u         user       SystemLow    SystemLow               guest_r
root            user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow    SystemLow-SystemHigh    sysadm_r
system_u        user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
unconfined_u    user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
user_u          user       SystemLow    SystemLow               user_r
xguest_u        user       SystemLow    SystemLow               xguest_r
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range               SELinux Roles
git_shell_u     user       SystemLow    SystemLow               git_shell_r
guest_u         user       SystemLow    SystemLow               guest_r
root            user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow    SystemLow-SystemHigh    sysadm_r
system_u        user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
unconfined_u    user       SystemLow    SystemLow-SystemHigh    system_r unconfined_r
user_u          user       SystemLow    SystemHigh              user_r
xguest_u        user       SystemLow    SystemLow               xguest_r
# useradd kate
# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would greatly appreciate any other hints to make this work.
Regards,
Bill
On 5/23/2017 8:42 PM, Philip Seeley wrote:
Hi Bill,
This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range         SELinux Roles
guest_u         user       s0           s0                guest_r
root            user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0           s0-s0:c0.c1023    sysadm_r
system_u        user       s0           s0-s0:c0.c1023    system_r unconfined_r
unconfined_u    user       s0           s0-s0:c0.c1023    system_r unconfined_r
user_u          user       s0           s0                user_r
You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:
# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range         SELinux Roles
guest_u         user       s0           s0                guest_r
root            user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0           s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0           s0-s0:c0.c1023    sysadm_r
system_u        user       s0           s0-s0:c0.c1023    system_r unconfined_r
unconfined_u    user       s0           s0-s0:c0.c1023    system_r unconfined_r
user_u          user       s0           s0:c0.c1023       user_r
Hope that helps.
Phil
From: Bill Durant <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Hello Phil:
Thank you for the suggestion. I have tried the steps from the URL that you provided without success.
I get an error when I try to assign Linux user mary to an SELinux login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote:
Hi Bill,
Have you thought about using categories?
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getst...
Cheers
Phil
From: Bill D <littus(a)icloud.com>
To: selinux(a)lists.fedoraproject.org
Cc: littus(a)icloud.com
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC
------------------------------------------------------------------------
Greetings:
I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar.
How do I configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success.
I would greatly appreciate any hints.
Regards,
Bill
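As an added illustration (not code from the thread or from the SELinux tools), here is a small Python model of the two MCS facts this exchange turns on: a subject can access an object only if the high end of its range contains every category on the object, and chcat's "+" form adds to the login's existing categories while the plain form replaces them. The range strings and file labels are constructed from the values quoted in the thread; the function names are mine, and only the raw s0 notation is accepted, not mcstrans names like SystemHigh.

```python
import re

ALL_CATS = frozenset(range(1024))  # c0..c1023 on the stock targeted policy

def parse_cats(level: str) -> frozenset:
    """'s0:c0.c1023,c1' -> {0..1023}; 's0' -> empty set.
    Raw form only, not mcstrans names such as SystemHigh."""
    sens, _, cats = level.partition(":")
    if sens != "s0":
        raise ValueError(f"expected a raw s0 level, got {level!r}")
    out = set()
    for tok in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", tok)
        if not m:
            raise ValueError(f"bad category token {tok!r} in {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        out.update(range(lo, hi + 1))
    return frozenset(out)

def parse_range(rng: str) -> tuple:
    """'s0-s0:c0.c1023' -> (low cats, high cats); a bare level is its own high."""
    low, _, high = rng.partition("-")
    return parse_cats(low), parse_cats(high or low)

def format_cats(cats: frozenset) -> str:
    """Render a set as 's0:...', compressing consecutive runs to cA.cB."""
    nums, runs, i = sorted(cats), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        runs.append(f"c{nums[i]}" if i == j else f"c{nums[i]}.c{nums[j]}")
        i = j + 1
    return "s0:" + ",".join(runs) if runs else "s0"

def can_access(user_range: str, file_level: str) -> bool:
    """MCS rule: the high end of the subject's range must contain every
    category on the object; the low end of the range plays no part."""
    _, high = parse_range(user_range)
    return parse_cats(file_level) <= high

def chcat_login(current_range: str, cats: str, add: bool) -> str:
    """Model of 'chcat -l -- [+]cN user': '+' unions the new categories
    with the login's existing high set, the plain form replaces it."""
    _, high = parse_range(current_range)
    wanted = parse_cats("s0:" + cats)
    return "s0-" + format_cats(high | wanted if add else wanted)

if __name__ == "__main__":
    # Constructed walk-through of the thread: after 'semanage user -m -r
    # s0-s0:c0.c1023 user_u' a new login starts with every category, so
    # '+c1' changes nothing, while plain 'c1' narrows it to Operator only.
    start, jar = "s0-s0:c0.c1023", "s0:c0"  # Foo.jar = NetworkAdministrator
    for label, rng in (("+c1", chcat_login(start, "c1", add=True)),
                       (" c1", chcat_login(start, "c1", add=False))):
        print(f"bar after chcat {label}: {rng:18} reads jar: {can_access(rng, jar)}")
```

The "+" result is the same full category set chcat printed as s0:c0.c1023,c1 in the thread, which is why bar could still read a file labelled c0 until the categories were set outright.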