Hi Bill,

I saw in a previous post that you were using CentOS 6.9 so this should work for you. It looks like the login configuration is not quite right as both users are showing SystemLow-SystemHigh when they log on.

Check the login config shows they only have the categories they need, i.e. jack has c0 and mary has c1.

If they're not correct try setting the categories rather than adding to them with a "+":

[root@centos6 ~]# chcat -l -- c0 jack
[root@centos6 ~]# chcat -l -- c1 mary

[root@centos6 ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023          
jack                      user_u                    s0-s0:c0                
mary                      user_u                    s0-s0:c1                
root                      unconfined_u              s0-s0:c0.c1023          
system_u                  system_u                  s0-s0:c0.c1023          

Then with:

# ll -Z /usr/local/bin/
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c0 jack
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c1 mary
[root@centos6 ~]# cat /etc/system-release
CentOS release 6.9 (Final)

as jack:

[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack) context=user_u:user_r:user_t:s0-s0:c0
[jack@centos6 ~]$ cat /usr/local/bin/jack
Hi
[jack@centos6 ~]$ cat /usr/local/bin/mary
cat: /usr/local/bin/mary: Permission denied

and as mary:

[mary@centos6 ~]$ id
uid=501(mary) gid=501(mary) groups=501(mary) context=user_u:user_r:user_t:s0-s0:c1
[mary@centos6 ~]$ cat /usr/local/bin/jack
cat: /usr/local/bin/jack: Permission denied
[mary@centos6 ~]$ cat /usr/local/bin/mary
Hi

Cheers

Phil


From: Bill D <littus@icloud.com>
To: Philip Seeley <pseeley@au1.ibm.com>
Cc: littus@icloud.com, selinux@lists.fedoraproject.org
Date: 26/05/2017 05:19
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC

Hello Phil:

Thank you for the response.  Your suggested fix resolved the error.

However, I am unable to get the desired effect.

I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories.

I would appreciate any other hints to make this work.

Following are the details of what I did:

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

# semanage user -m -r s0-s0:c0.c1023 user_u

# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r


# cat setrans.conf

#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

# service mcstrans restart
Stopping mcstransd:                                        [  OK  ]
Starting mcstransd:                                        [  OK  ]

# chcat -L
s0:c0                          NetworkAdministrator
s0:c1                          Operator
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh

# useradd foo

# useradd bar

# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# semanage login -a foo

# semanage login -a bar

# chcat -l -- +NetworkAdministrator foo

# chcat -l -- +Operator bar

# chcat -L -l bar foo
bar: s0:c0.c1023,c1    <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0    <===== why is it not just s0:c0?

# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar

# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

Now log in as the 'foo' Linux user and notice that it can run Foo.jar as expected

$ whoami
foo

$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh

$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Now log in as the 'bar' Linux user and notice that it can also run Foo.jar which is NOT expected

$ whoami
bar

$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh

$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar

$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo

Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?

Following is how to create the Foo.jar file:

$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}

$ cat manifest.txt
Main-Class:

$ javac Foo.java

$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)

Best Regards,

Bill
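The exchange above turns on one rule: a process can read a file only if the high end of its MCS range contains every category on the file, and a range of s0-s0:c0.c1023 (SystemLow-SystemHigh) contains every category there is. The script below is an added example, not code from either post, that models that containment check in plain sh so the two outcomes in the thread can be reproduced on paper: foo and bar, whose ranges became c0.c1023 plus one more category after `chcat -l -- +...`, dominate any file label, while jack and mary, set to exactly c0 and c1, dominate only their own. The `semanage login -l` lines it audits are constructed to mirror the thread, not captured from a host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for the MCS discussion above; not from the list posts.
# Models the kernel's MCS rule: a process may read a file only if the high
# level of the process's MCS range contains every category on the file.
# Category syntax follows what SELinux prints: "c0", "c1", "c0.c1023"
# (inclusive range) and "c0.c1023,c1" (comma-separated set).

# Category part of a level: "s0:c0.c1023,c1" -> "c0.c1023,c1", "s0" -> "".
mcs_cats() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# High level of a range: "s0-s0:c0" -> "s0:c0"; a bare level is its own high.
mcs_high() {
    printf '%s\n' "${1##*-}"
}

# Does category set $1 (e.g. "c0.c1023,c1") contain category number $2?
mcs_has_cat() {
    hc_set=$1; hc_n=$2
    hc_ifs=$IFS; IFS=,
    for hc_part in $hc_set; do
        case "$hc_part" in
            *.*) hc_lo=${hc_part%%.*}; hc_hi=${hc_part##*.}
                 hc_lo=${hc_lo#c}; hc_hi=${hc_hi#c}
                 if [ "$hc_n" -ge "$hc_lo" ] && [ "$hc_n" -le "$hc_hi" ]; then
                     IFS=$hc_ifs; return 0
                 fi ;;
            "")  ;;
            *)   if [ "${hc_part#c}" -eq "$hc_n" ]; then IFS=$hc_ifs; return 0; fi ;;
        esac
    done
    IFS=$hc_ifs
    return 1
}

# Expand a category set to space-separated numbers: "c0.c2,c5" -> "0 1 2 5".
mcs_expand() {
    ex_out=""
    ex_ifs=$IFS; IFS=,
    for ex_part in $1; do
        case "$ex_part" in
            *.*) ex_i=${ex_part%%.*}; ex_hi=${ex_part##*.}
                 ex_i=${ex_i#c}; ex_hi=${ex_hi#c}
                 while [ "$ex_i" -le "$ex_hi" ]; do
                     ex_out="$ex_out $ex_i"; ex_i=$((ex_i + 1))
                 done ;;
            "")  ;;
            *)   ex_out="$ex_out ${ex_part#c}" ;;
        esac
    done
    IFS=$ex_ifs
    printf '%s\n' "${ex_out# }"
}

# mcs_dominates PROCESS_RANGE FILE_LEVEL: exit 0 if the process may read the file.
mcs_dominates() {
    dom_proc=$(mcs_cats "$(mcs_high "$1")")
    dom_file=$(mcs_cats "$2")
    for dom_n in $(mcs_expand "$dom_file"); do
        mcs_has_cat "$dom_proc" "$dom_n" || return 1
    done
    return 0
}

# Constructed lines in the shape of `semanage login -l` (name, SELinux user,
# range): foo and bar as they ended up after `chcat -l -- +Category`, and
# jack and mary as intended after `chcat -l -- c0`/`c1`.
SAMPLE_LOGINS='__default__ unconfined_u s0-s0:c0.c1023
bar user_u s0-s0:c0.c1023,c1
foo user_u s0-s0:c0.c1023,c0
jack user_u s0-s0:c0
mary user_u s0-s0:c1'

# who_can_read FILE_LEVEL: login names whose range dominates FILE_LEVEL.
who_can_read() {
    wc_out=""
    while read -r wc_name wc_seuser wc_range; do
        [ -n "$wc_name" ] || continue
        if mcs_dominates "$wc_range" "$1"; then wc_out="$wc_out $wc_name"; fi
    done <<EOF
$SAMPLE_LOGINS
EOF
    printf '%s\n' "${wc_out# }"
}

echo "can read a s0:c0 (NetworkAdministrator) file: $(who_can_read s0:c0)"
echo "can read a s0:c1 (Operator) file:             $(who_can_read s0:c1)"
```

Running it lists bar and foo under both labels, because c0.c1023 already covers c0 and c1, and only jack or mary under one. The same reasoning explains the `chcat -L -l` output in the thread: `+Operator` was added to a user_u range that had been widened to c0.c1023, so the result was a superset rather than a replacement. The script models MCS category containment only; the sensitivity level and the type-enforcement rules still apply on a real host, so confirm with `id -Z` and a read attempt as Phil's transcript does.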

On 05/24/2017 04:39 PM, Philip Seeley wrote: