Hi.
On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl <mgrepl(a)redhat.com> wrote:
On 11/09/2016 08:54 PM, Jeff Becker wrote:
> Hi. I successfully compiled and loaded the following policy file on
> RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I
> run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in
the
> attributes. How do I enable UBAC? Thanks.
Hi Jeff,
we don't build Fedora/RHEL distribution policy with UBAC support.
I suspected that.
You
would need to rebuild the policy from srpms to enable it.
What is your intention with UBAC?
My use case is that I'd like to have several file types with associated
SELinux users/roles, such that SELinux users of a certain type cannot
access files associated with another user's type, regardless of what
application is used for the access, e.g., my foo_u user below would not be
able to access files of type bar_t (associated with SELinux user bar_u). I
need this to be under mandatory access control, so it seems that multi
category security (MCS) labels would not work, as they are discretionary.
Is there another way, e.g., role based access control (RBAC) that could be
used? Thanks.
-jeff
>
> -jeff
>
> ------------------------------------------------------------
------------------------------------------------------------
--------------------------------------
>
> policy_module(foo, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> userdom_unpriv_user_template(foo)
>
> ########################################
> #
> # foo local policy
> #
>
> domain_use_interactive_fds(foo_t)
>
> files_read_etc_files(foo_t)
>
> miscfiles_read_localization(foo_t)
>
> ubac_constrained(foo_t)
>
>
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.