Hi. I successfully compiled and loaded the following policy file on RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the attributes. How do I enable UBAC? Thanks.

-jeff -------------------------------------------------------------------------------------------------------------------------------------------------------------- policy_module(foo, 1.0.0) ######################################## # # Declarations # userdom_unpriv_user_template(foo) ######################################## # # foo local policy # domain_use_interactive_fds(foo_t) files_read_etc_files(foo_t) miscfiles_read_localization(foo_t) ubac_constrained(foo_t) _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org

Hi. On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl <mgrepl(a)redhat.com&gt; wrote: > On 11/09/2016 08:54 PM, Jeff Becker wrote: > > Hi. I successfully compiled and loaded the following policy file on > > RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I > > run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the > > attributes. How do I enable UBAC? Thanks. > > Hi Jeff, > we don't build Fedora/RHEL distribution policy with UBAC support. I suspected that. > You > would need to rebuild the policy from srpms to enable it

> > What is your intention with UBAC? > My use case is that I'd like to have several file types with associated SELinux users/roles, such that SELinux users of a certain type cannot access files associated with another user's type, regardless of what application is used for the access, e.g., my foo_u user below would not be able to access files of type bar_t (associated with SELinux user bar_u). I need this to be under mandatory access control, so it seems that multi category security (MCS) labels would not work, as they are discretionary. Is there another way, e.g., role based access control (RBAC) that could be used? Thanks. -jeff > > > > > -jeff > > > > ------------------------------------------------------------ > ------------------------------------------------------------ > -------------------------------------- > > > > policy_module(foo, 1.0.0) > > > > ######################################## > > # > > # Declarations > > # > > userdom_unpriv_user_template(foo) > > > > ######################################## > > # > > # foo local policy > > # > > > > domain_use_interactive_fds(foo_t) > > > > files_read_etc_files(foo_t) > > > > miscfiles_read_localization(foo_t) > > > > ubac_constrained(foo_t) > > > > > > > > _______________________________________________ > > selinux mailing list -- selinux(a)lists.fedoraproject.org > > To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org > > > > > -- > Miroslav Grepl > Senior Software Engineer, SELinux Solutions > Red Hat, Inc. >

Hi. I'm wondering if anyone has any input on this. After building the Fedora SELinux policy with UBAC support (and rebooting), I've created two SELinux users: {user_a role_a type_a} and {user_b role_b type_b}, and both type_a and type_b have the ubac_constrained_type attribute set. My understanding of UBAC led me to believe that user_a would not have access to a file of type type_b. Similarly, user_b would not have access to a file of type type_a. However, these accesses are allowed. What else do I need to do to get this to work. Thanks. -jeff On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker <jeff.c.becker(a)gmail.com&gt; wrote: > Some progress... > > On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker <jeff.c.becker(a)gmail.com&gt; > wrote: > >> Hi. >> >> On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl <mgrepl(a)redhat.com&gt; >> wrote: >> >>> On 11/09/2016 08:54 PM, Jeff Becker wrote: >>> > Hi. I successfully compiled and loaded the following policy file on >>> > RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I >>> > run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in >>> the >>> > attributes. How do I enable UBAC? Thanks. >>> >>> Hi Jeff, >>> we don't build Fedora/RHEL distribution policy with UBAC support. >> >> >> I suspected that. >> >> >>> You >>> would need to rebuild the policy from srpms to enable it >> >> > I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from > http://kojipkgs.fedoraproject.org. I figured this was close to what I > have installed (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled > UBAC in build.conf, and built and installed the policy. When I rebooted, I > could see that ubac_constrained_type attribute was present on several types > (including my new ones that I recompiled and loaded). However, it's not > working the way I thought it should. If I log in with SELinux user A and I > try to access a file from SELinux user B (both types have > ubac_constrained_type attribute set), I thought access would be denied, but > it's not, and nothing shows up in the audit log. Am I misunderstanding or > missing something? Thanks. > > -jeff > >> >>> >>> What is your intention with UBAC? >>> >> >> My use case is that I'd like to have several file types with associated >> SELinux users/roles, such that SELinux users of a certain type cannot >> access files associated with another user's type, regardless of what >> application is used for the access, e.g., my foo_u user below would not be >> able to access files of type bar_t (associated with SELinux user bar_u). I >> need this to be under mandatory access control, so it seems that multi >> category security (MCS) labels would not work, as they are discretionary. >> Is there another way, e.g., role based access control (RBAC) that could be >> used? Thanks. >> >> -jeff >> >>> >>> > >>> > -jeff >>> > >>> > ------------------------------------------------------------ >>> ------------------------------------------------------------ >>> -------------------------------------- >>> > >>> > policy_module(foo, 1.0.0) >>> > >>> > ######################################## >>> > # >>> > # Declarations >>> > # >>> > userdom_unpriv_user_template(foo) >>> > >>> > ######################################## >>> > # >>> > # foo local policy >>> > # >>> > >>> > domain_use_interactive_fds(foo_t) >>> > >>> > files_read_etc_files(foo_t) >>> > >>> > miscfiles_read_localization(foo_t) >>> > >>> > ubac_constrained(foo_t) >>> > >>> > >>> > >>> > _______________________________________________ >>> > selinux mailing list -- selinux(a)lists.fedoraproject.org >>> > To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org >>> > >>> >>> >>> -- >>> Miroslav Grepl >>> Senior Software Engineer, SELinux Solutions >>> Red Hat, Inc. >>> >> >> >

On 11/22/2016 02:08 AM, Jeff Becker wrote: > I finally got to see this work by turning SELinux enforcement to ON > instead of permissive. The reason I wasn't seeing access denials in the > audit log is because they were blocked by dontaudit rules in > userdom_unpriv_user_template. It would be nice if I could simply turn > off some of these dontaudit rules. (I know I can turn them all off with > semodule -DB) Great news ;-) I apologize that I was not responding. I was on vacation. So if you have another questions I am ready to help you. Thank you.

> > -jeff > > On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker(a)gmail.com > <mailto:jeff.c.becker@gmail.com>> wrote: > > Hi. I'm wondering if anyone has any input on this. After building > the Fedora SELinux policy with UBAC support (and rebooting), I've > created two SELinux users: {user_a role_a type_a} and {user_b role_b > type_b}, and both type_a and type_b have the ubac_constrained_type > attribute set. My understanding of UBAC led me to believe that > user_a would not have access to a file of type type_b. Similarly, > user_b would not have access to a file of type type_a. However, > these accesses are allowed. What else do I need to do to get this to > work. Thanks. > > -jeff > > On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker > <jeff.c.becker(a)gmail.com <mailto:jeff.c.becker@gmail.com>> wrote: > > Some progress... > > On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker > <jeff.c.becker(a)gmail.com <mailto:jeff.c.becker@gmail.com>> wrote: > > Hi. > > On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl > <mgrepl(a)redhat.com <mailto:mgrepl@redhat.com>> wrote: > > On 11/09/2016 08:54 PM, Jeff Becker wrote: > > Hi. I successfully compiled and loaded the following > policy file on > > RHEL7 with the latest (as of yesterday) SELinux rpms. > However, when I > > run "seinfo -tfoo_t -x", I don't see > ubac_constrained_type listed in the > > attributes. How do I enable UBAC? Thanks. > > Hi Jeff, > we don't build Fedora/RHEL distribution policy with UBAC > support. > > > I suspected that. > > > You > would need to rebuild the policy from srpms to enable it > > > I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from > http://kojipkgs.fedoraproject.org > <http://kojipkgs.fedoraproject.org>;. I figured this was close to > what I have installed > (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled UBAC in > build.conf, and built and installed the policy. When I rebooted, > I could see that ubac_constrained_type attribute was present on > several types (including my new ones that I recompiled and > loaded). However, it's not working the way I thought it should. > If I log in with SELinux user A and I try to access a file from > SELinux user B (both types have ubac_constrained_type attribute > set), I thought access would be denied, but it's not, and > nothing shows up in the audit log. Am I misunderstanding or > missing something? Thanks. > > -jeff > > > > What is your intention with UBAC? > > > My use case is that I'd like to have several file types with > associated SELinux users/roles, such that SELinux users of a > certain type cannot access files associated with another > user's type, regardless of what application is used for the > access, e.g., my foo_u user below would not be able to > access files of type bar_t (associated with SELinux user > bar_u). I need this to be under mandatory access control, so > it seems that multi category security (MCS) labels would not > work, as they are discretionary. Is there another way, e.g., > role based access control (RBAC) that could be used? Thanks. > > -jeff > > > > > > -jeff > > > > > ------------------------------ ------------------------------------------------------------ -------------------------------------------------------------------- > > > > policy_module(foo, 1.0.0) > > > > ######################################## > > # > > # Declarations > > # > > userdom_unpriv_user_template(foo) > > > > ######################################## > > # > > # foo local policy > > # > > > > domain_use_interactive_fds(foo_t) > > > > files_read_etc_files(foo_t) > > > > miscfiles_read_localization(foo_t) > > > > ubac_constrained(foo_t) > > > > > > > > _______________________________________________ > > selinux mailing list -- > selinux(a)lists.fedoraproject.org > <mailto:selinux@lists.fedoraproject.org> > > To unsubscribe send an email to > selinux-leave(a)lists.fedoraproject.org > <mailto:selinux-leave@lists.fedoraproject.org> > > > > > -- > Miroslav Grepl > Senior Software Engineer, SELinux Solutions > Red Hat, Inc. > > > > > > > > _______________________________________________ > selinux mailing list -- selinux(a)lists.fedoraproject.org > To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org > -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.

Hi Jeff, Have you considered using categories? Assigning a category per-user or user group might give you the control you need.

Cheers Phil [image: Inactive hide details for Jeff Becker ---30/11/2016 06:28:48---Hi, On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl <mgrepl@redh]Jeff Becker ---30/11/2016 06:28:48---Hi, On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl <mgrepl(a)redhat.com&gt; wrote: From: Jeff Becker <jeff.c.becker(a)gmail.com&gt; To: Miroslav Grepl <mgrepl(a)redhat.com&gt; Cc: selinux(a)lists.fedoraproject.org Date: 30/11/2016 06:28 Subject: Re: user based access control ------------------------------ Hi, On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl <*mgrepl(a)redhat.com* <mgrepl(a)redhat.com&gt;&gt; wrote: On 11/22/2016 02:08 AM, Jeff Becker wrote: > I finally got to see this work by turning SELinux enforcement to ON > instead of permissive. The reason I wasn't seeing access denials in the > audit log is because they were blocked by dontaudit rules in > userdom_unpriv_user_template. It would be nice if I could simply turn > off some of these dontaudit rules. (I know I can turn them all off with > semodule -DB) Great news ;-) I apologize that I was not responding. I was on vacation. So if you have another questions I am ready to help you. Thank you. I do have another question. I didn't realize that setting UBAC=y in the targeted policy make user_home_dir_t ubac_constrained. That means user A may not access user B's files no matter what type they are. What I'd like is some hybrid where User A's files that are tagged "don't share" can't be seen by other users, but all of User A's other files can be seen if they have the appropriate DAC ACL's. I was thinking of using audit2allow to create a policy mod that allowed access to user_home_dir_t, but if there's a better way, I'd like to hear about it. Thanks. -jeff > > -jeff > > On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker < *jeff.c.becker(a)gmail.com* <jeff.c.becker(a)gmail.com&gt; > <mailto:*jeff.c.becker@gmail.com* <jeff.c.becker(a)gmail.com&gt;&gt;&gt; wrote: > > Hi. I'm wondering if anyone has any input on this. After building > the Fedora SELinux policy with UBAC support (and rebooting), I've > created two SELinux users: {user_a role_a type_a} and {user_b role_b > type_b}, and both type_a and type_b have the ubac_constrained_type > attribute set. My understanding of UBAC led me to believe that > user_a would not have access to a file of type type_b. Similarly, > user_b would not have access to a file of type type_a. However, > these accesses are allowed. What else do I need to do to get this to > work. Thanks. > > -jeff > > On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker > <*jeff.c.becker(a)gmail.com* <jeff.c.becker(a)gmail.com&gt; <mailto: *jeff.c.becker(a)gmail.com* <jeff.c.becker(a)gmail.com&gt;&gt;&gt; wrote: > > Some progress... > > On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker > <*jeff.c.becker(a)gmail.com* <jeff.c.becker(a)gmail.com&gt; <mailto: *jeff.c.becker(a)gmail.com* <jeff.c.becker(a)gmail.com&gt;&gt;&gt; wrote: > > Hi. > > On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl > <*mgrepl(a)redhat.com* <mgrepl(a)redhat.com&gt; <mailto: *mgrepl(a)redhat.com* <mgrepl(a)redhat.com&gt;&gt;&gt; wrote: > > On 11/09/2016 08:54 PM, Jeff Becker wrote: > > Hi. I successfully compiled and loaded the following > policy file on > > RHEL7 with the latest (as of yesterday) SELinux rpms. > However, when I > > run "seinfo -tfoo_t -x", I don't see > ubac_constrained_type listed in the > > attributes. How do I enable UBAC? Thanks. > > Hi Jeff, > we don't build Fedora/RHEL distribution policy with UBAC > support. > > > I suspected that. > > > You > would need to rebuild the policy from srpms to enable it > > > I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from > *http://kojipkgs.fedoraproject.org* <http://kojipkgs.fedoraproject.org/> > <*http://kojipkgs.fedoraproject.org* <http://kojipkgs.fedoraproject.org/>>;. I figured this was close to > what I have installed > (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled UBAC in > build.conf, and built and installed the policy. When I rebooted, > I could see that ubac_constrained_type attribute was present on > several types (including my new ones that I recompiled and > loaded). However, it's not working the way I thought it should. > If I log in with SELinux user A and I try to access a file from > SELinux user B (both types have ubac_constrained_type attribute > set), I thought access would be denied, but it's not, and > nothing shows up in the audit log. Am I misunderstanding or > missing something? Thanks. > > -jeff > > > > What is your intention with UBAC? > > > My use case is that I'd like to have several file types with > associated SELinux users/roles, such that SELinux users of a > certain type cannot access files associated with another > user's type, regardless of what application is used for the > access, e.g., my foo_u user below would not be able to > access files of type bar_t (associated with SELinux user > bar_u). I need this to be under mandatory access control, so > it seems that multi category security (MCS) labels would not > work, as they are discretionary. Is there another way, e.g., > role based access control (RBAC) that could be used? Thanks. > > -jeff > > > > > > -jeff > > > > > ----------------------------- ------------------------------------------------------------ --------------------------------------------------------------------- > > > > policy_module(foo, 1.0.0) > > > > ######################################## > > # > > # Declarations > > # > > userdom_unpriv_user_template(foo) > > > > ######################################## > > # > > # foo local policy > > # > > > > domain_use_interactive_fds(foo_t) > > > > files_read_etc_files(foo_t) > > > > miscfiles_read_localization(foo_t) > > > > ubac_constrained(foo_t) > > > > > > > > _______________________________________________ > > selinux mailing list -- > *selinux(a)lists.fedoraproject.org* <selinux(a)lists.fedoraproject.org&gt; > <mailto:*selinux@lists.fedoraproject.org* <selinux(a)lists.fedoraproject.org&gt;&gt; > > To unsubscribe send an email to > *selinux-leave(a)lists.fedoraproject.org* <selinux-leave(a)lists.fedoraproject.org&gt; > <mailto:*selinux-leave@lists.fedoraproject.org* <selinux-leave(a)lists.fedoraproject.org&gt;&gt; > > > > > -- > Miroslav Grepl > Senior Software Engineer, SELinux Solutions > Red Hat, Inc. > > > > > > > > _______________________________________________ > selinux mailing list -- *selinux(a)lists.fedoraproject.org* <selinux(a)lists.fedoraproject.org&gt; > To unsubscribe send an email to *selinux-leave(a)lists.fedoraproject.org* <selinux-leave(a)lists.fedoraproject.org&gt; > -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc. _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org