Hi. I successfully compiled and loaded the following policy file on RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the attributes. How do I enable UBAC? Thanks.
-jeff
--------------------------------------------------------------------------------------------------------------------------------------------------------------
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#
userdom_unpriv_user_template(foo)

########################################
#
# foo local policy
#

domain_use_interactive_fds(foo_t)

files_read_etc_files(foo_t)

miscfiles_read_localization(foo_t)

ubac_constrained(foo_t)
On 11/09/2016 08:54 PM, Jeff Becker wrote:
Hi. I successfully compiled and loaded the following policy file on RHEL7 with the latest (as of yesterday) SELinux rpms. However, when I run "seinfo -tfoo_t -x", I don't see ubac_constrained_type listed in the attributes. How do I enable UBAC? Thanks.
Hi Jeff, we don't build Fedora/RHEL distribution policy with UBAC support. You would need to rebuild the policy from srpms to enable it.
What is your intention with UBAC?
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Hi.
On Thu, Nov 10, 2016 at 5:25 AM, Miroslav Grepl mgrepl@redhat.com wrote:
Hi Jeff, we don't build Fedora/RHEL distribution policy with UBAC support.
I suspected that.
You would need to rebuild the policy from srpms to enable it.
What is your intention with UBAC?
My use case is that I'd like to have several file types with associated SELinux users/roles, such that SELinux users of a certain type cannot access files associated with another user's type, regardless of what application is used for the access, e.g., my foo_u user below would not be able to access files of type bar_t (associated with SELinux user bar_u). I need this to be under mandatory access control, so it seems that multi category security (MCS) labels would not work, as they are discretionary. Is there another way, e.g., role based access control (RBAC) that could be used? Thanks.
-jeff
-- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.
Some progress...
On Thu, Nov 10, 2016 at 8:48 AM, Jeff Becker jeff.c.becker@gmail.com wrote:
You would need to rebuild the policy from srpms to enable it
I grabbed selinux-policy-3.13.1-103.fc22.src.rpm from http://kojipkgs.fedoraproject.org. I figured this was close to what I have installed (selinux-policy-3.13.1-102.el7_3.4.noarch). I enabled UBAC in build.conf, and built and installed the policy. When I rebooted, I could see that ubac_constrained_type attribute was present on several types (including my new ones that I recompiled and loaded). However, it's not working the way I thought it should. If I log in with SELinux user A and I try to access a file from SELinux user B (both types have ubac_constrained_type attribute set), I thought access would be denied, but it's not, and nothing shows up in the audit log. Am I misunderstanding or missing something? Thanks.
-jeff
Hi. I'm wondering if anyone has any input on this. After building the Fedora SELinux policy with UBAC support (and rebooting), I've created two SELinux users: {user_a role_a type_a} and {user_b role_b type_b}, and both type_a and type_b have the ubac_constrained_type attribute set. My understanding of UBAC led me to believe that user_a would not have access to a file of type type_b. Similarly, user_b would not have access to a file of type type_a. However, these accesses are allowed. What else do I need to do to get this to work? Thanks.
-jeff
On Fri, Nov 11, 2016 at 4:29 PM, Jeff Becker jeff.c.becker@gmail.com wrote:
I finally got to see this work by turning SELinux enforcement to ON instead of permissive. The reason I wasn't seeing access denials in the audit log is because they were blocked by dontaudit rules in userdom_unpriv_user_template. It would be nice if I could simply turn off some of these dontaudit rules. (I know I can turn them all off with semodule -DB)
-jeff
On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker jeff.c.becker@gmail.com wrote:
On 11/22/2016 02:08 AM, Jeff Becker wrote:
I finally got to see this work by turning SELinux enforcement to ON instead of permissive. The reason I wasn't seeing access denials in the audit log is because they were blocked by dontaudit rules in userdom_unpriv_user_template. It would be nice if I could simply turn off some of these dontaudit rules. (I know I can turn them all off with semodule -DB)
Great news ;-)
I apologize that I was not responding. I was on vacation. So if you have any other questions I am ready to help you.
Thank you.
Hi,
On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl mgrepl@redhat.com wrote:
I do have another question. I didn't realize that setting UBAC=y in the targeted policy makes user_home_dir_t ubac_constrained. That means user A may not access user B's files no matter what type they are. What I'd like is some hybrid where User A's files that are tagged "don't share" can't be seen by other users, but all of User A's other files can be seen if they have the appropriate DAC ACLs.
I was thinking of using audit2allow to create a policy mod that allowed access to user_home_dir_t, but if there's a better way, I'd like to hear about it. Thanks.
-jeff
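The two behaviours Jeff reports above (a cross-user access that is denied under enforcing but invisible in the audit log because of dontaudit rules, and a home directory that becomes off-limits wholesale once user_home_dir_t carries ubac_constrained_type) both follow from how a UBAC constraint composes with type enforcement, enforcing/permissive mode and dontaudit. The Python below is an added toy model written for this page; it is not code from the thread, from the reference policy or from Red Hat. The constraint it implements is a simplification of refpolicy's ubac.te (same SELinux user, or not both types ubac_constrained, or a system_u exemption), the permission granularity is collapsed to a single "may read files of this type" pair, and the type names shared_t, the allow pairs and the dontaudit pair are constructed for the scenario. Consult ubac.te in the policy version you rebuilt for the exact constraint and the classes and permissions it covers.

```python
# Added example: toy model of how a UBAC constraint, TE allow rules,
# enforcing/permissive mode and dontaudit rules combine into the two answers
# an admin actually sees: "was the access granted?" and "was it logged?".
# Not the reference policy's code; the constraint is a simplification of
# refpolicy ubac.te and all type names below other than user_home_t are made up.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """A security context user:role:type (the MLS/MCS range is omitted)."""
    user: str
    role: str
    type: str


@dataclass
class Policy:
    # types carrying the ubac_constrained_type attribute (constructed set)
    ubac_constrained: set
    # TE allow rules as (source_type, target_type); a real policy is per
    # class and permission, here collapsed to "may read files of that type"
    allow: set = field(default_factory=set)
    # dontaudit rules, same shape; these hide denials from the audit log
    dontaudit: set = field(default_factory=set)
    # SELinux users the constraint exempts (system_u in refpolicy)
    exempt_users: set = field(default_factory=lambda: {"system_u"})
    enforcing: bool = True


def ubac_permits(policy, subj, obj):
    """Simplified UBAC constraint: it only bites when BOTH types are constrained."""
    if subj.type not in policy.ubac_constrained or obj.type not in policy.ubac_constrained:
        return True
    if subj.user in policy.exempt_users or obj.user in policy.exempt_users:
        return True
    return subj.user == obj.user


def check_access(policy, subj, obj):
    """Return (granted, audited).

    TE must allow the pair and the constraint must pass, otherwise the access
    is a denial. A denial is written to the audit log unless a dontaudit rule
    covers the pair; dontaudit suppresses the record even when it was the
    constraint, not TE, that denied. Permissive mode grants the access anyway
    but does not change logging, so permissive plus dontaudit shows nothing.
    """
    te_ok = (subj.type, obj.type) in policy.allow
    denied = not (te_ok and ubac_permits(policy, subj, obj))
    audited = denied and (subj.type, obj.type) not in policy.dontaudit
    granted = (not denied) or (not policy.enforcing)
    return granted, audited


def disable_dontaudit(policy):
    """Model of 'semodule -DB': rebuild with every dontaudit rule dropped."""
    policy.dontaudit = set()
    return policy


def thread_scenario():
    """Replay the situations from the thread; returns name -> (granted, audited)."""
    a = Context("user_a", "role_a", "type_a")
    b_home = Context("user_b", "object_r", "user_home_t")
    b_shared = Context("user_b", "object_r", "shared_t")   # constructed type

    # Constructed policy: both user domains may read home and shared files,
    # user_home_t is ubac_constrained (what UBAC=y produced), and the user
    # template carries a dontaudit for reads of other users' home content.
    pol = Policy(
        ubac_constrained={"type_a", "type_b", "user_home_t"},
        allow={("type_a", "user_home_t"), ("type_a", "shared_t"),
               ("type_b", "user_home_t"), ("type_b", "shared_t")},
        dontaudit={("type_a", "user_home_t")},
        enforcing=False,
    )
    results = {}
    # 1. permissive + dontaudit: the access works and nothing is logged
    results["permissive_hidden"] = check_access(pol, a, b_home)
    # 2. enforcing + dontaudit: denied, and still nothing in the audit log
    pol.enforcing = True
    results["enforcing_hidden"] = check_access(pol, a, b_home)
    # 3. enforcing after semodule -DB: denied and now logged
    disable_dontaudit(pol)
    results["enforcing_logged"] = check_access(pol, a, b_home)
    # 4. same SELinux user: the constraint passes
    results["own_home"] = check_access(pol, Context("user_b", "role_b", "type_b"), b_home)
    # 5. hybrid: shared_t is NOT ubac_constrained, so a cross-user read falls
    #    through to TE (and, on a real system, DAC) while user_home_t stays private
    results["shared_cross_user"] = check_access(pol, a, b_shared)
    return results


if __name__ == "__main__":
    for name, (granted, audited) in thread_scenario().items():
        print(f"{name:20s} granted={granted} audited={audited}")
```

The model makes the practical point concrete: in permissive mode a constraint violation is only visible if nothing dontaudits it, so the quickest way to confirm UBAC is doing anything is to test under enforcing, or to rebuild with `semodule -DB` first and look for the AVC. For the hybrid Jeff wants, the lever is the attribute itself: only the types meant to be private carry ubac_constrained_type, and everything else is left to TE and DAC, which means a custom file type for the "don't share" files rather than an audit2allow module that punches through user_home_dir_t.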
Hi Jeff,
Have you considered using categories? Assigning a category per-user or user group might give you the control you need.
Cheers
Phil
From: Jeff Becker jeff.c.becker@gmail.com To: Miroslav Grepl mgrepl@redhat.com Cc: selinux@lists.fedoraproject.org Date: 30/11/2016 06:28 Subject: Re: user based access control
Hi Philip,
On Tue, Nov 29, 2016 at 2:16 PM, Philip Seeley pseeley@au1.ibm.com wrote:
Hi Jeff,
Have you considered using categories? Assigning a category per-user or user group might give you the control you need.
Actually that was the first thing I considered, but then I found out that they are a discretionary access control mechanism (please correct me if I'm mistaken - this was from "A Brief Introduction to Multi-Category Security (MCS) by James Morris" (2005)). We need mandatory access control.
Thanks.
-jeff
I have another question. As you know I built the targeted policy with UBAC=y. Now I'm trying to make it so that user_home_dir_t and user_home_t are exempt from ubac, as I really only want to use it for specially tagged files. I compiled and loaded the following module, but it still prevents access to files of type user_home_t. Any suggestions? Thanks.
-jeff
========================================================================
policy_module(myubac, 1.0.0)

require {
	type user_home_t;
	type user_home_dir_t;
}

# Mark the home directory types as exempt from the UBAC constraint
ubac_file_exempt(user_home_t)
ubac_file_exempt(user_home_dir_t)
On Tue, Nov 29, 2016 at 1:35 AM, Miroslav Grepl <mgrepl@redhat.com> wrote:
> On 11/22/2016 02:08 AM, Jeff Becker wrote:
>> I finally got to see this work by turning SELinux enforcement to ON instead of permissive. The reason I wasn't seeing access denials in the audit log is that they were blocked by dontaudit rules in userdom_unpriv_user_template. It would be nice if I could simply turn off some of these dontaudit rules. (I know I can turn them all off with semodule -DB.)
>
> Great news ;-)
>
> I apologize that I was not responding. I was on vacation. So if you have any other questions I am ready to help you.

Thank you.

-jeff
On Mon, Nov 14, 2016 at 12:45 PM, Jeff Becker <jeff.c.becker@gmail.com> wrote:
> [...]
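The three observations in this thread (cross-user access apparently allowed with nothing in the audit log, then denied once enforcing was switched on, and the hope that ubac_file_exempt takes a type back out of the constraint) all come down to how an SELinux access decision is assembled: type enforcement first, then constraints, then the permissive-mode and dontaudit handling of a denial. The following is an added example written for this page, not code from the thread and not refpolicy source; it models that evaluation in Python over a constructed toy policy. Its constraint clauses are a simplified reading of UBAC: the system_u exemption and the 'ubacfile' attribute (what the model pretends ubac_file_exempt() adds) are assumptions of the model and have not been checked against refpolicy's constraint text.

```python
"""Toy model of an SELinux access decision under a UBAC-style constraint.

Added example for this thread, not refpolicy source.  The constraint
clauses are a simplified reading of UBAC; the system_u exemption and the
'ubacfile' attribute (what the model pretends ubac_file_exempt() adds)
are assumptions of this model, not verified against refpolicy's text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type (MLS/MCS range omitted)."""
    user: str
    role: str
    type_: str


@dataclass(frozen=True)
class Decision:
    granted: bool  # did the access go through?
    audited: bool  # would an AVC record appear in the audit log?
    reason: str


class ToyPolicy:
    def __init__(self, attrs, allow, dontaudit):
        self.attrs = attrs          # type -> set of attribute names
        self.allow = allow          # {(src_type, tgt_type, class, perm)}
        self.dontaudit = dontaudit  # same shape: denials to keep quiet

    def has(self, type_, attr):
        return attr in self.attrs.get(type_, ())

    def ubac_permits(self, src, tgt):
        """Evaluate the UBAC-style constraint; returns (ok, reason)."""
        if src.user == tgt.user:
            return True, "u1 == u2"
        if not (self.has(src.type_, "ubac_constrained_type")
                and self.has(tgt.type_, "ubac_constrained_type")):
            return True, "a type lacks ubac_constrained_type"
        if "system_u" in (src.user, tgt.user):  # assumption of this model
            return True, "system_u on one side"
        if self.has(tgt.type_, "ubacfile"):     # assumption of this model
            return True, "object type carries the exemption attribute"
        return False, "UBAC: users differ and both types are constrained"

    def decide(self, src, tgt, cls, perm, enforcing=True):
        """TE first; a constraint can only remove what an allow rule granted."""
        key = (src.type_, tgt.type_, cls, perm)
        if key not in self.allow:
            why = "no allow rule"
        else:
            ok, why = self.ubac_permits(src, tgt)
            if ok:
                return Decision(True, False, why)
        # Denied.  Permissive mode lets it through anyway, and a dontaudit
        # rule hides the AVC record in both modes, so a constrained access
        # can look as if it simply worked.
        quiet = key in self.dontaudit
        return Decision(granted=not enforcing, audited=not quiet, reason=why)


# Constructed sample state mirroring the thread: two users with their own
# constrained types, an unconstrained etc_t, and user_home_t carrying the
# (assumed) exemption attribute.
POLICY = ToyPolicy(
    attrs={
        "type_a": {"ubac_constrained_type"},
        "type_b": {"ubac_constrained_type"},
        "user_home_t": {"ubac_constrained_type", "ubacfile"},
        "etc_t": set(),
    },
    allow={
        ("type_a", "type_b", "file", "read"),
        ("type_a", "user_home_t", "file", "read"),
        ("type_a", "etc_t", "file", "read"),
    },
    # stands in for the dontaudit rules userdom_unpriv_user_template pulls in
    dontaudit={("type_a", "type_b", "file", "read")},
)

USER_A = Context("user_a", "role_a", "type_a")
B_FILE = Context("user_b", "object_r", "type_b")
B_HOME = Context("user_b", "object_r", "user_home_t")
ETC = Context("system_u", "object_r", "etc_t")


def scenarios(policy=POLICY):
    """The situations discussed in the thread, as one dict of decisions."""
    loud = ToyPolicy(policy.attrs, policy.allow, dontaudit=set())  # semodule -DB
    return {
        "permissive": policy.decide(USER_A, B_FILE, "file", "read", enforcing=False),
        "permissive_DB": loud.decide(USER_A, B_FILE, "file", "read", enforcing=False),
        "enforcing": policy.decide(USER_A, B_FILE, "file", "read"),
        "same_user": policy.decide(USER_A, Context("user_a", "object_r", "type_b"), "file", "read"),
        "unconstrained": policy.decide(USER_A, ETC, "file", "read"),
        "exempt_home": policy.decide(USER_A, B_HOME, "file", "read"),
        "no_allow": policy.decide(USER_A, B_FILE, "file", "write"),
    }


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:14} granted={d.granted!s:5} audited={d.audited!s:5} {d.reason}")
```

Running it prints one row per scenario: "permissive" is the Nov 11 symptom (access goes through, nothing audited), "enforcing" is the Nov 22 result (denied, still nothing audited because of the dontaudit), and the empty dontaudit set in "permissive_DB" stands in for semodule -DB, which is the only way in this model to make the suppressed denial visible. The "exempt_home" row shows where an exemption clause would have to sit for ubac_file_exempt to have the intended effect; whether the real constraint honours that attribute for a given class and permission is exactly what the last question in the thread asks.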