Hello,
I have trouble understanding how MCS labels work: they are not being enforced on my RHEL7 system even though SELinux is "enforcing" and the policy used is "targeted". I don't think I should be able to access those files:
backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3  /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
backup@test ~ $ id
uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1

root@test ~ # getenforce
Enforcing

I can still access them even though they have different labels (c3 and c99 as opposed to my user having c1).

backup@test ~ $ cat /tmp/accounts-users
domenico balance: -30
backup@test ~ $ cat /tmp/accounts-admin
don't lend money to domenico
Am I missing something?
More info:

# semanage user -l
SELinux User    Prefix    MCS Level    MCS Range        SELinux Roles
guest_u         user      s0           s0-s0:c0.c10     guest_r

# semanage login -l
Login Name      SELinux User    MLS/MCS Range    Service
__default__     user_u          s0               *
backup          guest_u         s0:c1            *
Regards, Mario R
On 09/16/2015 04:36 PM, Mario Rosic wrote:
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
That's correct. Only some types are MCS aware in targeted policy by default.
See
$ seinfo -xamcs_constrained_type
So in your case if you create a local policy like
$ cat mymcs.te
policy_module(mymcs,1.0)

require {
    type guest_t;
}

mcs_constrained(guest_t)

then you will get the expected behaviour.
They are only confined on certain domains.
seinfo -amcs_constrained_type -x
   mcs_constrained_type
      netlabel_peer_t
      docker_apache_t
      openshift_t
      openshift_app_t
      sandbox_min_t
      sandbox_x_t
      sandbox_web_t
      sandbox_net_t
      svirt_t
      svirt_tcg_t
      svirt_lxc_net_t
      svirt_qemu_net_t
      svirt_kvm_net_t
If you add this attribute to a type it will start enforcing it.
Adding a policy like this will confine guest_t
policy_module(mymcs, 1.0)

gen_require(`
    type guest_t;
')

typeattribute guest_t mcs_constrained_type;
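The rule both replies describe, as an added illustration in Python (not code from the thread or from the policy sources): the category comparison is only applied to domains carrying mcs_constrained_type, which is why guest_t at s0:c1 could read the c3 and c99 files and why the local module changes the outcome. The contexts are the ones from the listing; the attribute set is a constructed subset of the seinfo output, and "dominates" is modelled as "the file's categories are a subset of the domain's high-level categories" (sensitivity is always s0 under MCS).

```python
# Added illustration, not code from the thread: a model of the MCS read check
# for the contexts in the listing. Per the replies, the targeted policy
# applies the category comparison only to domains carrying the
# mcs_constrained_type attribute; for every other domain categories are ignored.

def parse_categories(level):
    """Expand the category part of 's0:c1', 's0:c0.c10' or 's0:c1,c99' into
    a set of ints. A bare 's0' carries no categories."""
    if ":" not in level:
        return set()
    cats = set()
    for item in level.split(":", 1)[1].split(","):
        if "." in item:                      # range like c0.c10
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:                                # single category like c3
            cats.add(int(item[1:]))
    return cats

def high_level(rng):
    """High end of a 'low-high' range such as 's0-s0:c0.c10'; a single level is its own high."""
    return rng.split("-", 1)[1] if "-" in rng else rng

def mcs_read_allowed(proc_ctx, file_ctx, constrained_types):
    """True if MCS lets the process read the file. The type is the third
    context field; the domain must dominate (hold a superset of the
    categories of) the file's level, but only when the domain is constrained."""
    ptype, prange = proc_ctx.split(":", 3)[2:]
    ftype, frange = file_ctx.split(":", 3)[2:]
    if ptype not in constrained_types:
        return True   # not MCS-constrained: categories play no role here
    return parse_categories(high_level(frange)) <= parse_categories(high_level(prange))

# Constructed inputs copied from the listing in the thread.
PROC = "guest_u:guest_r:guest_t:s0:c1"
FILES = {
    "/tmp/accounts-admin": "guest_u:object_r:user_tmp_t:s0:c3",
    "/tmp/accounts-users": "guest_u:object_r:user_tmp_t:s0:c99",
}
DEFAULT_CONSTRAINED = {"svirt_t", "sandbox_x_t", "openshift_t"}  # a few of the seinfo entries
AFTER_MODULE = DEFAULT_CONSTRAINED | {"guest_t"}  # effect of: typeattribute guest_t mcs_constrained_type;

def decisions(constrained_types):
    """Map each file to whether PROC may read it under the given attribute set."""
    return {path: mcs_read_allowed(PROC, ctx, constrained_types) for path, ctx in FILES.items()}

if __name__ == "__main__":
    print("default targeted policy:", decisions(DEFAULT_CONSTRAINED))  # both True, as observed
    print("with mymcs module:      ", decisions(AFTER_MODULE))         # both False
```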
On 09/16/2015 10:36 AM, Mario Rosic wrote:
I wrote a more detailed blog on this.
http://danwalsh.livejournal.com/73416.html
On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
Thank you very much @Daniel Walsh & Miroslav Grepl!
It would be very nice if we had this information in the official RHEL7 documentation. I think I studied it thoroughly and still I lost a lot of time because I expected MCS to work out of the box for SELinux Users that I create.
On 2015-09-16 at 23:33, Daniel J Walsh wrote:
On 09/17/2015 10:56 AM, Mario Rosic wrote:
That's a good point. You can open a new bug with this request, if possible.
Thank you.