using selinux to control user access to files

Hein Coulier hein.coulier at infoco.be
Mon May 9 11:29:43 UTC 2005


thx for the feedback Stephen, but I'm still unable to succeed. I'm also
getting some strange errors, so perhaps my installed policy isn't a good one
to start with:
# rpm -qa selinux-policy-targeted-sources
selinux-policy-targeted-sources-1.17.30-2.52.1

# rpm -qa|grep -i release
redhat-release-4AS-2



What I added to the policy:

#######################################################################################
# /etc/selinux/targeted/src/policy/file_contexts/program/mytest.fc
#######################################################################################

/var/hecou/fileA               user_u:object_r:typeA_t
/var/hecou/fileB               user_u:object_r:typeB_t
/var/hecou/fileC               user_u:object_r:typeC_t



#######################################################################################
# /etc/selinux/targeted/src/policy/domains/program/mytest.te
#######################################################################################

# define filetypes
type typeA_t, file_type;
type typeB_t, file_type;
type typeC_t, file_type;

# define domains
type domainA_t, domain, file_type;
type domainB_t, domain, file_type;
type domainC_t, domain, file_type;

allow       domainA_t     typeA_t:file r_file_perms;
auditallow  domainB_t     typeB_t:file r_file_perms;
auditallow  domainC_t     typeC_t:file rw_file_perms;

# junk to tackle make-errors
bool read_default_t true;
bool user_rw_usb false;
bool user_rw_noexattrfile false;
bool user_direct_mouse false;
bool user_tcp_server false;
bool user_dmesg false;
type roleA_crond_t, domain, file_type, sysadmfile;
type roleB_crond_t, domain, file_type, sysadmfile;

# create roles
full_user_role(roleA);
full_user_role(roleB);
role roleA_r types {domainA_t unconfined_t};
role roleB_r types {domainA_t domainB_t domainC_t unconfined_t};



#######################################################################################
# /etc/selinux/targeted/src/policy/users
#######################################################################################

user userA   roles roleA_r;
user userB   roles roleB_r;



Remember, my goal was:

fileA : may be read by roleA and roleB
fileB : may only be read by roleB ; audited
fileC : may be read and changed by roleB ; audited



and I executed the following actions:

DIR="/var/hecou"
mkdir ${DIR} ; chmod 777 ${DIR}
>${DIR}/fileA ; >${DIR}/fileB ; >${DIR}/fileC ; chmod 666 ${DIR}/*
useradd userA -m
useradd userB -m





The results:

- I had to add the 'junk' part to make it 'compile'.  It seems to me that
the tests on the booleans would be better 'ifdef (user_rw_usb)' instead of
'if (user_rw_usb)', but maybe I'm totally not getting the picture.  I also had
to define the roleA_crond_t and roleB_crond_t.

- If I test the policy with sepcut, I get a bunch of errors of the form:

assertion on line 28135 violated by allow unconfined_t domainA_t:process {
fork sigchld sigkill sigstop signull signal ptrace getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh };

- setfiles /etc/selinux/targeted/src/policy/file_contexts/program/mytest.fc /var/hecou
returns:

setfiles:  read 3 specifications
setfiles:  invalid context user_u:object_r:typeA_t on line number 4
setfiles:  invalid context user_u:object_r:typeB_t on line number 5
setfiles:  invalid context user_u:object_r:typeC_t on line number 6

I also have a silly question: in a security context (e.g.
user_u:object_r:typeA_t), what is the meaning of user_u?

hein

----- Original Message ----- 
From: "Stephen Smalley" <sds at tycho.nsa.gov>
To: "Daniel J Walsh" <dwalsh at redhat.com>
Cc: "Hein Coulier" <hein.coulier>; <fedora-selinux-list at redhat.com>
Sent: Friday, May 06, 2005 3:17 PM
Subject: Re: using selinux to control user access to files
>
> For specific data files, it should be relatively straightforward; he
> just needs to instantiate the roles via full_user_role(), define a few
> new file types for the particular data he wants to restrict, and add
> specific allow rules and auditallow rules between the new user domains
> and the new file types.  I agree that a higher level language or tool
> would make life simpler, but the mechanism is certainly capable of
> supporting the need.
>
> -- 
> Stephen Smalley <sds at tycho.nsa.gov>
> National Security Agency
>
>
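As an added example, not part of Hein's post or of the Fedora policy sources, here is the stated goal written as allow rules paired with auditallow rules: auditallow only logs accesses that an allow rule already grants and never grants anything on its own, so a file protected only by auditallow stays unreadable. It assumes the 1.x example-policy macro full_user_role(roleA) creates the user domain roleA_t and the role roleA_r (likewise for roleB), and that the rebuilt policy is loaded into the kernel before setfiles is run against the new file contexts.

```selinux
# mytest.te (added example). Assumed: full_user_role(X) defines domain X_t and role X_r.
full_user_role(roleA)
full_user_role(roleB)

# Data file types only: a type for files must not also carry the 'domain' attribute,
# and no separate domainA_t/domainB_t/domainC_t types are needed.
type typeA_t, file_type, sysadmfile;
type typeB_t, file_type, sysadmfile;
type typeC_t, file_type, sysadmfile;

# fileA: readable by both roles, not audited.
allow roleA_t typeA_t:file r_file_perms;
allow roleB_t typeA_t:file r_file_perms;

# fileB: readable by roleB only, every granted read audited.
# auditallow does not grant access; the allow rule must be present as well.
allow      roleB_t typeB_t:file r_file_perms;
auditallow roleB_t typeB_t:file r_file_perms;

# fileC: read and write by roleB only, every granted access audited.
allow      roleB_t typeC_t:file rw_file_perms;
auditallow roleB_t typeC_t:file rw_file_perms;

# roleA_t has no rule at all for typeB_t or typeC_t, so its attempts are denied
# and show up as AVC denials in the audit log without any extra rule.

# mytest.fc (added example). A context is user:role:type; the first field is the
# SELinux user identity, and file_contexts entries conventionally use system_u.
/var/hecou/fileA    system_u:object_r:typeA_t
/var/hecou/fileB    system_u:object_r:typeB_t
/var/hecou/fileC    system_u:object_r:typeC_t

# users (added example): map the Linux accounts to the roles full_user_role created.
user userA roles roleA_r;
user userB roles roleB_r;

# Order of operations: build and load the policy first, then run setfiles.
# setfiles validates each context against the policy loaded in the kernel, so
# types that are not yet loaded are rejected as "invalid context".
```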