using selinux to control user access to files
Hein Coulier
hein.coulier at infoco.be
Mon May 9 11:29:43 UTC 2005
thx for the feedback Stephen, but i'm still unable to succeed,
i'm also getting some strange errors, so perhaps my installed policy isn't a
good one to start with :
# rpm -qa selinux-policy-targeted-sources
selinux-policy-targeted-sources-1.17.30-2.52.1
# rpm -qa|grep -i release
redhat-release-4AS-2
What i added to the policy :
#######################################################################################
# /etc/selinux/targeted/src/policy/file_contexts/program/mytest.fc
#######################################################################################
/var/hecou/fileA user_u:object_r:typeA_t
/var/hecou/fileB user_u:object_r:typeB_t
/var/hecou/fileC user_u:object_r:typeC_t
#######################################################################################
# /etc/selinux/targeted/src/policy/domains/program/mytest.te
#######################################################################################
# define filetypes
type typeA_t, file_type;
type typeB_t, file_type;
type typeC_t, file_type;
# define domains
type domainA_t, domain, file_type;
type domainB_t, domain, file_type;
type domainC_t, domain, file_type;
allow domainA_t typeA_t:file r_file_perms;
auditallow domainB_t typeB_t:file r_file_perms;
auditallow domainC_t typeC_t:file rw_file_perms;
# junk to tackle make-errors
bool read_default_t true;
bool user_rw_usb false;
bool user_rw_noexattrfile false;
bool user_direct_mouse false;
bool user_tcp_server false;
bool user_dmesg false;
type roleA_crond_t, domain, file_type, sysadmfile;
type roleB_crond_t, domain, file_type, sysadmfile;
# create roles
full_user_role(roleA);
full_user_role(roleB);
role roleA_r types {domainA_t unconfined_t};
role roleB_r types {domainA_t domainB_t domainC_t unconfined_t};
#######################################################################################
# /etc/selinux/targeted/src/policy/users
#######################################################################################
user userA roles roleA_r;
user userB roles roleB_r;
remember, my goal was :
fileA : may be read by roleA and roleB
fileB : may only be read by roleB ; audited
fileC : may be read and changed by roleB ; audited
and i executed the following actions :
DIR="/var/hecou"
mkdir ${DIR} ; chmod 777 ${DIR}
>${DIR}/fileA ; >${DIR}/fileB ; >${DIR}/fileC ; chmod 666 ${DIR}/*
useradd userA -m
useradd userB -m
the results :
- i had to add the 'junk' part to make it 'compile'. It seems to me that
the tests on the booleans would be better 'ifdef (user_rw_usb)' instead of
'if (user_rw_usb)', but maybe I'm totally not getting the picture. I also had
to define the roleA_crond_t and roleB_crond_t.
- if i test the policy with sepcut, i get a bunch of errors of the form :
assertion on line 28135 violated by allow unconfined_t domainA_t:process {
fork sigchld sigkill sigstop signull signal ptrace getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh };
- setfiles /etc/selinux/targeted/src/policy/file_contexts/program/mytest.fc /var/hecou
returns :
setfiles: read 3 specifications
setfiles: invalid context user_u:object_r:typeA_t on line number 4
setfiles: invalid context user_u:object_r:typeB_t on line number 5
setfiles: invalid context user_u:object_r:typeC_t on line number 6
i also have a silly question, in a security context (e.g.
user_u:object_r:typeA_t), what is the meaning of user_u ?
hein
----- Original Message -----
From: "Stephen Smalley" <sds at tycho.nsa.gov>
To: "Daniel J Walsh" <dwalsh at redhat.com>
Cc: "Hein Coulier" <hein.coulier>; <fedora-selinux-list at redhat.com>
Sent: Friday, May 06, 2005 3:17 PM
Subject: Re: using selinux to control user access to files
>
> For specific data files, it should be relatively straightforward; he
> just needs to instantiate the roles via full_user_role(), define a few
> new file types for the particular data he wants to restrict, and add
> specific allow rules and auditallow rules between the new user domains
> and the new file types. I agree that a higher level language or tool
> would make life simpler, but the mechanism is certainly capable of
> supporting the need.
>
> --
> Stephen Smalley <sds at tycho.nsa.gov>
> National Security Agency
>
>
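The following is an added example, not code from the thread or from the Fedora/RHEL policy sources. It is a toy evaluator for the handful of TE statements posted above (allow, auditallow and role declarations), and it answers the question the poster's goal list asks: may a given role access a given file type with a given permission, and would that access be audited? One point it makes visible is a SELinux rule that is easy to miss: an auditallow statement never grants anything by itself; it only asks the kernel to log an access that some allow rule already permits. Two rule sets are embedded as constructed input: a copy of the posted rules, and a variant that pairs each auditallow with a matching allow. Assumptions: the contents of r_file_perms and rw_file_perms are approximated with a short hard-coded list, and the rules that make unconfined_t unrestricted live elsewhere in the base policy and are not modelled here, so the evaluator only reflects the rules written in the post.

```python
"""Toy evaluator for the subset of SELinux TE syntax used in the post.

Added example, not part of the original thread. Handles only:
  allow / auditallow  <src> <tgt>:<class> <perm | {perms}>;
  role <name> types {<domains>};
Everything else (type, bool, macros such as full_user_role) is ignored.
"""
import re

# Assumption: the real macros grant more permissions than listed here;
# this approximation is enough to demonstrate the evaluation.
PERM_MACROS = {
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "rw_file_perms": {"read", "getattr", "lock", "ioctl", "write", "append"},
}

RULE_RE = re.compile(r"^(allow|auditallow)\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+\{([^}]*)\};")


def expand(perms):
    """Expand a permission spec ('r_file_perms' or '{ read write }') to a set."""
    perms = perms.strip()
    names = perms.strip("{}").split() if perms.startswith("{") else [perms]
    out = set()
    for name in names:
        out |= PERM_MACROS.get(name, {name})
    return out


def parse_policy(text):
    """Return (allow_table, auditallow_table, roles) from TE source text."""
    allow, audit, roles = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            table = allow if kind == "allow" else audit
            table.setdefault((src, tgt, cls), set()).update(expand(perms))
            continue
        m = ROLE_RE.match(line)
        if m:
            roles[m.group(1)] = set(m.group(2).split())
    return allow, audit, roles


def check(policy, role, file_type, perm, cls="file"):
    """Return (granted, audited) for a role asking for perm on file_type.

    Access is granted if any domain the role may enter has an allow rule.
    An auditallow rule only marks an already-granted access for logging;
    on its own it grants nothing, which is why the posted policy as written
    gives roleB no read access to typeB_t at all.
    Note: unconfined_t is in every role here, but its (unrestricted) rules
    come from the base policy and are deliberately not modelled.
    """
    allow, audit, roles = policy
    granted = audited = False
    for domain in roles.get(role, ()):
        if perm in allow.get((domain, file_type, cls), set()):
            granted = True
            if perm in audit.get((domain, file_type, cls), set()):
                audited = True
    return granted, audited


# Constructed copy of the rules as posted.
ORIGINAL_RULES = """
allow domainA_t typeA_t:file r_file_perms;
auditallow domainB_t typeB_t:file r_file_perms;
auditallow domainC_t typeC_t:file rw_file_perms;
role roleA_r types {domainA_t unconfined_t};
role roleB_r types {domainA_t domainB_t domainC_t unconfined_t};
"""

# Constructed variant: every auditallow is paired with a matching allow.
PAIRED_RULES = """
allow domainA_t typeA_t:file r_file_perms;
allow domainB_t typeB_t:file r_file_perms;
auditallow domainB_t typeB_t:file r_file_perms;
allow domainC_t typeC_t:file rw_file_perms;
auditallow domainC_t typeC_t:file rw_file_perms;
role roleA_r types {domainA_t unconfined_t};
role roleB_r types {domainA_t domainB_t domainC_t unconfined_t};
"""

# The poster's goals, as (role, file type, permission) queries.
GOALS = [("roleA_r", "typeA_t", "read"), ("roleB_r", "typeA_t", "read"),
         ("roleA_r", "typeB_t", "read"), ("roleB_r", "typeB_t", "read"),
         ("roleB_r", "typeC_t", "write")]

if __name__ == "__main__":
    for label, text in (("as posted", ORIGINAL_RULES), ("paired", PAIRED_RULES)):
        policy = parse_policy(text)
        for role, ftype, perm in GOALS:
            print(f"{label:9} {role} {perm:5} {ftype}: "
                  f"granted={check(policy, role, ftype, perm)[0]} "
                  f"audited={check(policy, role, ftype, perm)[1]}")
```

Running it shows that with the rules as posted only the roleA/roleB read of typeA_t is granted (via domainA_t); the typeB_t and typeC_t accesses come back as not granted and therefore also not audited, while the paired variant grants them and flags them for auditing, matching the stated goals. The evaluator is only a reading aid for the rules on the page; the loaded policy on the box is what the kernel enforces.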