CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Support for security such as Firewalls and securing linux
Post Reply
lumip
Posts: 3
Joined: 2018/03/15 17:35:20

CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Post by lumip » 2018/03/15 19:29:49

Running CentOS7 64bit with SELinux in enforcing mode in targeted policy, I noticed that a file that is assigned to a certain SELinux MCS (Multi Category Security) category can be read by a user who is not assigned to that category, indicating that MCS isn't working properly.

More specifically, I have users

Code: Select all

Login Name | SELinux User | MLS/MCS Range
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123
with

Code: Select all

mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r
and a file

Code: Select all

-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext

I would expect that user jane is unable to read the file since she is not member of the c122 category. However, running cat johntext as jane prints the contents of the file without problem. This indicates to me that MCS rules are not adhered to.

I tested the same setup on CentOS 6.9, where everything behaves as I would expect (i.e., invoking cat johntext as jane results in a permssion denied error).

Since I was unable to find documentation on a major change in policy/configuration regarding SELinux from version 6.9 to 7, I am somewhat confused by this. Am I making an obvious mistake or is this a bug?

I posted a more verbose version of this question already on serverfault.com, in case a more detailed listing of my steps is required: https://serverfault.com/questions/90157 ... categories

User avatar
TrevorH
Forum Moderator
Posts: 24117
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Post by TrevorH » 2018/03/15 19:40:54

I don't think there are too many selinux experts that hang out here. You're probably better off using the selinux mailing list as the people that write the policies etc all read that.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

lumip
Posts: 3
Joined: 2018/03/15 17:35:20

Re: CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Post by lumip » 2018/03/16 10:32:41

Alright, I will do that, thank you!

[Edit:] Can you maybe point me to the right mailing list for that? I found an SELinux mailing list by NSA [0] which seems to be for development purposes and OS/distribution-unspecific and an Fedora SELinux mailing list [1]. It seems that none of these is a place where I should dump problems with SELinux in CentOS, or should I? Is there also a CentOS SELinux mailing somewhere that I didn't find (I checked google and https://lists.centos.org/mailman/listinfo ). Sorry, I'm not that familiar with mailing list "usage policies" and don't want to annoy the wrong people unduly...

[0]: https://www.nsa.gov/what-we-do/research ... list.shtml
[1]: https://lists.fedoraproject.org/admin/l ... oject.org/

User avatar
TrevorH
Forum Moderator
Posts: 24117
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Post by TrevorH » 2018/03/16 11:07:41

The Fedora one is the one I always use as the same Redhat people there maintain the RHEL versions.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

lumip
Posts: 3
Joined: 2018/03/15 17:35:20

Re: CentOS7 SELinux doesn't seem to adhere to MCS categories (while CentOS6 does)

Post by lumip » 2018/03/23 23:35:42

Thanks again for the advice. I mailed to the list and summarize the response I got below:

Apparently there was a change in SELinux policies from CentOS6 to CentOS7 such that MCS constraints are not applied to all types anymore. For a given type to adhere to MCS, the mcs_constrained_type attribute has to be added to that type via a custom policy.
More details on how to do that (and which types are MCS constrained by default (and why)) can be found in a blog post by Dan Walsh.

Post Reply