红帽全球峰会6.10. Allowing MLS users to edit files on lower levels
By default, MLS users cannot write to files which have a sensitivity level below the lower value of the clearance range. If your scenario requires allowing users to edit files on lower levels, you can do so by creating a local SELinux module. However, writing to a file will increase its sensitivity level to the lower value of the user’s current range.
Prerequisites
-
The SELinux policy is set to
mls. -
The SELinux mode is set to
enforcing. -
The
policycoreutils-python-utilspackage is installed. -
The
setools-consoleandauditpackages for verification.
Procedure
Optional: Switch to permissive mode for easier troubleshooting.
# setenforce 0Open a new
.cilfile with a text editor, for example~/local_mlsfilewrite.cil, and insert the following custom rule:(typeattributeset mlsfilewrite (_staff_t_))You can replace
staff_twith a different SELinux type. By specifying SELinux type here, you can control which SELinux roles can edit lower-level files.To keep your local modules better organized, use the
local_prefix in the names of local SELinux policy modules.Install the policy module:
# semodule -i ~/local_mlsfilewrite.cil注意To remove the local policy module, use
semodule -r ~/local_mlsfilewrite. Note that you must refer to the module name without the.cilsuffix.Optional: If you previously switched back to permissive mode, return to enforcing mode:
# setenforce 1
Verification
Find the local module in the list of installed SELinux modules:
# semodule -lfull | grep "local_mls" 400 local_mlsfilewrite cilBecause local modules have priority
400, you can list them also by using thesemodule -lfull | grep -v ^100command.-
Log in as a user assigned to the type defined in the custom rule, for example,
staff_t. Attempt to write to a file with a lower sensitivity level. This increases the file’s classification level to the user’s clearance level.
重要The files you use for verification should not contain any sensitive information in case the configuration is incorrect and the user actually can access the files without authorization.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}