SELinux confined users and MCS benefits

With SELinux it is possible to confine not only system processes (which is how SELinux is used by default in Fedora, CentOS and Red Hat Enterprise Linux) but also Linux users. We call this feature SELinux confined users. The SELinux policy shipped in RHEL and Fedora delivers several predefined SELinux users:

  • sysadm_u – SELinux user for confined administrators; many of the allowed actions are audited
  • staff_u – SELinux user for standard users who can run “sudo” for administrative actions
  • user_u – SELinux user for standard users; no “sudo”, X Window System allowed
  • guest_u – restricted SELinux user; neither X Window System nor networking allowed

Confined SELinux users are a powerful feature for limiting what a user's processes can do, not only in production environments but also on personal systems. I also use SELinux users on my development machine. To learn more about confined users, please see the official Red Hat SELinux guide.

MCS, or Multi Category Security, is part of the MLS (Multi Level Security) concept. Using MCS, it is possible to separate two processes or objects on the system that carry the same SELinux type: their labels differ only in the category part. In Fedora and RHEL we use it to separate virtual machines (VMs) and containers from each other and from the host system. This use case is enabled by default and is described in a separate article.

Let’s look at the following example to understand how MCS works. A user labeled staff_t has two categories (c1 and c2) assigned:

$ id -Z 
staff_u:staff_r:staff_t:s0-s0:c1.c2

This means that a process or user labeled staff_t with c1.c2 (the contiguous range c1 through c2, i.e. the categories c1 and c2) can access only objects which have:

  • a) no categories at all – example: user_home_t:s0
  • b) a set of categories that is a subset of the process's categories, for example:
    • user_home_t:s0:c1
    • user_home_t:s0:c2
    • user_home_t:s0:c1.c2

Of course, the corresponding allow rules must also exist in the SELinux policy; MCS is an additional constraint on top of type enforcement, not a replacement for it:

$ sesearch -A -s staff_t -t user_home_t -c file
allow staff_t user_home_type:file { append create link relabelfrom relabelto rename setattr unlink write };
...
...

If there is no SELinux allow rule, access is denied regardless of categories. The type enforcement check is evaluated first, so when debugging a denial, check the allow rules for the object's actual type (usr_t for the demo files below) before looking at categories.
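To make the dominance rule concrete, here is an added example that is not code from the original post or its demo repository: a small POSIX shell model of the MCS category check. It takes the process and object contexts exactly as id -Z and ls -Z print them, expands the c1.c2 and c1,c3 notations, and reports whether the process's categories are a superset of the object's. The function names (expand_cats, high_level, level_cats, mcs_dominates) and the user_home_t contexts replayed in the demo are my own assumptions for illustration; the usr_t contexts are copied from the examples in this post.

```shell
#!/bin/sh
# Added example, not code from the original post or its demo repository:
# a pure-shell model of the MCS dominance rule explained above. It parses the
# level part of an SELinux context, expands category notation ("c1.c3" is a
# contiguous range, "c1,c5" a list, both may be combined) and reports whether
# the process's categories are a superset of the object's. It models only the
# category check: the type-enforcement allow rule must exist as well.

# Expand a category list such as "c1.c3,c7" into one category number per line.
# An empty argument (no categories) expands to nothing.
expand_cats() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            c*.c*)                          # contiguous range cN.cM
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    echo "$i"
                    i=$((i + 1))
                done
                ;;
            c*) echo "${item#c}" ;;         # single category cN
            *)  echo "expand_cats: bad category '$item'" >&2; return 1 ;;
        esac
    done
}

# High end of a context's MCS range, i.e. the level dominance is checked
# against: "staff_u:staff_r:staff_t:s0-s0:c1,c3" -> "s0:c1,c3",
# "unconfined_u:object_r:usr_t:s0:c1" -> "s0:c1".
high_level() {
    level=$(printf '%s\n' "$1" | cut -d: -f4-)
    printf '%s\n' "${level#*-}"
}

# Sorted, de-duplicated category numbers of a level like "s0:c1.c3", one per line.
level_cats() {
    cats=${1#s0}
    expand_cats "${cats#:}" | sort -n -u
}

# mcs_dominates PROCESS_CONTEXT OBJECT_CONTEXT
# Succeeds when every category of the object is held by the process (case b
# above); an object with no categories (case a) always passes.
mcs_dominates() {
    proc_cats=$(level_cats "$(high_level "$1")")
    obj_cats=$(level_cats "$(high_level "$2")")
    for c in $obj_cats; do
        printf '%s\n' "$proc_cats" | grep -qx "$c" || return 1
    done
    return 0
}

# Replay the two examples from the post (contexts copied from its id -Z and
# ls -Z output) plus a user_home_t object without categories (assumed label).
demo() {
    for proc in 'staff_u:staff_r:staff_t:s0-s0:c1' 'staff_u:staff_r:staff_t:s0-s0:c1,c3'; do
        for obj in 'unconfined_u:object_r:usr_t:s0:c1' \
                   'unconfined_u:object_r:usr_t:s0:c3' \
                   'user_u:object_r:user_home_t:s0'; do
            if mcs_dominates "$proc" "$obj"; then verdict=allowed; else verdict='denied by MCS'; fi
            printf '%-28s %-24s %s\n' "${proc#*:*:}" "${obj#*:*:}" "$verdict"
        done
    done
}
demo
```

Running the script prints the verdict for each process/object pair; the two usr_t pairs with staff_t:s0-s0:c1 give exactly the allowed/denied split shown in Example 1 below, and the c1,c3 process is allowed on both, as in Example 2.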

I prepared a demo repository to demonstrate how easily you can benefit from MCS and SELinux confined users. Please run the demo to follow the whole story. In this blog post, I just introduce the main points.

Example 1: staff_t with category c1 can access file1 (category c1) but cannot access file3 (category c3)

$ id -Z
staff_u:staff_r:staff_t:s0-s0:c1

$ ll -Z file1 file3
-rwxrwxrwx. 1 root root unconfined_u:object_r:usr_t:s0:c1 28 Sep  4 21:08 file1
-rwxrwxrwx. 1 root root unconfined_u:object_r:usr_t:s0:c3 28 Sep  4 21:08 file3

$ cat file1
Data related to category c1

$ cat file3
cat: file3: Permission denied

Both files are mode 777, so DAC permits the read; the denial comes from the MCS constraint in SELinux and is recorded as an AVC denial in the audit log (ausearch -m AVC), with the object's s0:c3 level visible in the target context.

Example 2: staff_t with categories c1 and c3 (written c1,c3, since they are not contiguous) can access both file1 and file3

$ id -Z
staff_u:staff_r:staff_t:s0-s0:c1,c3

$ ll -Z
total 8
-rwxrwxrwx. 1 root root unconfined_u:object_r:usr_t:s0:c1 28 Sep  4 21:08 file1
-rwxrwxrwx. 1 root root unconfined_u:object_r:usr_t:s0:c3 28 Sep  4 21:08 file3

$ cat file1
Data related to category c1

$ cat file3
Data related to category c3

You can set this up on your own system with the command line tools semanage login (to map a Linux login to an SELinux user and MCS range) and chcat (to change the categories of files or logins). For more information, see the demo sources.
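As an added example, not part of the original post or the demo repository, the following shell script reproduces Example 2 with semanage login and chcat. It assumes a login named alice, the directory /usr/local/share/mcs-demo (which the default file contexts on Fedora/RHEL label usr_t, like the post's files), that chcat accepts raw category names such as c1 because no mcstrans translations are configured, and root privileges for apply_demo. The helper mcs_range, which builds the range string that semanage login -r expects from category numbers, is my own.

```shell
#!/bin/sh
# Added example, not part of the original post or its demo repository: one way
# to reproduce Example 2 with semanage login and chcat on a Fedora/RHEL host in
# enforcing mode. The login name "alice" and the directory
# /usr/local/share/mcs-demo (labelled usr_t by the default file contexts, like
# the post's files) are assumptions for illustration. apply_demo must run as root.
set -e

# Print one category or a contiguous run in the notation id -Z uses.
fmt_run() {
    if [ "$1" -eq "$2" ]; then printf 'c%s' "$1"; else printf 'c%s.c%s' "$1" "$2"; fi
}

# mcs_range CATEGORY_NUMBER... -> "s0-s0:<categories>"
# Builds the MCS range for semanage login -r from category numbers: sorts them,
# drops duplicates, collapses contiguous runs ("1 2 3 5" -> c1.c3,c5) and
# rejects anything that is not a number in c0..c1023. No arguments -> "s0-s0".
mcs_range() {
    cats=$(printf '%s\n' "$@" | sort -n -u)
    out=""; start=""; prev=""
    for c in $cats; do
        case "$c" in
            *[!0-9]*) echo "mcs_range: bad category '$c'" >&2; return 1 ;;
        esac
        if [ "$c" -gt 1023 ]; then
            echo "mcs_range: category c$c outside c0..c1023" >&2; return 1
        fi
        if [ -z "$start" ]; then
            start=$c; prev=$c
        elif [ "$c" -eq $((prev + 1)) ]; then
            prev=$c
        else
            out="$out,$(fmt_run "$start" "$prev")"
            start=$c; prev=$c
        fi
    done
    if [ -n "$start" ]; then out="$out,$(fmt_run "$start" "$prev")"; fi
    if [ -n "$out" ]; then printf 's0-s0:%s\n' "${out#,}"; else printf 's0-s0\n'; fi
}

# apply_demo LOGIN DIR
# Maps LOGIN to staff_u with categories c1 and c3 (Example 2), creates the two
# demo files, gives each its category with chcat and shows the result.
# A new or changed login mapping applies at the user's next login; relabel the
# user's existing home files afterwards (restorecon -R) so their SELinux user
# matches the new mapping.
apply_demo() {
    login=$1
    dir=$2
    range=$(mcs_range 1 3)                  # s0-s0:c1,c3

    if semanage login -l | grep -q "^${login}[[:space:]]"; then
        semanage login -m -s staff_u -r "$range" "$login"
    else
        semanage login -a -s staff_u -r "$range" "$login"
    fi

    mkdir -p "$dir"
    printf 'Data related to category c1\n' > "$dir/file1"
    printf 'Data related to category c3\n' > "$dir/file3"
    chmod 0644 "$dir/file1" "$dir/file3"    # readable under DAC; SELinux decides
    chcat +c1 "$dir/file1"                  # chcat changes only the category part
    chcat +c3 "$dir/file3"                  # of the label; the type stays usr_t

    ls -Z "$dir"
    semanage login -l | grep "^${login}[[:space:]]"
}

# Usage (as root):  sh mcs-demo.sh apply alice
# Then log in as alice and run: id -Z; cat /usr/local/share/mcs-demo/file1
if [ "${1:-}" = apply ]; then
    apply_demo "${2:-alice}" "${3:-/usr/local/share/mcs-demo}"
fi
```

Nothing is changed unless the script is invoked with apply, so mcs_range can be exercised safely on any host. After logging in as alice, id -Z should show staff_u:staff_r:staff_t:s0-s0:c1,c3 and both files should be readable; mapping alice with mcs_range 1 instead reproduces Example 1, where reading file3 is denied.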

Hope it helps with process separation 🙂