Linux – SELinux: Can I disable copying of certain files


Please excuse me if this is too basic and you're tempted to throw an RTFM at me.
I want to prevent users from copying certain files while granting them read access to the same files. I thought this was impossible until I came across this example in the SELinux Wiki:

 allow firefox_t user_home_t : file { read write };

So I was thinking, is it possible to give the files in question a mode of 0700 for instance, and use SELinux to grant read access only to the application that the users will normally be using to read the files?

Again, I'm sorry if this is too basic, it's just that I'm on a tight schedule and I want to give an answer to my boss one way or the other (if it's possible or not) as soon as possible and I know nothing about SELinux so I'm afraid reading on my own to determine whether it's possible or not would take me too much time. Please note that I'm not averse to reading per se and would hugely appreciate pointers to the relevant documentation if it exists.

So basically, my question is, is there a way to do this in SELinux or am I wasting my time pursuing such an alternative?

P.S. I'm aware that granting read access can allow users who are really intent on copying the files to copy and paste them from within the application they'll read them with; I'm just looking for a first line of defense.


EDIT

To better explain my use case:

  • The files in question are a mixture of text and binaries.
  • They need to be read by proprietary commercial software: they are simulation models for an electronics simulation software.
  • These models are themselves proprietary and we don't want the users simulating with them leaking them out for unauthorized use.
  • The software only needs to read the models and run a few scripts from these files; it will not write their contents anywhere.
  • In short, I want only the simulation software to have read and execute access to these files while preventing read access for the users.

Best Answer

I think it's important to note that the cat isn't the problem in my comment above, but shell redirection. Are you trying to restrict copying of binaries or text files? If it's binaries, then I believe you can work something out with rbash (see http://blog.bodhizazen.net/linux/how-to-restrict-access-with-rbash/).

However, if it's text files, I'm not sure how you can prevent someone from just copying from their local terminal.

I'm not sure any general SELinux solution would be helpful here. Does your application that reads files need to write data anywhere? If not and these files only need to be read by your application, you could just give your application's type read-only access to the files of the type you would like it to read and don't give it write anywhere.

I think some more information on the exact permissions required by your use-case might be helpful, sorry for the vague answer.


UPDATE - MORE SPECIFIC ANSWER

I think you can achieve what you want without SELinux, as this is how many things are handled (e.g. normal users changing their password in /etc/shadow via the passwd command):

  • Make a separate user and/or group for your commercial software (might already be done)
  • Give the files read-only access by said user and/or group
  • Make sure normal users do not have access to those files
  • Make your executable setuid or setgid (depending on whether you used a group or user) e.g. chmod g+s or chmod u+s
  • When users run the application, they will now have the same permissions that the application user or group has, thereby allowing read access to those specific files within the desired application.

UPDATE2 - MULTIPLE USERS AND GROUPS

If you have multiple applications and groups, you can likely achieve the functionality you are looking for with sudo. Many people are aware of its ability to let you run commands as root, but its usefulness goes far beyond that example. I'm not sure this is an ideal setup, but it's one way to do what you're attempting.

You can still make all the application files owned by the application, but then you can make separate groups for each set of files. This is what your /etc/sudoers or a file in /etc/sudoers.d/ could look like:

User_Alias    FILEGROUP1 = user1, user2
User_Alias    FILEGROUP2 = user3, user4
Cmnd_Alias    MYEDITOR = /usr/local/bin/myeditor, /usr/local/bin/mycompiler

FILEGROUP1    ALL=(:fileset1) NOPASSWD: MYEDITOR
FILEGROUP2    ALL=(:fileset2) NOPASSWD: MYEDITOR

Where user1 and user2 need access to files owned by the group fileset1 and user3 and user4 need access to files owned by the group fileset2. You could also use groups instead of users.

The users could access their files through the editor by doing sudo -g fileset1 /usr/local/bin/myeditor or something similar.

It might help to create some wrapper scripts for the necessary sudo -g commands for your users, especially since it sounds like it may be a graphical application.

More details:

http://www.garron.me/linux/visudo-command-sudoers-file-sudo-default-editor.html

https://serverfault.com/questions/166254/change-primary-group-with-sudo-u-g

http://linux.die.net/man/8/sudo
