Using dyntransition to reduce privileges for Web application
sgifford at suspectclass.com
Sun Feb 20 20:47:01 UTC 2011
On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472 at gmail.com> wrote:
> On 02/20/2011 05:59 PM, Dominick Grift wrote:
> > On 02/20/2011 06:31 AM, Scott Gifford wrote:
[ ... ]
> >> OK, so I have started experimenting with this, but /proc is not behaving
> >> as I expect so far.
> >> So I open up two shells. In the first I run:
> >> runcon -l s0-s0:c0,c1 bash
> >> and in the second:
> >> runcon -l s0-s0:c0,c2 bash
> >> So both should have access to c1, but only the first will have access to
> >> and only the second will have access to c2.
Above I meant to say "both should have access to c0".
[ ... ]
> >> shell1$ *id -Z*
> >> user_u:system_r:unconfined_t:-s0:c0,c1
> >> shell1$ *ls -lZ /proc/10961/maps*
> >> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
> >> /proc/10961/maps
> >> shell1$ *head -1 /proc/10961/maps*
> >> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
> > from /policy/mcs:
> > # Note:
> > # - getattr on dirs/files is not constrained.
> > # - /proc/pid operations are not constrained.
> > so that explains the above
Ah, yes it does, thanks! I wonder if I can adjust this policy to get
different behavior, or if it's hardcoded somewhere outside the policy?
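
An added example, not part of the original thread or of the SELinux policy: a small Python check of the category dominance relation for the two `runcon` ranges above, showing why a denial was expected before the `/proc/pid` exemption was pointed out. It assumes a constrained read compares the subject's high level against the object's high level (`h1 dom h2`); the thread does not quote the constraint itself, and the function names are made up for this sketch.

```python
"""MCS dominance for the two runcon ranges in the thread (added example)."""

def parse_level(level):
    """'s0:c0,c2.c4' -> (0, frozenset({0, 2, 3, 4}))"""
    sens, _, cats = level.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity in {level!r}")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c2.c4' is an inclusive range
        hi = hi or lo
        if not (lo[:1] == "c" and hi[:1] == "c"
                and lo[1:].isdigit() and hi[1:].isdigit()):
            raise ValueError(f"bad category in {level!r}")
        lo_n, hi_n = int(lo[1:]), int(hi[1:])
        if lo_n > hi_n:
            raise ValueError(f"reversed category range in {level!r}")
        found.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(found)

def parse_range(rng):
    """'s0-s0:c0,c1' -> (low, high); a lone level is both low and high."""
    low, sep, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dominates(a, b):
    """a dominates b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def high_dominates(subject_range, object_range):
    """Assumed form of the constrained check: subject high dom object high."""
    return dominates(parse_range(subject_range)[1],
                     parse_range(object_range)[1])

# Ranges taken from the two runcon commands in the thread.
SHELL1 = "s0-s0:c0,c1"
SHELL2 = "s0-s0:c0,c2"

if __name__ == "__main__":
    # Shell 1 reading an object labelled like shell 2's process: c2 is missing.
    print("shell1 dom shell2:", high_dominates(SHELL1, SHELL2))
    # Both shells dominate an object that carries only c0.
    print("shell1 dom s0:c0 :", high_dominates(SHELL1, "s0:c0"))
    print("shell2 dom s0:c0 :", high_dominates(SHELL2, "s0:c0"))
```

Neither shell dominates the other, so a constrained read across them would fail on categories; the successful `head` in the transcript is consistent with the policy note that `/proc/pid` operations are not constrained.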