On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
</div><div><div></div><div class="h5">On 02/20/2011 05:59 PM, Dominick Grift wrote:<br>
> On 02/20/2011 06:31 AM, Scott Gifford wrote:</div></div></blockquote><div> [ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div class="h5">>> OK, so I have started experimenting with this, but /proc is not behaving how<br>
>> I expect so far.<br>
><br>
>> So I open up two shells. In the first I run:<br>
><br>
>> runcon -l s0-s0:c0,c1 bash<br>
><br>
><br>
>> and in the second:<br>
><br>
>> runcon -l s0-s0:c0,c2 bash<br>
><br>
><br>
>> So both should have access to c1, but only the first will have access to c1<br>
>> and only the second will have access to c2.<br></div></div></blockquote><div><br></div><div>Above I meant to say "both should have access to c0".</div><div>[ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="h5">>> shell1$ *id -Z*<br>
>> user_u:system_r:unconfined_t:-s0:c0,c1<br>
>> shell1$ *ls -lZ /proc/10961/maps*<br>
>> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2<br>
>> /proc/10961/maps<br>
>> shell1$ *head -1 /proc/10961/maps*<br>
>> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]<br>
><br>
> from /policy/mcs:<br>
><br>
> # Note:<br>
> # - getattr on dirs/files is not constrained.<br>
> # - /proc/pid operations are not constrained.<br>
><br>
> so that explains the above<br></div></div></blockquote><div><br></div><div>Ah, yes it does, thanks! I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?</div>
<div><br></div><div>-------Scott.</div><div><br></div></div>
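As an added illustration, not part of the original thread, here is a small Python model of the MCS check the quoted policy note is talking about. The dominance rule itself (a subject level dominates an object level when its sensitivity is at least as high and its category set is a superset) is standard MCS/MLS; the `getattr` and `/proc/pid` exemptions are a simplification of the note quoted above, written as explicit parameters rather than taken from the real constraint file. Using the two ranges from the thread, `s0-s0:c0,c1` and `s0-s0:c0,c2`, it shows why a plain file read would be denied while reading `/proc/10961/maps` went through.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity (sN) plus a set of category numbers."""
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        # Standard dominance: at least as sensitive and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec: str) -> FrozenSet[int]:
    """Parse 'c0,c1' or 'c0.c3' (a range) into a set of category numbers."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """Parse 's0' or 's0:c0,c1' into a Level."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def parse_range(text: str) -> Tuple[Level, Level]:
    """Parse 'low-high' (as passed to runcon -l) into (low, high).

    A bare level such as 's0:c0' means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level must dominate low level: {text!r}")
    return lo, hi


def mcs_allows(subject_range: str, object_range: str, perm: str,
               object_is_proc: bool = False) -> bool:
    """Simplified model of the MCS file constraint from the thread (assumption).

    The two exemptions mirror the policy note quoted in the mail:
    getattr is not constrained, and /proc/pid objects are not constrained.
    Everything else requires the subject's high level to dominate the
    object's high level."""
    if perm == "getattr" or object_is_proc:
        return True
    _, subj_high = parse_range(subject_range)
    _, obj_high = parse_range(object_range)
    return subj_high.dominates(obj_high)


if __name__ == "__main__":
    shell1 = "s0-s0:c0,c1"   # first shell from the thread
    shell2 = "s0-s0:c0,c2"   # second shell from the thread
    # A regular file labelled with shell2's categories: shell1 lacks c2, so no read.
    print("read regular c0,c2 file:", mcs_allows(shell1, shell2, "read"))
    # The same label on /proc/<pid>/maps: exempt, which is what shell1 observed.
    print("read /proc/pid/maps:", mcs_allows(shell1, shell2, "read", object_is_proc=True))
    # getattr (what ls -lZ needs) is exempt too, so the label is visible either way.
    print("getattr c0,c2 file:", mcs_allows(shell1, shell2, "getattr"))
```

The thing to take away is that the exemption is a property of the constraint expression, not of the category arithmetic: the category check itself would deny shell1, and only the carve-outs in the constraint let the `/proc` read through.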