On Wed, 2013-04-17 at 23:18 +0800, bigclouds wrote:
> A process can access a file; they have the same MCS.
> Is the authority to access the file its biggest authority or smallest
> authority?
Not sure if I understand your question, but the MCS range of the source
operating on the target needs to be exactly the same, I believe.
> Can the process have access to anything else, besides the file?
> Thanks
Here are the MCS rules:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
You can look there to see how MCS affects the policy.
At 2013-04-17 21:15:10, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
>On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
>> Hi all,
>> A qemu-kvm process and its disk (image file) have the same
>> MCS (s0:c111,c555). It expresses that this process has access to this image.
>> I do not know whether the power to access its image file is the max or min?
>> Does this process (domain) have any other power? How much?
>> I want to know the exact power a qemu-kvm process has besides access to
>> its image file: other kinds of files, dirs, etc.
>
>I do not fully understand your question and the information you provided
>does not clarify the issues for me but:
>
>Here you can find the Fedora MCS rules:
>
>https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
>
>To see what all types have assigned the mcs_constrained_type attribute:
>
>seinfo -xamcs_constrained_type
>
>>
>> My test case:
>> After starting a guestVM (its disk XML: cache='none' error_policy='stop'),
>> make some modifications to its files and save them.
>> Then go to the hypervisor and modify the MCS of the guestVM's image file.
>> 1. I can read those files (cache=none)? It should not be so. Why?
>> 2. Then modify files and save; the guestVM hangs, it is paused on the UI.
>> This is right, the qemu process can not write again. Why is this guestVM
>> hung, and can not be resumed?
>> 3. Look at the audit info: denied { write } for pid=52162 comm="qemu-kvm".
>> That pid is 52162, is not my qemu-kvm's pid? Why?
>>
>> thanks so much.
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
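
Added example, not part of the thread and not code from selinux-policy: a small parser for AVC denials like the one in the test case, comparing the MCS categories of the source and target contexts. The AVC lines are constructed; svirt_t, svirt_image_t, the file name and the c777 category are assumptions, and which relation a given permission needs is defined in the policy/mcs file linked above.

```python
import re

# Constructed AVC records. pid, comm and s0:c111,c555 come from the thread;
# types, file name, inode and the relabelled category c777 are assumed.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1366211890.101:812): avc:  denied  { write } for  '
    'pid=52162 comm="qemu-kvm" name="guest.img" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:svirt_t:s0:c111,c555 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c111,c777 tclass=file',
    'type=AVC msg=audit(1366211891.202:813): avc:  denied  { read } for  '
    'pid=4242 comm="example" name="guest.img" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:example_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c111,c555 tclass=file',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def categories(level):
    """Expand the categories of one level: 's0:c1,c4.c6' -> {1, 4, 5, 6}."""
    _, _, cats = level.partition(':')
    out = set()
    for item in filter(None, cats.split(',')):
        lo, _, hi = item.partition('.')          # 'c4.c6' is a range
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out

def high_level(context):
    """High level of user:role:type:low[-high]; MCS uses only sensitivity s0."""
    return context.split(':', 3)[3].split('-')[-1]

def explain(avc_line):
    """Summarise one denial and how source and target categories relate."""
    f = {k: v.strip('"') for k, v in FIELD.findall(avc_line)}
    src = categories(high_level(f['scontext']))
    tgt = categories(high_level(f['tcontext']))
    return {
        'pid': int(f['pid']), 'comm': f['comm'],
        'perms': PERMS.search(avc_line).group(1).split(),
        'same_categories': src == tgt,
        'source_dominates': src >= tgt,      # source holds every target category
        'missing_in_source': sorted(tgt - src),
    }

if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(explain(line))
```

If same_categories is true for a denial, the MCS labels are not what differs between the two contexts, and the type enforcement rules are the next place to look.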