On 09/16/2015 04:36 PM, Mario Rosic wrote:
Hello,
I have trouble understanding how MCS labels work; they are not being
enforced on my RHEL7 system even though SELinux is "enforcing" and the
policy used is "targeted". I don't think I should be able to access
those files:
backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3 /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
backup@test ~ $ id
uid=1000(backup) gid=1000(backup) groups=1000(backup)
context=guest_u:guest_r:guest_t:s0:c1
root@test ~ # getenforce
Enforcing
I can still access them even though they have different labels (c3 and
c99 as opposed to my user having c1).
backup@test ~ $ cat /tmp/accounts-users
domenico balance: -30
backup@test ~ $ cat /tmp/accounts-admin
don't lend money to domenico
Am I missing something?
More info:
# semanage user -l
SELinux User  Prefix  MCS Level  MCS Range      SELinux Roles
guest_u       user    s0         s0-s0:c0.c10   guest_r
# semanage login -l
Login Name   SELinux User  MLS/MCS Range  Service
__default__  user_u        s0             *
backup       guest_u       s0:c1          *
Regards,
Mario R
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
That's correct. Only some types are MCS-aware in targeted policy by
default.
See
$ seinfo -xamcs_constrained_type
So in your case if you create a local policy like
$ cat mymcs.te
policy_module(mymcs, 1.0)

require {
        type guest_t;
}

mcs_constrained(guest_t)
then you will get the expected behaviour.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
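As an added illustration of the rule Miroslav is pointing at (this is not part of either message above and not libselinux or kernel code): the MCS constraint only fires for types carrying the mcs_constrained_type attribute, and when it fires it compares category sets, so a process at s0:c1 cannot dominate a file at s0:c3. The labels below are copied from the thread; the parser, the dominance check and the helper names (parse_categories, mcs_allows, within_user_range) are this example's own.

```python
import re

# Labels copied from the thread above; everything else is a constructed
# model of the MCS dominance rule, not libselinux or the kernel's own code.
PROCESS_CONTEXT = "guest_u:guest_r:guest_t:s0:c1"
ACCOUNTS_ADMIN = "guest_u:object_r:user_tmp_t:s0:c3"
ACCOUNTS_USERS = "guest_u:object_r:user_tmp_t:s0:c99"
GUEST_U_RANGE = "s0-s0:c0.c10"   # from 'semanage user -l' in the thread

_CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")


def parse_categories(level):
    """Expand the category part of an MCS level into a set of ints.
    's0' -> set(), 's0:c1' -> {1}, 's0:c0.c10,c12' -> {0..10, 12}."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {level!r}")
    result = set()
    if not cats:
        return result
    for part in cats.split(","):
        m = _CAT_RE.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec {part!r} in {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range {part!r}")
        result.update(range(lo, hi + 1))
    return result


def level_of(context):
    """Return the level field of a user:role:type:level context string."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a 4-field context: {context!r}")
    return parts[3]


def high_level(mcs_range):
    """High (clearance) end of a range like 's0-s0:c0.c10'; a plain level
    such as 's0:c1' is its own high level."""
    return mcs_range.rsplit("-", 1)[-1]


def dominates(subject_level, object_level):
    """MCS dominance: the subject's categories must be a superset of the
    object's. Under targeted policy the sensitivity is always s0, so only
    the category sets decide the outcome."""
    return parse_categories(subject_level) >= parse_categories(object_level)


def mcs_allows(subject_context, object_context, subject_constrained):
    """Whether the MCS constraint permits the access. A type without the
    mcs_constrained_type attribute is never checked, which is why guest_t
    could read both files before the local module was added."""
    if not subject_constrained:
        return True
    return dominates(level_of(subject_context), level_of(object_context))


def within_user_range(login_level, user_range):
    """Whether a login's level fits inside the SELinux user's MCS range."""
    return parse_categories(high_level(user_range)) >= parse_categories(login_level)


if __name__ == "__main__":
    for name, ctx in (("accounts-admin", ACCOUNTS_ADMIN),
                      ("accounts-users", ACCOUNTS_USERS)):
        before = mcs_allows(PROCESS_CONTEXT, ctx, subject_constrained=False)
        after = mcs_allows(PROCESS_CONTEXT, ctx, subject_constrained=True)
        print(f"{name}: default guest_t -> {'allowed' if before else 'denied'}, "
              f"with mcs_constrained(guest_t) -> {'allowed' if after else 'denied'}")
    # c99 lies outside guest_u's c0.c10 range, so no guest_u login in this
    # configuration can be given a level that dominates /tmp/accounts-users.
    print("c99 inside guest_u range:", within_user_range("s0:c99", GUEST_U_RANGE))
```

Running it shows both files readable with the stock guest_t and both denied once guest_t is constrained; the last line is the extra caveat a practitioner should notice in the thread's own data: guest_u's range tops out at c10, so a file at c99 is unreachable for any guest_u login, whatever level the backup account is given.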