That's right (ignoring mls/mcs attributes): the MCS policy for all restricted classes
is simply ( h1 dom h2 ).
Depending on what distribution you're using, the classes that are restricted vary
(for example, RHEL doesn't yet have network-related restrictions, but Fedora 18 does);
however, the file and database classes have been restricted upstream in the SELinux
Reference Policy for quite some time and so should be available.
For a more detailed explanation of policy, see the related MLS article:
http://trustedsubject.wordpress.com/2013/02/11/selinux-reference-policy-p...
Cheers,
Doug
From: Ted Toth <txtoth@gmail.com>
Date: Wednesday, 24 April 2013 1:09 AM
To: bigclouds <bigclouds@163.com>
Cc: "selinux@lists.fedoraproject.org" <selinux@lists.fedoraproject.org>
Subject: Re: MCS confusing questions
Assuming that the svirt_t domain has policy to read svirt_tmp_t files, from the MCS
perspective s0:c1,c2 dominates s0:c1.
On Tue, Apr 23, 2013 at 5:23 AM, bigclouds <bigclouds@163.com> wrote:
hi,
1. url
http://danwalsh.livejournal.com/63472.html
In one place you said s0:c1,c2 can access 4 MCS, including s0:c1, but after a
while you said
svirt_t:s0:c1,c2 would be able to read a svirt_tmp_t:s0:c1 file?
why?
2. Why would "svirt_t:s0:c1,c2 be able to read a svirt_tmp_t:s0:c1 file"? Is it
because s0:c1,c2 is a higher level than s0:c1?
thanks
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
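A worked illustration of the dominance rule discussed in this thread, added here as an example; it is not code from the thread, from Dan Walsh's post, or from SELinux itself. It models only the MCS constraint (h1 dom h2: the reader's sensitivity is at least the file's and its category set is a superset of the file's), not the type-enforcement allow rule that Ted notes must also exist. It assumes sensitivities are written sN with numeric ordering and categories cN, with cA.cB denoting a contiguous run, as in the default Fedora/RHEL MCS policy; the sample contexts are constructed for the example.

```python
"""MCS dominance check (added example, not from the thread or from SELinux).

Parses MLS/MCS level strings such as "s0", "s0:c1,c2", "s0:c1.c3" and
"s0-s0:c1,c2" and answers "does h1 dominate h2?".  Only the MCS constraint
is modelled; a TE allow rule is still required for the access to succeed.
Assumption: sensitivities are sN (numeric order), categories are cN, and
cA.cB is a contiguous range, as in the default Fedora/RHEL MCS policy.
"""

import re
from itertools import combinations


def parse_level(level):
    """Return (sensitivity, frozenset(categories)) for one level string.
    'c1.c3' expands to {1, 2, 3}; no category list means the empty set."""
    level = level.strip()
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    sensitivity = int(m.group(1))
    categories = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category in {level!r}: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted range in {level!r}: {part!r}")
        categories.update(range(lo, hi + 1))
    return sensitivity, frozenset(categories)


def high_level(mls_range):
    """An MLS field may be a range 'low-high'; for a read check the high
    level (the clearance) is what matters, e.g. 's0-s0:c1,c2' -> 's0:c1,c2'."""
    return mls_range.split("-")[-1]


def mls_of(context):
    """Extract the MLS/MCS field from a full context string.  The first
    three fields are user:role:type; everything after is the level, which
    may itself contain ':' (e.g. 'system_u:system_r:svirt_t:s0:c1,c2')."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no MLS field: {context!r}")
    return fields[3]


def dominates(h1, h2):
    """h1 dom h2: sensitivity(h1) >= sensitivity(h2) and cats(h1) is a
    superset of cats(h2).  Equal levels dominate each other."""
    s1, c1 = parse_level(high_level(h1))
    s2, c2 = parse_level(high_level(h2))
    return s1 >= s2 and c1 >= c2


def mcs_read_allowed(process_context, file_context):
    """The MCS side of 'can this process read this file?' for the thread's
    example: svirt_t at s0:c1,c2 reading a svirt_tmp_t file at s0:c1."""
    return dominates(mls_of(process_context), mls_of(file_context))


def format_level(sensitivity, cats):
    """Render a level with categories listed individually (no cA.cB folding)."""
    cats = sorted(cats)
    if not cats:
        return f"s{sensitivity}"
    return f"s{sensitivity}:" + ",".join(f"c{c}" for c in cats)


def readable_levels(level):
    """Every level at the same sensitivity that `level` dominates: one per
    subset of its categories, i.e. 2**n of them.  This is why a process at
    s0:c1,c2 can access 4 MCS labels (s0, s0:c1, s0:c2, s0:c1,c2)."""
    s, cats = parse_level(high_level(level))
    return [
        format_level(s, subset)
        for n in range(len(cats) + 1)
        for subset in combinations(sorted(cats), n)
    ]


if __name__ == "__main__":
    # Constructed sample contexts in the style of sVirt labels.
    proc = "system_u:system_r:svirt_t:s0:c1,c2"
    tmp = "system_u:object_r:svirt_tmp_t:s0:c1"
    print(proc, "->", tmp, "MCS allows read:", mcs_read_allowed(proc, tmp))
    print(tmp, "->", proc, "MCS allows read:", mcs_read_allowed(tmp, proc))
    print("levels s0:c1,c2 dominates:", readable_levels("s0:c1,c2"))
```

Running the block prints that the s0:c1,c2 process may read the s0:c1 file but not the reverse, and lists the four levels that s0:c1,c2 dominates. Note that a file labelled s0:c3 is not readable from s0:c1,c2, since {1, 2} is not a superset of {3}; dominance is a superset relation, not "more categories wins".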