Problem with upgrading a file sensitivity level with mls policy
Stephen Smalley
sds at tycho.nsa.gov
Thu Oct 5 17:42:50 UTC 2006
On Thu, 2006-10-05 at 12:32 -0400, Suchoski, Andrew wrote:
> Found my problem. I was concentrating on the domain-type access controls for relabelfrom/relabelto and I forgot about the basic TE constraint that states
>
> constrain dir_file_class_set { create relabelto relabelfrom }
> ( u1 == u2 or t1 == can_change_object_identity );
>
> audit2allow doesn't help very much with that.
True. audit2why can at least diagnose whether it is constraint-related
or TE-related.
--
Stephen Smalley
National Security Agency
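
Added example (not part of the original messages, and not SELinux's own code): a simplified Python model of the quoted constraint, showing why the TE allow rules that audit2allow proposes cannot clear a denial caused by the identity constraint. The contexts, the allow rules and the membership of can_change_object_identity are constructed for illustration, and MLS constraints are not modelled.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

def parse_context(text):
    # The MLS level may itself contain ':' (e.g. s5:c0.c5), so split at most 3 times.
    return Context(*text.split(":", 3))

# Assumption: types carrying the can_change_object_identity attribute (constructed).
CAN_CHANGE_OBJECT_IDENTITY = {"setfiles_t", "restorecon_t"}

def constraint_ok(src, tgt, exempt=CAN_CHANGE_OBJECT_IDENTITY):
    # Models: ( u1 == u2 or t1 == can_change_object_identity )
    # u1/t1 come from the process context, u2 from the file context.
    return src.user == tgt.user or src.type in exempt

def check_relabel(proc, old, new, te_allow):
    """Return 'granted', 'TE:<perm>' or 'constraint:<perm>' for the first failure.

    relabelfrom is checked against the file's old context, relabelto against
    the new one. A permission needs both a TE allow rule and a passing constraint.
    """
    for perm, tgt in (("relabelfrom", old), ("relabelto", new)):
        if (proc.type, tgt.type, perm) not in te_allow:
            return "TE:" + perm          # an allow rule would fix this
        if not constraint_ok(proc, tgt):
            return "constraint:" + perm  # no allow rule can fix this
    return "granted"

# Constructed sample: an admin process raising a file's sensitivity level.
ADMIN = parse_context("staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023")
OLD = parse_context("system_u:object_r:etc_t:s0")
NEW = parse_context("system_u:object_r:etc_t:s5:c0.c5")
TE_ALLOW = {("sysadm_t", "etc_t", "relabelfrom"),
            ("sysadm_t", "etc_t", "relabelto")}

if __name__ == "__main__":
    print(check_relabel(ADMIN, OLD, NEW, set()))     # missing allow rules
    print(check_relabel(ADMIN, OLD, NEW, TE_ALLOW))  # allow rules present, u1 != u2
```
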