Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Sun Feb 20 20:47:01 UTC 2011


On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472 at gmail.com> wrote:

> On 02/20/2011 05:59 PM, Dominick Grift wrote:
> > On 02/20/2011 06:31 AM, Scott Gifford wrote:
>
 [ ... ]

> >> OK, so I have started experimenting with this, but /proc is not behaving how
> >> I expect so far.
> >
> >> So I open up two shells.  In the first I run:
> >
> >> runcon -l s0-s0:c0,c1 bash
> >
> >
> >> and in the second:
> >
> >> runcon -l s0-s0:c0,c2 bash
> >
> >
> >> So both should have access to c1, but only the first will have access to c1
> >> and only the second will have access to c2.
>

Above I meant to say "both should have access to c0".
[ ... ]

> >> shell1$ *id -Z*
> >> user_u:system_r:unconfined_t:-s0:c0,c1
> >> shell1$ *ls -lZ /proc/10961/maps*
> >> -r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
> >> shell1$ *head -1 /proc/10961/maps*
> >> 002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]
> >
> > from /policy/mcs:
> >
> > # Note:
> > #  - getattr on dirs/files is not constrained.
> > #  - /proc/pid operations are not constrained.
> >
> > so that explains the above
>

Ah, yes it does, thanks!  I wonder if I can adjust this policy to get
different behavior, or if it's hardcoded somewhere outside the policy?

-------Scott.
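
Added example, not part of the original message or of the SELinux policy sources: a small Python model of MCS level dominance applied to the two `runcon -l` ranges used in this thread. It assumes a constrained read compares the subject's high level with the object's high level by dominance; all function names are hypothetical. Under that rule neither shell dominates the other, so the successful read of `/proc/10961/maps` is consistent with the quoted policy note that /proc/pid operations are not constrained.

```python
import re

def parse_level(level):
    """Parse one level such as 's0:c0,c2' or 's0:c0.c3' into (sens, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)  # 'c5' or a span 'c0.c3'
        if not r:
            raise ValueError(f"bad category: {item!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category span: {item!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(rng):
    """Split 'low-high' into two levels; a single level means low == high."""
    low, sep, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dominates(a, b):
    """a dominates b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_read_allowed(subject_range, object_range):
    """Assumed constrained case: subject high level must dominate object high level."""
    return dominates(parse_range(subject_range)[1], parse_range(object_range)[1])

def shared_categories(range_a, range_b):
    """Categories present in the high level of both ranges."""
    return sorted(parse_range(range_a)[1][1] & parse_range(range_b)[1][1])

# Ranges taken from the runcon commands in the thread.
SHELL1 = "s0-s0:c0,c1"
SHELL2 = "s0-s0:c0,c2"

if __name__ == "__main__":
    print("shared categories:", shared_categories(SHELL1, SHELL2))
    print("shell1 may read shell2 object:", mcs_read_allowed(SHELL1, SHELL2))
    print("shell2 may read shell1 object:", mcs_read_allowed(SHELL2, SHELL1))
    print("shell1 may read s0:c0 object:", mcs_read_allowed(SHELL1, "s0:c0"))
```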