question about process power which has MCSx

Daniel J Walsh dwalsh at redhat.com
Wed Apr 17 17:58:36 UTC 2013



On 04/17/2013 12:53 PM, Dominick Grift wrote:
> On Wed, 2013-04-17 at 23:18 +0800, bigclouds wrote:
>> A process can access a file; they have the same MCS. Is the authority to
>> access the file its biggest authority or its smallest authority?
> 
> Not sure if I understand your question, but the MCS range of the source
> operating on the target needs to be exactly the same, I believe.
> 
>> Can the process have access to anything else, besides the file? Thanks
>> 
> 
> Here are the MCS rules:
> 
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
> 
> You can look there to see how MCS affects the policy.
> 
>> At 2013-04-17 21:15:10,"Dominick Grift" <dominick.grift at gmail.com>
>> wrote:
>>> On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
>>>> Hi all, a qemu-kvm process and its disk (image file) have the same
>>>> MCS (s0:c111,c555). This expresses that this process has access to this
>>>> image. I do not know whether the power to access its image file is the max or
>>>> min. Does this process (domain) have any other power? How much? I want to
>>>> know the exact power a qemu-kvm process has besides accessing its image
>>>> file: other kinds of files, dirs etc.
>>> 
>>> I do not fully understand your question and the information you
>>> provided does not clarify the issues for me but:
>>> 
>>> Here you can find the Fedora MCS rules:
>>> 
>>> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
>>> 
>>> To see what all types have assigned the mcs_constrained_type attribute:
>>> 
>>> seinfo -xamcs_constrained_type
>>> 
>>>> 
>>>> My test case: after starting a guest VM (its disk XML has cache='none'
>>>> error_policy='stop'), make some modifications to its files and save
>>>> them. Then go to the hypervisor and modify the MCS of the guest VM's image file.
>>>> 1. I can read those files (cache=none)? It should not be so. Why?
>>>> 2. Then modify files and save; the guest VM hangs, it is paused in the UI.
>>>> This is right, the qemu process cannot write again. Why is this guest VM
>>>> hung, and why can it not be resumed? 3. Look at the audit info: denied { write }
>>>> for pid=52162 comm="qemu-kvm". That pid is 52162; is that not my
>>>> qemu-kvm's pid? Why?
>>>> 
>>>> thanks so much.
>>>> 
>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Must be my day to blog.

http://danwalsh.livejournal.com/#post-danwalsh-63472

This blog explains MCS Separation.
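
As an added example (not code from this thread, nor from the selinux-policy project): the MCS part of a context is enforced by the `mlsconstrain` rules in policy/mcs, which for file read and write require `h1 dom h2`, i.e. the process's high level must dominate the file's, so the process's category set must contain every category the file carries. Identical sets, as in the thread's s0:c111,c555, satisfy this; an image relabelled to categories the process does not hold does not, which is exactly what a `denied { write }` AVC record against the qemu-kvm pid reports. The script below parses contexts (including ranges such as s0:c0.c1023, which goes beyond the thread's plain category lists), applies the dominance check, and runs it over a constructed AVC line modelled on the one quoted above. The path, device, inode, timestamp and the file's new categories are constructed values, and the `mcs_constrained_type`, `mcsreadall` and `mcswriteall` exemptions are assumed not to apply (both svirt_t and svirt_image_t are constrained).

```python
"""Check the SELinux MCS dominance rule for a process context against a file
context, and apply it to an AVC denial line.

Constructed example, not code from the selinux-policy project. The contexts
and the audit record below are made up to mirror the thread: a qemu-kvm
process at s0:c111,c555 whose image file has been relabelled to other
categories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MCSLevel:
    sensitivity: int
    categories: frozenset


def parse_level(level):
    """Parse one level such as 's0', 's0:c111,c555' or 's0:c0.c1023'.

    Ranges written c0.c1023 are expanded to the full category set.
    """
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level.strip())
    if not m:
        raise ValueError(f"not a level: {level!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
            if not r:
                raise ValueError(f"bad category spec: {part!r}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            cats.update(range(lo, hi + 1))
    return MCSLevel(int(m.group(1)), frozenset(cats))


def parse_context(ctx):
    """Split 'user:role:type:low[-high]' into (user, role, type, low, high).

    When the context carries no '-', the high level equals the low level.
    """
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return user, role, typ, low_lvl, high_lvl


def dominates(a, b):
    """MLS 'dom': a's sensitivity is at least b's and a's categories
    include every category of b."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def mcs_allows(scontext, tcontext):
    """Model the file constraints in policy/mcs: ( h1 dom h2 ).

    Assumption: both types are mcs_constrained_type and neither carries the
    mcsreadall / mcswriteall attribute, so no exemption applies.
    """
    _, _, _, _, h1 = parse_context(scontext)
    _, _, _, _, h2 = parse_context(tcontext)
    return dominates(h1, h2)


# Field layout of a kernel AVC record: permissions, pid, comm, then the
# source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def explain_avc(line):
    """Parse one AVC denial and say whether MCS dominance explains it."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["pid"] = int(d["pid"])
    d["mcs_allows"] = mcs_allows(d["scontext"], d["tcontext"])
    return d


# Constructed audit record modelled on the thread's
# 'denied { write } for pid=52162 comm="qemu-kvm"'; path, dev, ino and
# the file's new categories are invented.
SAMPLE_AVC = (
    'type=AVC msg=audit(1366218000.123:4567): avc:  denied  { write } for  '
    'pid=52162 comm="qemu-kvm" path="/var/lib/libvirt/images/guest.img" '
    'dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:svirt_t:s0:c111,c555 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c222,c333 tclass=file'
)

if __name__ == "__main__":
    r = explain_avc(SAMPLE_AVC)
    print(f"pid {r['pid']} ({r['comm']}) denied {r['perms']} on {r['tclass']}")
    print("process MCS dominates file MCS:", r["mcs_allows"])
```

Relabelling the image while the guest runs is the thread's scenario: the already-open file descriptor keeps serving cached reads, but the next write is re-checked against the new label, fails the dominance check, and with error_policy='stop' the guest is paused. Running `explain_avc` over the real `ausearch -m avc` output would show the same False for that record.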

