MCS labels not being enforced
Mario Rosic
mail at rosicmario.eu
Wed Sep 16 14:36:35 UTC 2015
Hello,
I have trouble understanding how MCS labels work; they are not being
enforced on my RHEL7 system even though SELinux is "enforcing" and the
policy used is "targeted". I don't think I should be able to access
those files:

backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3 /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
backup@test ~ $ id
uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1
root@test ~ # getenforce
Enforcing

I can still access them even though they have different labels (c3 and
c99 as opposed to my user having c1).

backup@test ~ $ cat /tmp/accounts-users
domenico balance: -30
backup@test ~ $ cat /tmp/accounts-admin
don't lend money to domenico

Am I missing something?
More info:

# semanage user -l
SELinux User    Prefix    MCS Level    MCS Range       SELinux Roles
guest_u         user      s0           s0-s0:c0.c10    guest_r

# semanage login -l
Login Name      SELinux User    MLS/MCS Range    Service
__default__     user_u          s0               *
backup          guest_u         s0:c1            *

Regards,
Mario R
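
The category comparison the post expects, as an added example that is not part of the original message: it parses the contexts and ranges shown above and checks whether one level dominates another (sensitivity at least as high, superset of categories). It models only that comparison, not which domains the loaded policy applies an MCS constraint to; all function names are this example's own.

```python
import re

def parse_level(level):
    """Parse one level such as 's0:c0.c10,c99' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        # 'c0.c10' is an inclusive run of categories; 'c3' is a single category.
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not c:
            raise ValueError(f"bad category {item!r} in {level!r}")
        lo = int(c.group(1))
        hi = int(c.group(2)) if c.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category run {item!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(field):
    """Parse 'low-high' (or a single level) and return (low, high)."""
    low, sep, high = field.partition("-")
    return parse_level(low), parse_level(high if sep else low)

def context_range(context):
    """Return the range of 'user:role:type:range'; the range itself contains ':'."""
    return parse_range(context.split(":", 3)[3])

def dominates(a, b):
    """a dominates b: sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]

# Values copied from the command output in the message above.
PROCESS = "guest_u:guest_r:guest_t:s0:c1"
USER_RANGE = "s0-s0:c0.c10"
FILES = {
    "/tmp/accounts-admin": "guest_u:object_r:user_tmp_t:s0:c3",
    "/tmp/accounts-users": "guest_u:object_r:user_tmp_t:s0:c99",
}

def compare():
    """Per file: (process level dominates it, guest_u's top level dominates it)."""
    proc_high = context_range(PROCESS)[1]
    user_high = parse_range(USER_RANGE)[1]
    return {path: (dominates(proc_high, context_range(ctx)[1]),
                   dominates(user_high, context_range(ctx)[1]))
            for path, ctx in FILES.items()}
```

Calling `compare()` reports that the process level s0:c1 dominates neither file's level, and that c99 also falls outside the s0-s0:c0.c10 range listed for guest_u.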