MCS labels not being enforced
Mario Rosic
mail at rosicmario.eu
Thu Sep 17 08:56:24 UTC 2015
Thank you very much @Daniel Walsh & Miroslav Grepl!
It would be very nice if we had this information in the official RHEL7
documentation. I think I studied it thoroughly and still I lost a lot of
time because I expected MCS to work out of the box for SELinux Users
that I create.
On 2015-09-16 at 23:33, Daniel J Walsh wrote:
> I wrote a more detailed blog on this.
>
> http://danwalsh.livejournal.com/73416.html
>
> On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
>> They are only confined on certain domains.
>>
>> seinfo -amcs_constrained_type -x
>> mcs_constrained_type
>> netlabel_peer_t
>> docker_apache_t
>> openshift_t
>> openshift_app_t
>> sandbox_min_t
>> sandbox_x_t
>> sandbox_web_t
>> sandbox_net_t
>> svirt_t
>> svirt_tcg_t
>> svirt_lxc_net_t
>> svirt_qemu_net_t
>> svirt_kvm_net_t
>>
>> If you add this attribute to a type it will start enforcing it.
>>
>> Adding a policy like this will confine guest_t
>>
>> policy_module(mymcs, 1.0)
>> gen_require(`
>> type guest_t;
>> attribute mcs_constrained_type;
>> ')
>>
>> typeattribute guest_t mcs_constrained_type;
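
Added example, not part of the original messages or of any SELinux project code: a shell helper that reads `seinfo -amcs_constrained_type -x` output, reports whether a type carries the attribute, and emits the module source described above for one that does not. The function names and the abridged sample listing are constructed here, and the parser assumes the listing layout quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the seinfo listing quoted in the thread, abridged.
SAMPLE_SEINFO='mcs_constrained_type
   netlabel_peer_t
   sandbox_min_t
   svirt_t
   svirt_lxc_net_t'

# Read `seinfo -amcs_constrained_type -x` output on stdin and print one
# member type per line. Assumes the attribute name comes first and each
# member type sits on its own line, as in the listing above.
mcs_constrained_types() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E '^[A-Za-z0-9_]+$' |
        grep -vxF 'mcs_constrained_type' || true
}

# Exit 0 if type $1 is in the listing on stdin, i.e. MCS is enforced on it.
is_mcs_constrained() {
    mcs_constrained_types | grep -qxF -- "$1"
}

# Print the .te source for module $1 that adds type $2 to the attribute.
# The require block names the attribute as well as the type, because a
# module has to require every identifier it references.
emit_mcs_module() {
    cat <<EOF
policy_module($1, 1.0)

gen_require(\`
	type $2;
	attribute mcs_constrained_type;
')

typeattribute $2 mcs_constrained_type;
EOF
}

# On a live system:
#   seinfo -amcs_constrained_type -x | is_mcs_constrained guest_t \
#       || emit_mcs_module mymcs guest_t > mymcs.te
```
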