Re: More MCS

On Mon, 2005-10-31 at 14:49 -0500, Gene Czarcinski wrote:
> I tried setting a category on a directory in /tmp and then (with touch) 
> creating a file under that directory.  So far so good.
> 
> I then ssh'ed into the system as another user which does not have those 
> categories defined in seusers.  This user could access the file.  This sounds 
> like a bug to me.

Looks like the MCS constraints (as defined in policy/mcs) only constrain
access to files, not directories, presently (and this is noted in a
comment in that file, so it seems to be intentional).  They do appear to
work correctly for files.  Use of categories on directories doesn't seem
to be supported at present under MCS.

> Also, is there a way that a category value can be propagated to all 
> files/directories below it?

Hmmm...the current MLS logic inherits from the process'
effective/current/low level rather than from the parent directory.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
