On Monday 31 October 2005 15:06, Stephen Smalley wrote:
> On Mon, 2005-10-31 at 14:49 -0500, Gene Czarcinski wrote:
> > I tried setting a category on a directory in /tmp and then (with touch)
> > creating a file under that directory. So far so good.
> >
> > I then ssh'ed into the system as another user which does not have those
> > categories defined in seusers. This user could access the file. This
> > sounds like a bug to me.
>
> Looks like the MCS constraints (as defined in policy/mcs) only constrain
> access to files, not directories, presently (and this is noted in a
> comment in that file, so it seems to be intentional). They do appear to
> work correctly for files. Use of categories on directories doesn't seem
> to be supported at present under MCS.

Yes, files work but not directories ... this is not intuitive (not expected).

> > Also, is there a way that a category value can be propagated to all
> > files/directories below it?
>
> Hmmm...the current MLS logic inherits from the process'
> effective/current/low level rather than from the parent directory.

Whether MCS or MLS, if a user without the category/compartment can "blast through" the directory, this will be unexpected behavior.

Gene

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
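The two behaviours discussed in this thread (the MCS constraint applying to the file class but not to dir, and a new file taking its level from the creating process rather than from the parent directory) are easier to reason about in a small model. The following is an added example, not SELinux, libselinux or policy code: it models the MCS check as "the subject's clearance (high level) must contain every category on the object", applied only to the object classes listed in CONSTRAINED_CLASSES, and it parses contexts of the form user:role:type:level or user:role:type:low-high. The contexts, types and category numbers used as sample input are constructed for the example.

```python
"""Toy model of the MCS category check discussed in the thread.

Added example, not SELinux or policy code. The MCS constraint is modelled
as category dominance: every category on the object must be present in the
subject's clearance. The constraint is applied only to the object classes
in CONSTRAINED_CLASSES; the default (file only, not dir) reproduces what
Stephen describes for the 2005 policy/mcs file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    typ: str
    low: str   # effective/current level, e.g. "s0" or "s0:c5"
    high: str  # clearance, e.g. "s0:c0.c1023"; equals low for a single-level context


def parse_categories(level: str) -> frozenset:
    """Expand the category part of a level: 's0:c1,c3.c5' -> {1, 3, 4, 5}.

    A level with no ':' (e.g. 's0') carries no categories.
    """
    if ":" not in level:
        return frozenset()
    _sensitivity, cats = level.split(":", 1)
    out = set()
    for part in cats.split(","):
        if "." in part:                      # range such as c0.c1023
            lo, hi = part.split(".")
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:                                # single category such as c5
            out.add(int(part[1:]))
    return frozenset(out)


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type:low[-high]' into a Context.

    The level itself may contain ':' (s0:c5), so split on at most three
    colons and treat the remainder as the level or level range.
    """
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return Context(user, role, typ, low, high or low)


# Object classes the modelled MCS constraint covers. Per the thread, the
# 2005 policy/mcs constrained file but not dir.
CONSTRAINED_CLASSES = frozenset({"file"})


def mcs_allows(subject: Context, obj: Context, obj_class: str,
               constrained: frozenset = CONSTRAINED_CLASSES) -> bool:
    """True if the MCS constraint does not block the access.

    Classes outside `constrained` have no MCS constraint at all, so type
    enforcement alone decides; the model returns True for them.
    """
    if obj_class not in constrained:
        return True
    return parse_categories(obj.low) <= parse_categories(subject.high)


def label_for_new_object(creator: Context, parent: Context) -> str:
    """Level a newly created file gets in this model.

    As Stephen notes, the level comes from the creating process's
    effective (low) level, not from the parent directory; `parent` is
    accepted only to make that explicit.
    """
    return creator.low


def can_reach(subject: Context, path, constrained: frozenset = CONSTRAINED_CLASSES) -> bool:
    """Walk a path given as [(class, Context), ...] from the top directory
    down to the leaf; access succeeds only if every component passes MCS."""
    return all(mcs_allows(subject, c, cls, constrained) for cls, c in path)


# Constructed sample contexts (hypothetical users and types, not real policy):
GENE = parse_context("gene_u:user_r:user_t:s0-s0:c0.c1023")   # has all categories
OTHER = parse_context("other_u:user_r:user_t:s0")              # no categories
TMP_DIR_C5 = parse_context("gene_u:object_r:user_tmp_t:s0:c5")  # chcat'ed directory
# A file touched by Gene's process inside that directory: level from the process.
TOUCHED_FILE = parse_context("gene_u:object_r:user_tmp_t:" + label_for_new_object(GENE, TMP_DIR_C5))
FILE_C5 = parse_context("gene_u:object_r:user_tmp_t:s0:c5")     # file explicitly given c5

if __name__ == "__main__":
    print("file created under c5 dir got level:", TOUCHED_FILE.low)
    print("other user reaches touched file:", can_reach(OTHER, [("dir", TMP_DIR_C5), ("file", TOUCHED_FILE)]))
    print("other user reads file labelled c5:", mcs_allows(OTHER, FILE_C5, "file"))
    print("same walk if dir were constrained too:",
          can_reach(OTHER, [("dir", TMP_DIR_C5), ("file", TOUCHED_FILE)], frozenset({"file", "dir"})))
```

Running it shows the thread's observation in miniature: the touched file gets level s0 (the process's low level), the dir class is not constrained, so OTHER walks straight through the c5 directory to the file; a file explicitly labelled with c5 is denied to OTHER but not to GENE; and passing a constraint set that includes dir is the one change that makes the directory's category stop the walk.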