I played around a bit with using MCS under the targeted policy and wanted to provide some feedback.

Adding labels for context levels doesn't seem to work quite right. For example:

[root@cerberus ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:sysadm_r:unconfined_t
[root@cerberus ~]# semanage translation -a -T test1 s0:c1
/etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
/etc/profile.d/lang.sh: line 49: /sbin/consoletype: Permission denied
basename: write error: Permission denied
basename: write error: Permission denied
env: /etc/init.d/mcstrans: Permission denied

I have to restart the mcstrans service to get the label names to show up.

Having the context type for new files include all of the labels is a pain. While this is probably safer from a forgetting-to-label-a-file perspective, it ends up labelling a lot of files you aren't going to be aware of. For example, when I tried ending my experiment and took away access to categories, I found that some of my gnome profile files had been labelled with categories and I could no longer access them. I think some system updates I did during the experiment also resulted in files being labelled with categories, as some of the gnome default files were inaccessible to me.

While trying to fix this I found that chcat doesn't seem to do recursive labelling. While I could use find and xargs, a -r option would be nice. However, instead of trying find and xargs I tried fixfiles instead. The good and bad news is that fixfiles solved my immediate problem and the files were relabelled without categories. However, that suggests that if people are using MCS labelling and do a relabel of their system for some reason, all of the category labels are going to be lost. I think if I were going to use such a system, I would want to have a command to set the default category labels to apply (and another to check what they are set to).
And I would want to make sure things like config files didn't get labelled. Working at the shell level this wouldn't be a problem, but if you are doing things from the desktop this would be harder to do. Maybe there could be a new context for a user's config files and those wouldn't get labelled the same as other files do by default.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
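The relabel problem described in the post (fixfiles/restorecon resetting every file to the file-context default and silently dropping MCS categories) can be worked around by snapshotting the ranges first and replaying them afterwards. The POSIX shell helper below is an added example, not code from the post or from the SELinux tools. It assumes the usual user:role:type:range context layout, GNU stat's %C format specifier for the security context, and chcon(1)'s --range option; the sample listing at the bottom is constructed to stand in for a real directory scan. It also covers the other point raised in the post, in that the generated commands double as a way to check which files currently carry categories.

```shell
#!/bin/sh
# Added example (not from the list post or the SELinux tools): snapshot the
# MCS range of every file under a directory before fixfiles/restorecon runs,
# then regenerate the commands that put the categories back afterwards.
# Assumes: user:role:type:range context layout, GNU stat's %C format
# specifier, and chcon(1)'s --range option.

tab=$(printf '\t')

# has_categories RANGE: succeed unless RANGE is a bare sensitivity such as
# s0 or s0-s15. Dropping the digits reduces "s0:c1,c2" to "s:c,c" and
# "s0-s0:c0.c1023" to "s-s:c.c", so only "s" and "s-s" are category-free.
# A translated name from mcstrans ("test1") is also treated as categories.
has_categories() {
    case $(printf '%s' "$1" | tr -d '0-9') in
        s|s-s) return 1 ;;
        *)     return 0 ;;
    esac
}

# filter_categories: reads "context<TAB>path" lines on stdin and writes
# "range<TAB>path" for every entry whose range carries categories. Paths
# may contain spaces; a context never contains a tab, so split on the
# first tab only. Unlabelled files show a context of "?" and are skipped.
filter_categories() {
    while IFS= read -r line || [ -n "$line" ]; do
        ctx=${line%%"$tab"*}
        path=${line#*"$tab"}
        range=${ctx#*:*:*:}                 # everything after the third colon
        [ "$range" = "$ctx" ] && continue   # no range field at all
        has_categories "$range" || continue
        printf '%s\t%s\n' "$range" "$path"
    done
}

# mcs_snapshot DIR: produce the snapshot for a real directory. Needs an
# SELinux-enabled host; stat's %C prints the file's security context.
mcs_snapshot() {
    find "$1" -exec stat --printf='%C\t%n\n' {} + | filter_categories
}

# restore_cmds: turn snapshot lines back into chcon commands, single-quoting
# each path (with embedded quotes escaped) so the output can be fed to sh.
restore_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        range=${line%%"$tab"*}
        path=${line#*"$tab"}
        esc=$(printf '%s' "$path" | sed "s/'/'\\\\''/g")
        printf "chcon --range=%s '%s'\n" "$range" "$esc"
    done
}

# Constructed sample listing standing in for `mcs_snapshot /home/user`
# output on a box where a user's config files picked up categories.
sample="system_u:object_r:user_home_t:s0${tab}/home/user/.bashrc
unconfined_u:object_r:user_home_t:s0:c1,c2${tab}/home/user/docs/plan.txt
unconfined_u:object_r:user_home_t:s0:c1${tab}/home/user/.gconf/%gconf.xml
?${tab}/home/user/unlabelled"

# Typical use on a real host:
#   mcs_snapshot /home/user > mcs.tsv
#   fixfiles restore /home/user
#   restore_cmds < mcs.tsv | sh
# Here the constructed sample is run through the same pipeline instead.
printf '%s\n' "$sample" | filter_categories | restore_cmds
```

Reviewing the snapshot before replaying it is also the quickest way to spot files such as the gnome config files mentioned in the post that should never have carried categories: delete those lines from the snapshot and they simply keep the default range after the relabel.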