On Fri, 2009-08-14 at 13:30 -0700, Sam Marshall wrote:
> Hi,
>
> In FC11, is there a limit to the number of category elements that can
> be compared to make access decisions using MCS? My understanding is
> that up to 1024 categories can be assigned in setrans.conf, however,
> only six or fewer categories can be used for comparison to make
> access decisions.
>
> For example, when I assign a login user to 7 categories (e.g., s:0,
> c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same
> categories number, permission is denied if the user tries to cat out
> the file (Unix DACL permissions allow the user read access).
>
> When I assign less than 7 of the exact same categories to the file and
> user, the user can open the file.
>
> I've tried using ranges (c2.c5, c10.c18, etc.), and found that there
> appears to be a four element limitation with the range notation.
>
> Does this sound right?

No, that sounds like a bug. Can you provide more specifics, please?

The following worked for me just fine:

# useradd foo
# passwd foo
# semanage login -a -s unconfined_u -r s0-s0:c0,c1,c2,c5,c8,c11,c12,c19 foo
# ssh -l foo localhost
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c2,c5,c8,c11,c12,c19
$ echo hello > foo
$ chcon -l s0:c0.c2,c5,c8,c11,c12,c19 foo
$ cat foo
hello

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
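As an added illustration (not part of the thread above), the following constructed Python models how the MCS level strings in the session are interpreted: range shorthand such as c0.c2 expands to individual categories, and a file read is allowed when the subject's high (clearance) level dominates the file's level, i.e. the file's category set is a subset of the subject's; it assumes the reference policy's MCS file-read constraint (h1 dom h2) and is a stand-alone model, not SELinux's own code.

```python
import re
from typing import Set, Tuple

Level = Tuple[int, Set[int]]  # (sensitivity number, set of category numbers)


def parse_level(level: str) -> Level:
    """Parse one MCS level such as 's0' or 's0:c0.c2,c5,c8' into (sensitivity, categories).

    A range element 'cN.cM' is shorthand for every category from N to M inclusive,
    which is how semanage rendered c0,c1,c2 as c0.c2 in the session above.
    """
    sens_part, _, cat_part = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in level {level!r}")
    cats: Set[int] = set()
    if cat_part:
        for item in cat_part.split(","):
            rm = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not rm:
                raise ValueError(f"bad category element {item!r} in {level!r}")
            lo = int(rm.group(1))
            hi = int(rm.group(2)) if rm.group(2) else lo
            if hi < lo:
                raise ValueError(f"descending range {item!r} in {level!r}")
            cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats


def parse_range(ctx_range: str) -> Tuple[Level, Level]:
    """Split a context range 'low-high' (or a single level) into parsed low and high levels."""
    low, _, high = ctx_range.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(subject_range: str, object_level: str) -> bool:
    """Model of the MCS file-read check: the subject's high level must dominate the object's.

    Dominance means sensitivity >= and the object's categories are a subset of the subject's.
    There is no cap of six or seven categories in this comparison; any number of
    categories in the (assumed) range 0..1023 compares the same way.
    """
    _, (s_sens, s_cats) = parse_range(subject_range)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and o_cats <= s_cats
```

Feeding the session's own labels through `dominates` shows that the eight-category user level from the semanage line permits reading the file labelled with the identical set, while dropping any one category from the subject denies it.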