Re: Using dyntransition to reduce privileges for Web application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2011 05:59 PM, Dominick Grift wrote:
> On 02/20/2011 06:31 AM, Scott Gifford wrote:
 [ ... ] 
>> OK, so I have started experimenting with this, but /proc is not behaving how
>> I expect so far.
>
>> So I open up two shells.  In the first I run:
>
>> runcon -l s0-s0:c0,c1 bash
>
>
>> and in the second:
>
>> runcon -l s0-s0:c0,c2 bash
>
>
>> So both should have access to c1, but only the first will have access to c1
>> and only the second will have access to c2.

Above I meant to say "both should have access to c0".
[ ... ] 
>> shell1$ *id -Z*
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ *ls -lZ /proc/10961/maps*
>> -r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
>> /proc/10961/maps
>> shell1$ *head -1 /proc/10961/maps*
>> 002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]
>
> from /policy/mcs:
>
> # Note:
> #  - getattr on dirs/files is not constrained.
> #  - /proc/pid operations are not constrained.
>
> so that explains the above

Ah, yes it does, thanks!  I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?

-------Scott.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux