On 02/20/2011 09:47 PM, Scott Gifford wrote:
> On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
>
>> On 02/20/2011 05:59 PM, Dominick Grift wrote:
>>> On 02/20/2011 06:31 AM, Scott Gifford wrote:
>
> [ ... ]
>
>>>> OK, so I have started experimenting with this, but /proc is not behaving how
>>>> I expect so far.
>>>
>>>> So I open up two shells. In the first I run:
>>>
>>>> runcon -l s0-s0:c0,c1 bash
>>>
>>>> and in the second:
>>>
>>>> runcon -l s0-s0:c0,c2 bash
>>>
>>>> So both should have access to c1, but only the first will have access to c1
>>>> and only the second will have access to c2.
>
> Above I meant to say "both should have access to c0".
>
> [ ... ]
>
>>>> shell1$ id -Z
>>>> user_u:system_r:unconfined_t:-s0:c0,c1
>>>> shell1$ ls -lZ /proc/10961/maps
>>>> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
>>>> shell1$ head -1 /proc/10961/maps
>>>> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
>>>
>>> from /policy/mcs:
>>>
>>> # Note:
>>> # - getattr on dirs/files is not constrained.
>>> # - /proc/pid operations are not constrained.
>>>
>>> so that explains the above
>
> Ah, yes it does, thanks! I wonder if I can adjust this policy to get
> different behavior, or if it's hardcoded somewhere outside the policy?

No, not hardcoded. This is just configuration (policy); you can define
your own constraints, or modify existing ones.

> -------Scott.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
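A small model of the behaviour discussed in this thread, added here as an example and not code from the thread or from the SELinux policy itself: it parses MCS levels out of a context, checks category dominance, and applies the two exemptions quoted from /policy/mcs (getattr and /proc/pid operations are not constrained). Assumptions: the read rule is modelled as plain dominance (the source's categories must be a superset of the target's), and the /proc/pid exemption is modelled as a path check.

```python
import re

# Constructed model of the MCS file-read constraint; not the real policy.
# Anything under /proc/<pid> is exempt, per the policy note quoted in the thread.
PROC_PID = re.compile(r"^/proc/\d+(?:/|$)")


def parse_level(context):
    """Return (sensitivity, frozenset of categories) from a context or bare level.

    Accepts full contexts such as 'user_u:system_r:unconfined_t:s0-s0:c0,c1'
    and bare levels or ranges such as 's0-s0:c0,c2'. For a range the high
    level is used, which is what the kernel compares for dominance.
    """
    fields = context.split(":", 3)
    mls = fields[3] if len(fields) == 4 else context
    high = mls.split("-")[-1]               # high end of an MLS range
    parts = high.split(":", 1)
    sens = int(parts[0].lstrip("s"))
    cats = set()
    if len(parts) == 2 and parts[1]:
        for item in parts[1].split(","):
            if "." in item:                 # 'c0.c3' means c0 through c3
                lo, hi = (int(x.lstrip("c")) for x in item.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(item.lstrip("c")))
    return sens, frozenset(cats)


def dominates(src, tgt):
    """MCS dominance: same-or-higher sensitivity and a superset of categories."""
    (s_sens, s_cats), (t_sens, t_cats) = parse_level(src), parse_level(tgt)
    return s_sens >= t_sens and t_cats <= s_cats


def mcs_permits(src_ctx, tgt_ctx, perm, path):
    """Model whether the MCS constraint lets src_ctx perform perm on a file.

    getattr and /proc/<pid> operations are not constrained (policy comment);
    every other file permission is modelled as requiring dominance (assumption).
    """
    if perm == "getattr" or PROC_PID.match(path):
        return True
    return dominates(src_ctx, tgt_ctx)
```

Running it on the thread's labels shows the shell with c0,c1 reading a c0,c2 file succeeds under /proc/10961 but is denied for the same labels on an ordinary path.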