On 02/20/2011 09:47 PM, Scott Gifford wrote:
> On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
[ ... ]
No, not hardcoded. This is just configuration (policy) you can define>>> from /policy/mcs:
>>>
>>> # Note:
>>> # - getattr on dirs/files is not constrained.
>>> # - /proc/pid operations are not constrained.
>>>
>>> so that explains the above
>>
>
> Ah, yes it does, thanks! I wonder if I can adjust this policy to get
> different behavior, or if it's hardcoded somewhere outside the policy?
>
your own constraints, or modify existing ones.
OK, I think I've got this. I removed the "or ( t2 == domain )" from these rules in policy/mcs:
- mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
- mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
and I seem to be getting the behavior I want. Anybody see any risks or downsides to this?
For long-term maintenance, it looks like I can't override this in my own module, I will need to patch the base policy, maybe by adding another patch to the serefpolicy-2.4.6 RPM specfile and maintaining this by hand? Is there a better way to maintain customizations to the base policy?
I think I can automatically generate a unique category set from a PID by using two MCS categories to represent each bit of the PID, the first for a 0-bit and the second for a 1-bit. That will take 32 categories for a 16-bit PID, which seems reasonable.
Thanks for the help!
-----Scott.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
