On Wed, 2013-04-17 at 23:18 +0800, bigclouds wrote:
> a process can access a file, they have same MCS.
> the authority of access the file is its biggest authority or smallest
> authority?

Not sure if I understand your question but the MCS range of the source
operating on the target needs to be exactly the same, I believe.

> can anythings else the process have access to, besides the file?
> thanks
>

Here are the MCS rules:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs

You can look there to see how MCS affects the policy.

>
> At 2013-04-17 21:15:10,"Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
> >On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
> >> hi, all
> >> a qemu-kvm process and its disk (image file) have the same
> >> MCS (s0:c111,c555). it express this process have access to this image.
> >> i do not know the power to access its image file is the max or min?
> >> if any other power this process (domain) has? how much?
> >> i want to know the exact power a qemu-kvm process has besides access
> >> its image file, other kinds of files, dirs etc.
> >
> >I do not fully understand your question and the information you provided
> >does not clarify the issues for me but:
> >
> >Here you can find the Fedora MCS rules:
> >
> >https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
> >
> >To see what all types have assigned the mcs_constrained_type attribute:
> >
> >seinfo -xamcs_constrained_type
> >
> >>
> >> my test case:
> >> after start a guestVM (its disk xml, cache='none' error_policy='stop'),
> >> make some modification on its files and save them.
> >> then go to hypervisor, modify the MCS of guestVM's image file.
> >> 1. i can read those files (cache=none)? it should not be so. why?
> >> 2. then modify files and save, the guestVM hang, it is paused on UI.
> >> this is right, qemu process can not write again. why this guestVM is
> >> hang? and can not be resumed
> >> 3. look at audit info.
> >> denied { write } for pid=52162 comm="qemu-kvm".
> >> that pid is 52162, is not my qemu-kvm's pid? why?
> >>
> >> thanks so much.
> >>
> >>
> >> --
> >> selinux mailing list
> >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
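Added example, not part of the original messages or of any SELinux tooling: a small parser that takes an AVC denial like the one quoted in the thread and reports how the MCS category sets of the source and target contexts relate, which is the first thing to check after an image file has been relabeled. The sample record is constructed; its path, device, inode and type names are assumptions, and only the categories s0:c111,c555, the pid and the comm value come from the thread.

```python
import re

# Constructed sample AVC record (not from the thread): the process keeps the
# thread's s0:c111,c555 label, the image is assumed relabeled to s0:c1,c2.
SAMPLE_AVC = (
    'type=AVC msg=audit(1366211880.123:456): avc:  denied  { write } for  '
    'pid=52162 comm="qemu-kvm" path="/var/lib/libvirt/images/guest.img" '
    'dev="dm-0" ino=1234 scontext=system_u:system_r:svirt_t:s0:c111,c555 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c1,c2 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def categories(context):
    """Category set of the high level in user:role:type:low[-high]."""
    parts = context.split(':', 3)
    if len(parts) < 4:
        raise ValueError('context has no MLS/MCS field: ' + context)
    high = parts[3].split('-')[-1]         # "s0-s0:c0.c1023" -> "s0:c0.c1023"
    cats = high.partition(':')[2]          # drop the sensitivity (s0 under MCS)
    result = set()
    for item in filter(None, cats.split(',')):
        first, _, last = item.partition('.')   # "c0.c1023" is an inclusive range
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        result.update(range(lo, hi + 1))
    return result

def mcs_relation(scontext, tcontext):
    # Only categories are compared; sensitivities are assumed equal (MCS uses s0).
    s, t = categories(scontext), categories(tcontext)
    if s == t:
        return 'equal'
    if s > t:
        return 'source dominates target'
    if s < t:
        return 'target dominates source'
    return 'incomparable'

def explain(line):
    """Parse one AVC denial; return its fields plus the MCS relation, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d.update(pid=int(d['pid']), perms=d['perms'].split(),
             mcs=mcs_relation(d['scontext'], d['tcontext']))
    return d
```

Whether a given relation is allowed is decided by the constraints in the policy/mcs file linked above, so compare the reported relation against those rules.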