On 04/17/2013 12:53 PM, Dominick Grift wrote:
> On Wed, 2013-04-17 at 23:18 +0800, bigclouds wrote:
>> a process can access a file, they have the same MCS. is the authority
>> to access the file its biggest authority or its smallest authority?
>
> Not sure if I understand your question, but the MCS range of the source
> operating on the target needs to be exactly the same, I believe.
>
>> can the process have access to anything else, besides the file? thanks
>>
>
> Here are the MCS rules:
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
>
> You can look there to see how MCS affects the policy.
>
>> At 2013-04-17 21:15:10, "Dominick Grift" <dominick.grift@xxxxxxxxx>
>> wrote:
>>> On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
>>>> hi, all. a qemu-kvm process and its disk (image file) have the same
>>>> MCS (s0:c111,c555). this expresses that this process has access to this
>>>> image. i do not know whether the power to access its image file is the
>>>> max or the min? does this process (domain) have any other power? how
>>>> much? i want to know the exact power a qemu-kvm process has besides
>>>> access to its image file: other kinds of files, dirs etc.
>>>
>>> I do not fully understand your question and the information you
>>> provided does not clarify the issues for me, but:
>>>
>>> Here you can find the Fedora MCS rules:
>>>
>>> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
>>>
>>> To see which types have the mcs_constrained_type attribute assigned:
>>>
>>> seinfo -xamcs_constrained_type
>>>
>>>> my test case: after starting a guest VM (its disk xml has cache='none'
>>>> error_policy='stop'), make some modifications to its files and save
>>>> them. then go to the hypervisor and modify the MCS of the guest VM's
>>>> image file.
>>>> 1. i can read those files (cache=none)? it should not be so. why?
>>>> 2. then modify files and save; the guest VM hangs, it is paused on the
>>>> UI. this is right, the qemu process can not write again. why is this
>>>> guest VM hung? and it can not be resumed.
>>>> 3. look at the audit info. denied { write } for pid=52162
>>>> comm="qemu-kvm". that pid is 52162, is not my qemu-kvm's pid? why?
>>>>
>>>> thanks so much.
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>

Must be my day to blog.

http://danwalsh.livejournal.com/#post-danwalsh-63472

This blog explains MCS Separation.
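The question running through this thread (same MCS on process and image, "exactly the same" versus something looser, and what the denied { write } line says) comes down to how the MCS level on a process is compared with the level on a file. The following Python is an added example, not code from the thread, from the Fedora policy, or from libvirt. It models the comparison as the dominance relation the file constraints in the linked policy/mcs file are written in (h1 dom h2: the source's high level must carry every category of the target's level) and parses an AVC denial line of the shape quoted above so the pid, comm and both contexts can be read together. The pid and comm in SAMPLE_AVC come from the thread; the image path, the target context and the audit timestamp are constructed, and the function names are my own.

```python
"""Model of the SELinux MCS comparison discussed in this thread.

Added example, not code from the thread, the Fedora policy, or libvirt.
Labels such as s0:c111,c555 (the qemu-kvm label in the thread) are parsed
and compared with the dominance relation (h1 dom h2) used by the file
constraints in policy/mcs: the source's high level must contain every
category of the target's level.  SAMPLE_AVC is constructed.
"""
from __future__ import annotations

import re

LEVEL_RE = re.compile(r"^s(?P<sens>\d+)(?::(?P<cats>[c0-9,.]+))?$")


def parse_level(level: str) -> tuple[int, frozenset[int]]:
    """Split an MCS level into (sensitivity, categories).

    Accepts "s0", "s0:c111,c555" and range syntax such as "s0:c0.c1023".
    """
    m = LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError(f"not an MCS level: {level!r}")
    cats: set[int] = set()
    for part in (m.group("cats") or "").split(","):
        if not part:
            continue
        if "." in part:                       # cN.cM is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group("sens")), frozenset(cats)


def high_level(context: str) -> str:
    """Return the high (clearance) level of a full context or a bare level/range.

    "system_u:system_r:svirt_t:s0:c111,c555"   -> "s0:c111,c555"
    "system_u:system_r:virtd_t:s0-s0:c0.c1023" -> "s0:c0.c1023"
    """
    parts = context.split(":", 3)
    level_part = parts[3] if len(parts) == 4 else context
    return level_part.split("-")[-1]          # low-high range: keep the high end


def dominates(source_ctx: str, target_ctx: str) -> bool:
    """h1 dom h2: the source's high level dominates the target's high level."""
    s_sens, s_cats = parse_level(high_level(source_ctx))
    t_sens, t_cats = parse_level(high_level(target_ctx))
    return s_sens >= t_sens and t_cats <= s_cats


# Constructed AVC line in the shape of the denial quoted in the thread
# (pid and comm from the thread; path, contexts and timestamp are made up).
SAMPLE_AVC = (
    'type=AVC msg=audit(1366204000.123:456): avc:  denied  { write } for  '
    'pid=52162 comm="qemu-kvm" path="/var/lib/libvirt/images/guest.img" '
    'dev="dm-0" ino=1234 scontext=system_u:system_r:svirt_t:s0:c111,c555 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c222,c333 tclass=file'
)

AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm=\"(?P<comm>[^\"]*)\""
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def explain_avc(line: str) -> dict:
    """Extract pid, comm, permissions and both contexts from an AVC denial and
    record whether the source label dominates the target label under MCS."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    info = m.groupdict()
    info["pid"] = int(info["pid"])
    info["perms"] = info["perms"].split()
    info["mcs_dominates"] = dominates(info["scontext"], info["tcontext"])
    return info


if __name__ == "__main__":
    for src, tgt in [("s0:c111,c555", "s0:c111,c555"),
                     ("s0:c111,c555", "s0:c111,c556"),
                     ("s0-s0:c0.c1023", "s0:c111,c555")]:
        print(f"{src:>16} dom {tgt:<16} -> {dominates(src, tgt)}")
    print(explain_avc(SAMPLE_AVC))
```

With only sensitivity s0 in use, a two-category label dominates another two-category label only when the sets are identical, which is the case the thread describes (s0:c111,c555 on both the process and the image); relabel the image to a different pair and the check fails, matching the denied write. A domain whose high level is s0:c0.c1023 dominates every such label, which is why a wide range on a management domain behaves very differently from the narrow per-guest pairs.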