That's right, (ignoring mls/mcs attributes), the MCS policy for all restricted classes is simply:

( h1 dom h2 )

Depending on what distribution you're using, the classes that are restricted vary (for example, RHEL doesn't yet have network-related restrictions, but Fedora 18 does), however the file and database classes have been restricted upstream in the SELinux Reference Policy for quite some time and so should be available.

For a more detailed explanation of policy, see the related MLS article:
http://trustedsubject.wordpress.com/2013/02/11/selinux-reference-policy-part-1-mls-constraints/

Cheers,
Doug

From: Ted Toth <txtoth@xxxxxxxxx>
Date: Wednesday, 24 April 2013 1:09 AM
To: bigclouds <bigclouds@xxxxxxx>
Cc: "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: MCS confusing questions

Assuming that the svirt_t domain has policy to read svirt_tmp_t files, from the MCS perspective s0:c1,c2 dominates s0:c1.

On Tue, Apr 23, 2013 at 5:23 AM, bigclouds <bigclouds@xxxxxxx> wrote:

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
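
The dominance test `( h1 dom h2 )` discussed in this thread, as an added Python example that is not part of the original messages or of any SELinux tooling. The function names and the sample labels other than `s0:c1,c2` and `s0:c1` are constructed for illustration; the check models only the MCS constraint, so type enforcement must still allow the access separately.

```python
def parse_level(level):
    """Parse one level such as 's0:c1,c2' or 's0:c0.c3' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")      # 'c0.c3' means c0 through c3
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        if hi < lo:
            raise ValueError("bad category range: " + item)
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)


def high_level(mls_range):
    """Return the high level of 'low-high'; a single level is its own high."""
    return parse_level(mls_range.rpartition("-")[2])


def dominates(source, target):
    """True when the source's high level (h1) dominates the target's (h2)."""
    s1, c1 = high_level(source)
    s2, c2 = high_level(target)
    # Dominance: sensitivity at least as high AND category set a superset.
    return s1 >= s2 and c1 >= c2


if __name__ == "__main__":
    # Constructed (process label, file label) pairs; the first is from the thread.
    samples = [
        ("s0:c1,c2", "s0:c1"),            # superset of categories: allowed
        ("s0:c1", "s0:c1,c2"),            # missing c2: denied
        ("s0:c1,c2", "s0:c3,c4"),         # disjoint pairs, e.g. two guests: denied
        ("s0-s0:c0.c1023", "s0:c3,c4"),   # full category range dominates any set
        ("s0:c1,c2", "s0"),               # target without categories: allowed
    ]
    for proc, obj in samples:
        verdict = "allowed" if dominates(proc, obj) else "denied"
        print(f"{proc:>16} -> {obj:<10} {verdict} by MCS")
```
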