Hello,

I have trouble understanding how MCS labels work. They are not being enforced on my RHEL7 system even though SELinux is "enforcing" and the policy used is "targeted".

I don't think I should be able to access those files:

    backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
    -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3  /tmp/accounts-admin
    -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users

    backup@test ~ $ id
    uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1

    root@test ~ # getenforce
    Enforcing

I can still access them even though they have different labels (c3 and c99 as opposed to my user having c1).

    backup@test ~ $ cat /tmp/accounts-users
    domenico balance: -30

    backup@test ~ $ cat /tmp/accounts-admin
    don't lend money to domenico

Am I missing something?

More info:

    # semanage user -l
    SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
    guest_u         user       s0         s0-s0:c0.c10     guest_r

    # semanage login -l
    Login Name      SELinux User    MLS/MCS Range    Service
    __default__     user_u          s0               *
    backup          guest_u         s0:c1            *

Regards,
Mario R

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux