On 09/16/2015 04:36 PM, Mario Rosic wrote:
> Hello,
>
> I have trouble understanding how MCS labels work. They are not being
> enforced on my RHEL7 system even though selinux is "enforcing" and the
> policy used is "targeted". I don't think I should be able to access
> those files:
>
> backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
> -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3  /tmp/accounts-admin
> -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
> backup@test ~ $ id
> uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1
>
> root@test ~ # getenforce
> Enforcing
>
> I can still access them even though they have different labels (c3 and
> c99 as opposed to my user having c1).
>
> backup@test ~ $ cat /tmp/accounts-users
> domenico balance: -30
> backup@test ~ $ cat /tmp/accounts-admin
> don't lend money to domenico
>
> Am I missing something?
>
> More info:
>
> # semanage user -l
> SELinux User    Prefix    MCS Level    MCS Range        SELinux Roles
> guest_u         user      s0           s0-s0:c0.c10     guest_r
>
> # semanage login -l
> Login Name      SELinux User    MLS/MCS Range    Service
> __default__     user_u          s0               *
> backup          guest_u         s0:c1            *
>
> Regards,
> Mario R
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

That's correct. Only some types are MCS aware in targeted policy by default. See

    $ seinfo -xamcs_constrained_type

So in your case, if you create a local policy like

    $ cat mymcs.te
    policy_module(mymcs, 1.0)

    require {
        type guest_t;
    }

    # Put guest_t under the MCS constraints, so a guest_t process can only
    # read files whose categories its own level dominates.
    mcs_constrained(guest_t)

then you will get the expected behaviour.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
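To make the reply concrete, here is an added example (written for this page, not code from the list, from RHEL or from the SELinux reference policy) that parses the label syntax shown in the thread and applies the MCS file-read constraint from refpolicy's policy/mcs, which in essence allows a read when the process's high level dominates the file's high level, or when the process type is not in the mcs_constrained_type attribute. Run against the thread's own labels it shows why backup can read both files today (guest_t is not constrained) and which reads the local module above would deny. The constrained-type set is passed in explicitly; on a real host it is whatever `seinfo -xamcs_constrained_type` prints, plus any type you add with mcs_constrained().

```python
"""Model of the MCS dominance check that mcs_constrained() enables.

Added example for this thread, not the SELinux policy itself. It paraphrases
the refpolicy MCS read constraint:
    (h1 dom h2) or (t1 != mcs_constrained_type)
i.e. allowed if the process high level dominates the file high level, or the
process type is simply not MCS-constrained (the targeted-policy default for
most domains, including guest_t).
"""
import re

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(level: str):
    """'s0:c1,c3.c5' -> (0, frozenset({1, 3, 4, 5})); 's0' -> (0, frozenset())."""
    m = _LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError(f"bad MCS level: {level!r}")
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # category range, e.g. c0.c10
                lo, hi = part.split(".", 1)
                lo, hi = _cat(lo), _cat(hi)
                if lo > hi:
                    raise ValueError(f"inverted category range: {part!r}")
                cats.update(range(lo, hi + 1))
            else:                                # single category, e.g. c3
                cats.add(_cat(part))
    return sens, frozenset(cats)


def _cat(token: str) -> int:
    if not token.startswith("c") or not token[1:].isdigit():
        raise ValueError(f"bad category: {token!r}")
    return int(token[1:])


def parse_range(rng: str):
    """'s0-s0:c0.c10' -> (low, high); a single level 's0:c1' is its own high."""
    low_s, _, high_s = rng.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return low, high


def parse_context(ctx: str):
    """'guest_u:guest_r:guest_t:s0:c1' -> user, role, type and (low, high) range."""
    user, role, type_, rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": parse_range(rest)}


def dominates(a, b) -> bool:
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return bool(a[0] >= b[0] and a[1] >= b[1])


def level_in_range(level, rng) -> bool:
    """Whether a login level fits inside an SELinux user's MCS range."""
    low, high = rng
    return dominates(level, low) and dominates(high, level)


def mcs_read_allowed(proc_ctx: str, file_ctx: str, constrained_types) -> bool:
    """The MCS part of a file read decision (type enforcement is separate)."""
    proc, file_ = parse_context(proc_ctx), parse_context(file_ctx)
    if proc["type"] not in constrained_types:
        return True                              # not MCS-aware: MCS never denies
    return dominates(proc["range"][1], file_["range"][1])


# Labels taken from the thread above.
BACKUP_PROC = "guest_u:guest_r:guest_t:s0:c1"
FILES = {
    "/tmp/accounts-admin": "guest_u:object_r:user_tmp_t:s0:c3",
    "/tmp/accounts-users": "guest_u:object_r:user_tmp_t:s0:c99",
}


def demo():
    """Read decisions before and after mcs_constrained(guest_t)."""
    return {
        "default": {p: mcs_read_allowed(BACKUP_PROC, c, frozenset()) for p, c in FILES.items()},
        "with_mymcs": {p: mcs_read_allowed(BACKUP_PROC, c, frozenset({"guest_t"}))
                       for p, c in FILES.items()},
    }


if __name__ == "__main__":
    for scenario, results in demo().items():
        for path, ok in results.items():
            print(f"{scenario:11} {path}: {'allowed' if ok else 'denied'}")
```

Two caveats worth keeping in mind when you try this on a host: MCS is only consulted after type enforcement, so a denial in the AVC log may still be a plain TE denial, and the `c0.c10` range on guest_u bounds which levels `semanage login` will accept for backup (c1 fits, c99 would not), not which files the resulting process can read.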