They are only confined on certain domains.

   seinfo -amcs_constrained_type -x
      mcs_constrained_type
         netlabel_peer_t
         docker_apache_t
         openshift_t
         openshift_app_t
         sandbox_min_t
         sandbox_x_t
         sandbox_web_t
         sandbox_net_t
         svirt_t
         svirt_tcg_t
         svirt_lxc_net_t
         svirt_qemu_net_t
         svirt_kvm_net_t

If you add this attribute to a type it will start enforcing it. Adding a policy like this will confine guest_t:

   policy_module(mymcs, 1.0)

   gen_require(`
       type guest_t;
   ')

   typeattribute guest_t mcs_constrained_type;

On 09/16/2015 10:36 AM, Mario Rosic wrote:
> Hello,
>
> I have trouble understanding how MCS labels work, they are not being
> enforced on my RHEL7 system even though selinux is "enforcing" and the
> policy used is "targeted". I don't think I should be able to access
> those files:
>
> backup@test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
> -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3  /tmp/accounts-admin
> -rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
> backup@test ~ $ id
> uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1
>
> root@test ~ # getenforce
> Enforcing
>
> I can still access them even though they have different labels (c3 and
> c99 as opposed to my user having c1).
>
> backup@test ~ $ cat /tmp/accounts-users
> domenico balance: -30
> backup@test ~ $ cat /tmp/accounts-admin
> don't lend money to domenico
>
> Am I missing something?
>
> More info:
>
> # semanage user -l
> SELinux User    Prefix    MCS Level    MCS Range        SELinux Roles
> guest_u         user      s0           s0-s0:c0.c10     guest_r
>
> # semanage login -l
> Login Name     SELinux User    MLS/MCS Range    Service
> __default__    user_u          s0               *
> backup         guest_u         s0:c1            *
>
> Regards,
> Mario R
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
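The reply above says the MCS category check only applies to domains carrying the mcs_constrained_type attribute. As an added example (not from the thread or from the SELinux project), the following Python models that rule for file reads: it parses MCS levels, applies the "subject level dominates object level" test, and skips the test for unconstrained types, which is why Mario's guest_t process reads a c3 file from a c1 context. Type enforcement is not modelled; the constrained-type set is the one listed in the reply, and the svirt_image_t contexts in the comments are constructed samples.

```python
import re

# Types listed by the reply's `seinfo -amcs_constrained_type -x` output.
MCS_CONSTRAINED_TYPES = frozenset({
    "netlabel_peer_t", "docker_apache_t", "openshift_t", "openshift_app_t",
    "sandbox_min_t", "sandbox_x_t", "sandbox_web_t", "sandbox_net_t",
    "svirt_t", "svirt_tcg_t", "svirt_lxc_net_t", "svirt_qemu_net_t", "svirt_kvm_net_t",
})

_CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")   # c3 or a range such as c0.c10

def parse_level(level):
    """Parse a single MCS level ('s0', 's0:c1', 's0:c0.c10', 's0:c1,c3.c5')
    into (sensitivity, frozenset of category numbers). Ranges like s0-s0:c0.c10
    belong to users, not to process/file contexts, and are not handled here."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in level {level!r}")
    result = set()
    for part in filter(None, cats.split(",")):
        cm = _CAT_RE.fullmatch(part)
        if not cm:
            raise ValueError(f"bad category spec {part!r}")
        lo, hi = int(cm.group(1)), int(cm.group(2) or cm.group(1))
        if hi < lo:
            raise ValueError(f"descending category range {part!r}")
        result.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(result)

def dominates(high, low):
    """'high dom low': sensitivity not lower and every category of low present in high."""
    return high[0] >= low[0] and high[1] >= low[1]

def split_context(ctx):
    """Split 'user:role:type:level'; the level may itself contain ':' (s0:c1)."""
    user, role, type_, level = ctx.split(":", 3)
    return user, role, type_, level

def mcs_allows_read(subject_ctx, object_ctx, constrained_types=MCS_CONSTRAINED_TYPES):
    """Model of the MCS read constraint: allowed if the subject type is not
    mcs_constrained_type, otherwise only if the subject level dominates the object level."""
    _, _, stype, slevel = split_context(subject_ctx)
    _, _, _, olevel = split_context(object_ctx)
    if stype not in constrained_types:
        return True      # unconstrained domain: categories are ignored, TE alone decides
    return dominates(parse_level(slevel), parse_level(olevel))

if __name__ == "__main__":
    proc, admin_file = "guest_u:guest_r:guest_t:s0:c1", "guest_u:object_r:user_tmp_t:s0:c3"
    print("stock policy:", mcs_allows_read(proc, admin_file))                               # True
    print("with typeattribute:", mcs_allows_read(proc, admin_file, MCS_CONSTRAINED_TYPES | {"guest_t"}))  # False
```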