Re: MCS labels not being enforced

Thank you very much @Daniel Walsh & Miroslav Grepl!

It would be very nice if we had this information in the official RHEL7
documentation. I think I studied it thoroughly and still I lost a lot of
time because I expected MCS to work out of the box for SELinux Users
that I create.

On 2015-09-16 at 23:33, Daniel J Walsh wrote:
> I wrote a more detailed blog on this.
>
> http://danwalsh.livejournal.com/73416.html
>
> On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
>> They are only confined on certain domains.
>>
>> seinfo -amcs_constrained_type -x
>>    mcs_constrained_type
>>       netlabel_peer_t
>>       docker_apache_t
>>       openshift_t
>>       openshift_app_t
>>       sandbox_min_t
>>       sandbox_x_t
>>       sandbox_web_t
>>       sandbox_net_t
>>       svirt_t
>>       svirt_tcg_t
>>       svirt_lxc_net_t
>>       svirt_qemu_net_t
>>       svirt_kvm_net_t
>>
>> If you add this attribute to a type it will start enforcing it.
>>
>> Adding a policy like this will confine guest_t
>>
>> policy_module(mymcs, 1.0)
>> gen_require(`
>>     type guest_t;
>> ')
>>
>> typeattribute guest_t mcs_constrained_type;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
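
An added example, not part of the original thread or of the SELinux policy sources: a simplified Python model of the behaviour described above, where category dominance is only checked when the source type carries the mcs_constrained_type attribute. The function names and the sample listing are constructed for illustration, and contexts are given as single levels rather than ranges.

```python
# Simplified model of the MCS check discussed in this thread (assumption:
# access is allowed if the source type is not mcs_constrained_type, or the
# source categories dominate the target categories).

# Constructed sample, shortened from the seinfo listing quoted above.
SEINFO_SAMPLE = """\
   mcs_constrained_type
      netlabel_peer_t
      sandbox_min_t
      svirt_t
      svirt_lxc_net_t
"""

def parse_attribute_members(seinfo_output):
    """Return the set of types listed under the attribute name line."""
    lines = [ln.strip() for ln in seinfo_output.splitlines() if ln.strip()]
    return set(lines[1:])  # first non-empty line is the attribute itself

def parse_categories(level):
    """'s0:c1,c5.c7' -> {1, 5, 6, 7}; 's0' -> empty set."""
    _, _, cats = level.partition(":")
    result = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")  # 'c5.c7' is the range c5..c7
        start = int(lo.lstrip("c"))
        end = int(hi.lstrip("c")) if hi else start
        result.update(range(start, end + 1))
    return result

def mcs_allows(source_type, source_level, target_level, constrained):
    """Allowed if the source type is exempt or its categories dominate."""
    if source_type not in constrained:
        return True  # MCS is not enforced for this type
    return parse_categories(source_level) >= parse_categories(target_level)

def with_attribute(constrained, new_type):
    """Model the effect of `typeattribute new_type mcs_constrained_type;`."""
    return constrained | {new_type}

if __name__ == "__main__":
    before = parse_attribute_members(SEINFO_SAMPLE)
    after = with_attribute(before, "guest_t")
    for label, types in (("before module", before), ("after module", after)):
        ok = mcs_allows("guest_t", "s0:c1", "s0:c2", types)
        print(f"{label}: guest_t s0:c1 -> file s0:c2 allowed={ok}")
```
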



