On 09/17/2015 10:56 AM, Mario Rosic wrote:
> Thank you very much @Daniel Walsh & Miroslav Grepl!
>
> It would be very nice if we had this information in the official RHEL7
> documentation. I think I studied it thoroughly and still I lost a lot of
> time because I expected MCS to work out of the box for SELinux Users
> that I create.

That's a good point. You can open a new bug with this request, if possible.

Thank you.

>
> On 2015-09-16 at 23:33, Daniel J Walsh wrote:
>> I wrote a more detailed blog on this.
>>
>> http://danwalsh.livejournal.com/73416.html
>>
>> On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
>>> They are only confined on certain domains.
>>>
>>> seinfo -amcs_constrained_type -x
>>> mcs_constrained_type
>>> netlabel_peer_t
>>> docker_apache_t
>>> openshift_t
>>> openshift_app_t
>>> sandbox_min_t
>>> sandbox_x_t
>>> sandbox_web_t
>>> sandbox_net_t
>>> svirt_t
>>> svirt_tcg_t
>>> svirt_lxc_net_t
>>> svirt_qemu_net_t
>>> svirt_kvm_net_t
>>>
>>> If you add this attribute to a type it will start enforcing it.
>>>
>>> Adding a policy like this will confine guest_t
>>>
>>> policy_module(mymcs, 1.0)
>>> gen_require(`
>>>     type guest_t;
>>> ')
>>>
>>> typeattribute guest_t mcs_constrained_type;
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
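
The check discussed in the thread, as an added example that is not part of the original messages: a small script that parses `seinfo -amcs_constrained_type -x` output and reports whether a given type carries the attribute, so you can tell before relying on categories whether MCS will be enforced for it. The embedded listing is the one quoted in the thread; `MCS_USE_LIVE` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): which types does MCS actually confine?

# Constructed sample: the seinfo listing quoted in the thread above.
SAMPLE_LISTING='   mcs_constrained_type
      netlabel_peer_t
      docker_apache_t
      openshift_t
      openshift_app_t
      sandbox_min_t
      sandbox_x_t
      sandbox_web_t
      sandbox_net_t
      svirt_t
      svirt_tcg_t
      svirt_lxc_net_t
      svirt_qemu_net_t
      svirt_kvm_net_t'

# Print the attribute listing. MCS_USE_LIVE is a hypothetical switch for this
# example: set it to 1 on an SELinux host with setools to query the real policy.
seinfo_listing() {
    if [ "${MCS_USE_LIVE:-0}" = 1 ] && command -v seinfo >/dev/null 2>&1; then
        seinfo -amcs_constrained_type -x
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# Read a listing on stdin; print one member type per line. Lines that are not
# a single bare type name (the attribute name, any header) are skipped.
mcs_constrained_types() {
    awk 'NF == 1 && $1 != "mcs_constrained_type" { print $1 }'
}

# Succeed only if the given type carries the attribute.
is_mcs_constrained() {
    seinfo_listing | mcs_constrained_types | grep -Fxq -- "$1"
}

# Report each type; return 1 if any of them ignores MCS categories.
audit_types() {
    rc=0
    for t in "$@"; do
        if is_mcs_constrained "$t"; then
            echo "$t: mcs_constrained_type set, categories enforced"
        else
            echo "$t: attribute missing, categories NOT enforced"; rc=1
        fi
    done
    return "$rc"
}

audit_types guest_t svirt_t || true
```

After loading a module like the `mymcs` one quoted above, rerunning the check with `MCS_USE_LIVE=1` should show `guest_t` in the enforced group.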