----- Original Message -----
> From: "Gionatan Danti" <g.danti@xxxxxxxxxx>
> To: "Gary Tierney" <gary.tierney@xxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Wednesday, March 21, 2018 6:41:57 PM
> Subject: Re: CentOS7 SELinux doesn't seem to adhere to MCS categories
>
> On 21-03-2018 22:32 Gary Tierney wrote:
> > Back in CentOS 6 every type was considered an "MCS constrained" type by
> > default.
> >
> > CentOS 7 changed that behaviour by adding some constraints that only
> > considered a type MCS constrained if it was associated with a given
> > attribute
> > (see:
> > https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/mcs#L73).
> > So now category/compartment dominance is only considered if you have an
> > association between your type and the MCS attribute.
>
> Interesting. What is/was the reasoning behind the change? I would
> naively expect a CentOS6-like approach rather than the new one. Is it
> possible to revert to the old behavior with something like an
> all-or-nothing switch?
>

The answer/reason for the change is under 'MCS Is different then type enforcement.' in the link below

https://danwalsh.livejournal.com/73416.html

> Thanks.
>
> --
> Danti Gionatan
> Technical Support
> Assyoma S.r.l. - www.assyoma.it
> email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
> GPG public key ID: FF5F32A8
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
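
A simplified model of the behaviour discussed in this thread, added here as an example (it is not code from the participants or from the selinux-policy project): the MCS category-dominance check is applied only when the source type carries the MCS attribute, with a switch that models the CentOS 6 behaviour. The attribute name `mcs_constrained_type` is what the linked policy file uses; the set membership, the contexts in the test, and the function names are constructed for illustration, and the model covers only the MCS constraint, not type enforcement.

```python
import re

# Constructed stand-in for the types associated with the MCS attribute
# (mcs_constrained_type); real membership comes from the loaded policy.
CONSTRAINED_TYPES = {"svirt_t", "container_t"}

def parse_categories(spec):
    """Expand 'c1,c5.c7' into {1, 5, 6, 7}; an empty spec means no categories."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def parse_context(ctx):
    """Split user:role:type:range; return (type, categories of the high level)."""
    fields = ctx.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context without an MLS/MCS field: {ctx!r}")
    _user, _role, typ, level_range = fields
    high = level_range.split("-")[-1]        # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    _sensitivity, _, cat_spec = high.partition(":")
    return typ, parse_categories(cat_spec)

def mcs_allows(source_ctx, target_ctx, every_type_constrained=False):
    """True if the MCS constraint alone would let source access target.

    every_type_constrained=True models the CentOS 6 behaviour from the
    thread (all types constrained); False models CentOS 7, where only
    types associated with the attribute are checked for dominance.
    """
    s_type, s_cats = parse_context(source_ctx)
    _t_type, t_cats = parse_context(target_ctx)
    constrained = every_type_constrained or s_type in CONSTRAINED_TYPES
    # Dominance within one sensitivity: source categories must be a
    # superset of the target's categories.
    return (not constrained) or s_cats >= t_cats
```

In this model, a domain outside the attribute passes the MCS check regardless of categories, which matches the symptom in the thread's subject line.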