Re: Label Translation on Fedora 9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stephen Smalley wrote: 
On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
  
I am running Fedora 9 with the MLS policy and see no evidence that the
label translation is enabled. I am using the default setrans.conf and
the "disable=1" flag is commented out.

Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
produces the exact same label string as passed in which will not pass
validation (using s15:c0.c1023 will pass validation). 

Trying id-Z followed by newrole produces:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

newrole -l SystemLow-SystemHigh
warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context

Is there something that must be done to activate label translation?
    

Label translation is provided by a daemon, mcstrans.

yum install mcstrans
/sbin/chkconfig mcstrans on
/sbin/service mcstrans start

Thanks. I was not starting the mcstrans service. When I get a translation, it seems odd as follows.

without mcstrans:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

with mcstrans:
id -Z
warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh

Is it expected to have the high end of the range expressed as a range? The translation table has the following relevant entries:
s0                             SystemLow
s0-s15:c0.c1023      SystemLow-SystemHigh


[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux