Re: limitations of CONTEXT__CONTAINS interface

On Fri, 2008-12-05 at 19:46 -0500, Eamon Walsh wrote:
> The attached C code uses the CONTEXT__CONTAINS permission check to check
> dominance, and produces the following output on my mls box:
> 
> staff_u:staff_r:staff_t:s15:c0.c255 dominates staff_u:staff_r:staff_t:s0
> 
> system_u:object_r:etc_t:s15:c0.c255 does not dominate system_u:object_r:etc_t:s0
> 
> 
> Why doesn't this check work in the second case?

Likely due to a TE denial.  The existing policy likely only has:
allow domain self:context contains;
as the original use case for this check was to apply a check between two
subject contexts.

If you want to use it for object contexts, you'll have to allow it for
those types as well.

> My color translation code has a config file that may contain lines such
> as (paraphrasing):
> range s0 = green
> range s1 = yellow
> range s1:c1 = blue
> range s15:c0.c255 = red
> 
> and so forth, which are matched with incoming contexts using a dominance
> check.  The observed behavior above is causing this not to work.

-- 
Stephen Smalley
National Security Agency
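Eamon's attached C code is not on the page, so as an added example (not code from the thread) here is the dominance test his config matching needs, done in user space in C against a constructed copy of the quoted config lines; because it never consults the loaded policy it is not gated by the `context contains` TE rule Stephen describes, which is the difference between a string comparison and an access decision. Assumptions: a 1024-category space, and that config entries are listed lowest to highest so the last dominated entry wins.

```c
#include <stdlib.h>
#include <string.h>
#define NCATS 1024  /* assumed category count; the thread's ranges only go up to c255 */
struct level { int sens; unsigned char cats[NCATS / 8]; };

/* Parse "sN" or "sN:cA.cB,cC,..." (the forms quoted above); returns 0, or -1 if malformed. */
int parse_level(const char *s, struct level *l)
{
    char *end = (char *)s;
    memset(l, 0, sizeof(*l));
    l->sens = *s == 's' ? (int)strtol(s + 1, &end, 10) : -1;
    if (l->sens < 0 || end == s + 1) return -1;
    if (*end != ':') return *end ? -1 : 0;          /* bare "sN": no categories */
    for (const char *p = end + 1; ; ) {
        if (*p != 'c') return -1;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (end == p + 1 || lo < 0 || lo >= NCATS) return -1;
        p = end;
        if (*p == '.') {                            /* "cA.cB": inclusive range A..B */
            hi = p[1] == 'c' ? strtol(p + 2, &end, 10) : -1;
            if (hi < lo || hi >= NCATS || end == p + 2) return -1;
            p = end;
        }
        for (long c = lo; c <= hi; c++) l->cats[c / 8] |= (unsigned char)(1u << (c % 8));
        if (*p == ',') p++; else return *p ? -1 : 0; /* end of string, or trailing junk */
    }
}

/* MLS dominance: a's sensitivity is at least b's and a's category set is a superset of b's. */
int dominates(const struct level *a, const struct level *b)
{
    for (size_t i = 0; i < sizeof a->cats; i++)
        if (b->cats[i] & ~a->cats[i]) return 0;
    return a->sens >= b->sens;
}
/* Constructed table mirroring the "range ... = colour" config lines quoted above. */
static const struct { const char *range, *colour; } config[] = {
    { "s0", "green" }, { "s1", "yellow" }, { "s1:c1", "blue" }, { "s15:c0.c255", "red" },
};
/* Colour of the last entry the incoming level dominates, or NULL if malformed / no match. */
const char *colour_for(const char *incoming)
{
    struct level in, cfg;
    const char *best = NULL;
    if (parse_level(incoming, &in) < 0) return NULL;
    for (size_t i = 0; i < sizeof config / sizeof config[0]; i++)
        if (parse_level(config[i].range, &cfg) == 0 && dominates(&in, &cfg))
            best = config[i].colour;
    return best;
}
```

`colour_for("s1:c2")` yields "yellow" rather than "blue" because s1:c2 does not dominate s1:c1, which is the category-superset half of the test.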
