I am confused by the behavior of security_compute_av_raw in Fedora Rawhide:
...
    rc = security_compute_av_raw(ctx, raw, SECCLASS_CONTEXT,
                                 CONTEXT__CONTAINS, &avd);
    log_debug("ctx=%s raw=%s avd.allowed=%d rc=%d\n", ctx, raw,
              avd.allowed, rc);
...
With ctx and raw identical user contexts, it works as expected:
ctx=user_u:user_r:user_t:s15:c0.c1023
raw=user_u:user_r:user_t:s15:c0.c1023 avd.allowed=2 rc=0
With ctx and raw identical system contexts, it behaves differently:
ctx=system_u:system_r:setrans_t:s15:c0.c1023
raw=system_u:system_r:setrans_t:s15:c0.c1023 avd.allowed=1 rc=0
Both in mls/permissive. No obvious AVCs.
joe