Hello, everyone. I'm just playing with MCS and trying to understand the system's behavior. As far as I have read the theory, categories can be used to limit unwanted user's access to your data. So, I am trying to create a file, mark it with a category, first time - the same as the process has. Then I write there some data and read it back. That works OK and is as expected. But when I change file's category to some other, that my testing process don't have, to prevent the process from accessing that file, I discover that the process may read, but cannot write (append) to that file: root@selinux1:/tmp# id uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0:c0 root@selinux1:/tmp# ls -laZ test -rw-r--r-- 1 root root system_u:object_r:sysadm_tmp_t:s0:c1 9 Oct 3 00:44 test root@selinux1:/tmp# cat test asfasdaf root@selinux1:/tmp# cat >> test bash: test: Permission denied root@selinux1:/tmp# setenforce 0 root@selinux1:/tmp# cat >> test blabla root@selinux1:/tmp# cat test asfasdaf blabla When the process is at s0:c0, the file is at s0:c1, and in enforcing mode I expect to have no access at all. I can only guess, that sysadm_t is in some way marked as a special type for bypassing MCS constraints, but how can I proof/check that? And if that is true, I still expect to have all access or no access at all, but not the read only access. Please, if there is nothing wrong with what I am seeing, tell where can I read about that more? Thanks. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
