On Fri, Oct 02, 2009 at 08:40:12PM +0500, selinux@xxxxxxxx wrote: > Hello, everyone. > I'm just playing with MCS and trying to understand the system's behavior. > > As far as I have read the theory, categories can be used to limit unwanted user's > access to your data. So, I am trying to create a file, mark it with a category, > first time - the same as the process has. Then I write there some data and read it back. > That works OK and is as expected. > But when I change file's category to some other, that my testing process don't have, > to prevent the process from accessing that file, I discover that the process may read, > but cannot write (append) to that file: > > root@selinux1:/tmp# id > uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0:c0 > root@selinux1:/tmp# ls -laZ test > -rw-r--r-- 1 root root system_u:object_r:sysadm_tmp_t:s0:c1 9 Oct 3 00:44 test > root@selinux1:/tmp# cat test > asfasdaf > root@selinux1:/tmp# cat >> test > bash: test: Permission denied > root@selinux1:/tmp# setenforce 0 > root@selinux1:/tmp# cat >> test > blabla > root@selinux1:/tmp# cat test > asfasdaf > blabla > > When the process is at s0:c0, the file is at s0:c1, and in enforcing mode I expect > to have no access at all. > > I can only guess, that sysadm_t is in some way marked as a special type for > bypassing MCS constraints, but how can I proof/check that? > And if that is true, I still expect to have all access or no access at all, > but not the read only access. > Please, if there is nothing wrong with what I am seeing, tell where can I read > about that more? > > Thanks. Whoops i was wrong. That was process_read_up not file so i guess it is because userdom_security_admin_template(sysadm_t, sysadm_r) like ssmalley say's i guess the policy is built with mls enabled. > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message.
Attachment:
pgpWYwJ5qwsjT.pgp
Description: PGP signature
