On Fri, 2009-10-02 at 12:07 -0400, Stephen Smalley wrote:
> On Fri, 2009-10-02 at 20:40 +0500, selinux@xxxxxxxx wrote:
> > Hello, everyone.
> > I'm just playing with MCS and trying to understand the system's behavior.
> >
> > As far as I have read the theory, categories can be used to limit unwanted user's
> > access to your data. So, I am trying to create a file, mark it with a category,
> > first time - the same as the process has. Then I write there some data and read it back.
> > That works OK and is as expected.
> > But when I change file's category to some other, that my testing process don't have,
> > to prevent the process from accessing that file, I discover that the process may read,
> > but cannot write (append) to that file:
> >
> > root@selinux1:/tmp# id
> > uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0:c0
> > root@selinux1:/tmp# ls -laZ test
> > -rw-r--r-- 1 root root system_u:object_r:sysadm_tmp_t:s0:c1 9 Oct 3 00:44 test
> > root@selinux1:/tmp# cat test
> > asfasdaf
> > root@selinux1:/tmp# cat >> test
> > bash: test: Permission denied
> > root@selinux1:/tmp# setenforce 0
> > root@selinux1:/tmp# cat >> test
> > blabla
> > root@selinux1:/tmp# cat test
> > asfasdaf
> > blabla
> >
> > When the process is at s0:c0, the file is at s0:c1, and in enforcing mode I expect
> > to have no access at all.
> >
> > I can only guess, that sysadm_t is in some way marked as a special type for
> > bypassing MCS constraints, but how can I proof/check that?
> > And if that is true, I still expect to have all access or no access at all,
> > but not the read only access.
> > Please, if there is nothing wrong with what I am seeing, tell where can I read
> > about that more?
>
> sysadm.te calls userdom_security_admin_template().
> userdom_security_admin_template() calls mls_file_read_all_levels().
> mls_file_read_all_levels() declares the type as having the mlsfileread
> type attribute.
>
> policy/mcs says:
> mlsconstrain file { read }
> (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
So it is operating in accordance with the policy configuration. As to
whether the policy configuration makes sense is another question, I
think.
I don't think MCS and MLS should be reusing each other's attributes in
constraints, as not everything that requires an exception under the one
will need an exception under the other.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
