On Fri, 2010-06-11 at 00:48 +0800, Andy Warner wrote: > > On 6/10/2010 7:21 PM, Christopher J. PeBenito wrote: > > On Thu, 2010-06-10 at 19:12 +0800, Andy Warner wrote: > > > >> On 6/10/2010 7:09 PM, Christopher J. PeBenito wrote: > >> > >>> On Thu, 2010-06-10 at 17:15 +0800, Andy Warner wrote: > >>> > >>> > >>>> In the policy for the Trusted RUBIX DBMS, we assign file contexts > >>>> using the following (only one representative dir, 'backups', shown): > >>>> > >>>> ifdef(`enable_mls',` > >>>> /var/lib/RUBIXdbms/backups(/.*)? > >>>> gen_context(system_u:object_r:rubix_backup_t,mls_systemhigh) > >>>> ') > >>>> ifdef(`enable_mcs',` > >>>> /var/lib/RUBIXdbms/backups(/.*)? > >>>> gen_context(system_u:object_r:rubix_backup_t,mcs_systemhigh) > >>>> ') > >>>> > >>>> When using the mls policy, I get the expected level of mls_systemhigh > >>>> (s15:c0.c1023). But when using the targeted policy, I get an > >>>> unexpected value for mcs_systemhigh. I would expect to get > >>>> s0:c0.c1023, but get s0. I have verified this behavior on Fedora 9 and > >>>> 12. Is my assumption wrong about what mcs_systemhigh should be or am I > >>>> missing something? > >>>> > >>>> Relevant output from 'semanage fcontext -l' > >>>> /var/lib/RUBIXdbms/backups(/.*)? all files > >>>> system_u:object_r:rubix_backup_t:s0 > >>>> > >>>> > >>> Actually, you shouldn't need any of those ifdefs. The gen_context() > >>> macro is sensitive to if MLS or MCS is enabled. The first parameter is > >>> the first three fields of the context. The second parameter is the MLS > >>> label, and there is a third optional parameter to specify the MCS > >>> categories for the file (there are no examples in refpolicy). So this > >>> is sufficient: > >>> > >>> /var/lib/RUBIXdbms/backups(/.*)? gen_context(system_u:object_r:rubix_backup_t,mls_systemhigh,mcs_allcats) > >>> > >>> The thing to note is that gen_context() abstracts away the sensitivity > >>> (s0) portion of the label, so there is an mcs_allcats macro. > >>> > >>> > >> Thanks for the reply. So, then is the mcs_systemhigh basically meaningless? > >> > > Its useful for range transitions, eg: > > > > range_transition foo_t bar_t s0-mcs_systemhigh; > > > In this case, whill mcs_systemhigh evaluate to s0 or s0:c0.c1023? The latter. > We use the following to allow a transition to system high, expecting for > mcs that to be s0:c0.c1023. Should we expect that behavior or should we > use mcs_allcats here as well? > > ifdef(`enable_mls',` > range_transition $1 $2:process mls_systemhigh; > ') > ifdef(`enable_mcs',` > range_transition $1 $2:process mcs_systemhigh; > ') These are valid. > > Perhaps we should consider changing the gen_context() macro to accept > > mcs_systemhigh instead of mcs_allcats, for consistency. > > > At first glance it would sure seem mcs_systemhigh and mcs_allcats would > (should?) evaluate to the same thing. They don't. mcs_systemhigh = s0:c0.c1024 mcs_allcats = c0.c1024 Which is why I'm saying we should probably get rid of mcs_allcats and fix gen_context() to not add in the "s0:" for MCS. Then we wouldn't have this confusion. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
