hi, thanks Russell Coker:
my last question is confusing
1.
there are two categories, c520 and c87; at most how many categories can exist in a label? c520,c87,c1,c2,c*....
2.
you said " In MCS to read a file a process needs to have every
category that the file has (or it needs to be in a domain that can override
the MCS controls)."
as for a file, a process with the same MCS must be a specific type? Not all processes labeled with any type and the same MCS can access the file? Am I right?
Only processes labeled svirt_t with the same MCS fields are able to read/write these image files and devices.
thanks
At 2014-01-02 17:53:56,"Russell Coker" <russell@xxxxxxxxxxxx> wrote:
>On Thu, 2 Jan 2014, bigclouds <bigclouds@xxxxxxx> wrote:
>> there are not many documents about internals of selinux on the internet.
>> could you answer my questions, thanks
>> # ps -eZ | grep qemu-kvm
>> system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
>>
>> 1.there, svirt_t is a domain or a type? how to create a new type, just a
>> sample is ok
>
>In the way that SE Linux works internally there isn't a difference. With the
>way the policy is written the attribute "domain" is applied to any type that
>can be used for labelling a process.
>
>#
># init_t is the domain of the init process.
>#
>type init_t, initrc_transition_domain;
>type init_exec_t;
>domain_type(init_t)
>domain_entry_file(init_t, init_exec_t)
>kernel_domtrans_to(init_t, init_exec_t)
>role system_r types init_t;
>
>Above is a snippet from init.te. It creates the "type" (where the word
>applies to a policy language keyword) init_t and then uses the interface
>"domain_type" to give it the attribute "domain".
>
>> 2.how to know how much authority, on how many files, dirs, sockets....
>> the process of qemu-kvm has? is there a command to show that?
>
>The commands "apol" and "sesearch" allow you to discover that.
>
>> 3. s0, if it can be s1,s2....(images have the same s*), if i do so, any
>> other requirement? if type is targeted, if targeted has only one level,
>> s0? in targeted case, s1,s2...is not valid?
>
>s1 only exists if you use the MLS (Multi Level Security) policy, which you
>almost certainly aren't using (it's an advanced feature and not enabled by
>default in any distribution you are likely to use).
>
>That level field in the label is also used by MCS (Multi Category Security)
>which allows values such as "s0:c0" and "s0:c0,c3". Feel free to experiment
>with that, you can use the command "runcon" to launch a process with a
>different level and see what access it is permitted to have to files of
>different level.
>
>> 4.what does s(sensitive) and c(class) mean?
>
>For MCS it's only s0 so it means nothing for you. MLS is more complex, master
>MCS first.
>
>> 5. there are two class, c520,c87. what is the upper limit of class
>> amount.
>
>The categories (not classes) are numbered from c0 to c1023, there are 1024 of
>them but this is a policy compilation choice, you could rebuild the policy and
>use more or less. In MCS to read a file a process needs to have every
>category that the file has (or it needs to be in a domain that can override
>the MCS controls).
>
>--
>My Main Blog http://etbe.coker.com.au/
>My Documents Blog http://doc.coker.com.au/
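The MCS rule quoted above (a process must hold every category the file has, unless its domain may override MCS) and the question of whether type enforcement still applies on top of it can be modelled in a few lines. The script below is an added illustration, not code from the thread or from the SELinux project: it parses contexts of the form shown in the ps output, expands the standard "c0.c5" range notation, and requires both a type-enforcement allow rule and MCS dominance before reporting access. TE_ALLOW and the mcs_exempt set are constructed stand-ins for what sesearch would report from a real policy; MLS ranges such as "s0-s1" are not handled, since the thread says MLS is not in use.

```python
import re

# user:role:type:sensitivity[:categories], e.g. system_u:system_r:svirt_t:s0:c87,c520
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+):(s\d+)(?::(.+))?$")

# Constructed stand-in for the TE allow rules of the policy (not real policy data).
TE_ALLOW = {"svirt_t": {"svirt_image_t"}}


def parse_categories(spec):
    """Expand 'c87,c520' or 'c0.c1023' (standard range notation) into a set of ints."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:                      # range such as c0.c5
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_context(ctx):
    """Split an SELinux context string into its fields; categories become a set."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"not a user:role:type:level context: {ctx!r}")
    user, role, type_, sens, cats = m.groups()
    return {"user": user, "role": role, "type": type_,
            "sens": sens, "cats": parse_categories(cats)}


def check_access(process_ctx, file_ctx, te_allow, mcs_exempt=frozenset()):
    """Return (allowed, reason). Both checks must pass: a TE rule for the
    (process type, file type) pair, and MCS dominance (process categories are a
    superset of the file's), unless the process type is exempt from MCS."""
    p, f = parse_context(process_ctx), parse_context(file_ctx)
    if f["type"] not in te_allow.get(p["type"], set()):
        return False, f"no TE rule allowing {p['type']} -> {f['type']}"
    if p["type"] in mcs_exempt:
        return True, "TE allowed; domain overrides MCS"
    missing = f["cats"] - p["cats"]
    if missing:
        return False, "MCS: process lacks " + ",".join(f"c{c}" for c in sorted(missing))
    return True, "TE allowed and process holds every file category"


if __name__ == "__main__":
    image = "system_u:object_r:svirt_image_t:s0:c87,c520"       # constructed file label
    for proc in ("system_u:system_r:svirt_t:s0:c87,c520",
                 "system_u:system_r:svirt_t:s0:c87",
                 "unconfined_u:unconfined_r:unconfined_t:s0:c87,c520"):
        print(proc, "->", check_access(proc, image, TE_ALLOW))
```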