On 02/19/2015 07:34 PM, Tracy Reed wrote:
> but when I try to test that it is being MCS restricted nothing gets denied:
>
> -bash-4.1$ cd /nodes/p16001/
> -bash-4.1$ ls
> testfile
> -bash-4.1$
> -bash-4.1$ id -Z
> p16001_u:user_r:user_t:p16001
> -bash-4.1$ ls -laZ
> drwxr-xr-x. p16001 p16001 user_u:object_r:default_t:p16001 .
> drwxr-xr-x. root root system_u:object_r:default_t:SystemLow ..
> -rw-r--r--. p16001 p16001 user_u:object_r:default_t:p16001 testfile
> -bash-4.1$ cat testfile
> I am 16001
> -bash-4.1$ cd ../p16002/
> -bash-4.1$ ls -laZ
> drwxr-xr-x. p16002 p16002 user_u:object_r:default_t:p16002 .
> drwxr-xr-x. root root system_u:object_r:default_t:SystemLow ..
> -rw-r--r--. p16002 p16002 user_u:object_r:default_t:p16002 testfile
> -bash-4.1$ cat testfile
> I am 16002
>
> to my understanding user p16001 with only category p16001 should not be able to
> read this file of category p16002.

Can you show the actual constraints on RHEL6? seinfo --constrain output,
or grab the .src.rpm and pull out the mcs file.