On 02/20/2015 11:56 AM, Tracy Reed wrote:
> On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
>> Can you show the actual constraints on RHEL6? seinfo --constrain
>> output, or grab the .src.rpm and pull out the mcs file.
>
> Here is the seinfo --constrain output from RHEL6. Thanks for having a look!

Sigh. Not preserved in attribute form in that version.

Ok, I grabbed selinux-policy-3.7.19-231.el6.src.rpm and extracted the mcs file from it; it has:

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

which means: "Only allow read (or the other listed permissions) if the process high level dominates the file high level or the process type has the mcsreadall attribute or the process type does not have the mcsuntrustedproc attribute and the object type has the domain attribute (i.e. the object is a /proc/pid file)."

So I'm guessing user_t has mcsreadall? What does seinfo -tuser_t -x | grep mcs show?

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
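The following is an added example, not part of the mailing-list message above and not code from the SELinux reference policy. It models how the quoted RHEL6 mlsconstrain on file read is evaluated: `h1 dom h2` is the MCS dominance check between the process high level and the file high level, and `t1 == mcsreadall`, `t1 != mcsuntrustedproc` and `t2 == domain` are attribute-membership tests on the source and target types. The type names and attribute assignments in `ATTRS` are constructed for illustration and do not describe what any real policy assigns to user_t or other types.

```python
# Added example: a small model of the RHEL6 mcs file-read constraint quoted above.
# The type-to-attribute table below is CONSTRUCTED for illustration only.

def parse_level(level):
    """Parse an MCS level such as 's0', 's0:c1,c3' or 's0:c1.c3' (a range)
    into (sensitivity number, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    categories = set()
    if cats:
        for part in cats.split(","):
            if "." in part:
                lo, hi = part.split(".")
                categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def dominates(h1, h2):
    """h1 dom h2: h1's sensitivity is >= h2's and h1's categories are a
    superset of h2's. This is the 'dom' operator of the constraint."""
    s1, c1 = parse_level(h1)
    s2, c2 = parse_level(h2)
    return s1 >= s2 and c1 >= c2


# Constructed attribute table: which attributes each (hypothetical) type carries.
# In a real policy this comes from the policy source or 'seinfo -t<type> -x'.
ATTRS = {
    "app_t":       {"domain"},                      # ordinary confined process type
    "reader_t":    {"domain", "mcsreadall"},        # exempt from the MCS read check
    "untrusted_t": {"domain", "mcsuntrustedproc"},  # denied the /proc/pid exception
    "data_file_t": set(),                           # plain file type, no 'domain'
}


def mcs_file_read_allowed(subj_type, subj_high, obj_type, obj_high, attrs=ATTRS):
    """Evaluate the quoted constraint for one file-read attempt:
    (h1 dom h2) or (t1 == mcsreadall) or ((t1 != mcsuntrustedproc) and (t2 == domain)).
    In a constraint, 'tN == <attribute>' means 'type tN is a member of that attribute'."""
    t1 = attrs.get(subj_type, set())
    t2 = attrs.get(obj_type, set())
    return (
        dominates(subj_high, obj_high)
        or "mcsreadall" in t1
        or ("mcsuntrustedproc" not in t1 and "domain" in t2)
    )


if __name__ == "__main__":
    cases = [
        # (process type, process high, object type, object high)
        ("app_t", "s0:c1,c2", "data_file_t", "s0:c1"),    # dominates: allowed
        ("app_t", "s0:c1", "data_file_t", "s0:c2"),       # disjoint categories: denied
        ("app_t", "s0:c1", "app_t", "s0:c2"),             # /proc/pid of a domain: allowed
        ("untrusted_t", "s0:c1", "app_t", "s0:c2"),       # untrusted proc: denied
        ("reader_t", "s0", "data_file_t", "s0:c1.c3"),    # mcsreadall: allowed
    ]
    for subj_t, subj_h, obj_t, obj_h in cases:
        verdict = mcs_file_read_allowed(subj_t, subj_h, obj_t, obj_h)
        print(f"{subj_t}:{subj_h} read {obj_t}:{obj_h} -> {'allow' if verdict else 'deny'}")
```

The third case is the one the message singles out: a process whose categories do not dominate the target can still read it when the target's type carries the `domain` attribute (the /proc/pid files of another process), unless the reading type carries `mcsuntrustedproc`. Note that this models only the MLS/MCS constraint; the ordinary type-enforcement allow rules must also permit the access.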