On 02/20/2015 12:08 PM, Stephen Smalley wrote:
> On 02/20/2015 11:56 AM, Tracy Reed wrote:
>> On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
>>> Can you show the actual constraints on RHEL6?  seinfo --constrain
>>> output, or grab the .src.rpm and pull out the mcs file.
>>
>> Here is the seinfo --constrain output from RHEL6. Thanks for having a look!
>
> Sigh.  Not preserved in attribute form in that version.  Ok, I grabbed
> selinux-policy-3.7.19-231.el6.src.rpm and extracted the mcs file from
> it; it has:
>
> mlsconstrain file { read ioctl lock execute execute_no_trans }
>         (( h1 dom h2 ) or ( t1 == mcsreadall ) or
>          (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> which means:
>
> "Only allow read (or the other listed permissions) if the process high
> level dominates the file high level or the process type has the
> mcsreadall attribute or the process type does not have the
> mcsuntrustedproc attribute and the object type has the domain attribute
> (i.e. the object is a /proc/pid file)."
>
> So I'm guessing user_t has mcsreadall?  What does seinfo -tuser_t -x |
> grep mcs show?  Also, can you confirm that the system is enforcing?
> getenforce?

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
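Added example, not part of the thread above and not code from the SELinux reference policy: a small Python model of the RHEL6 mlsconstrain quoted in the message, so you can see which of its three clauses (h1 dom h2, t1 == mcsreadall, or t1 != mcsuntrustedproc with t2 == domain) grants a given process read access to a given file. Contexts are in the usual user:role:type:level[-high] form. The type-to-attribute map (DEMO_ATTRS) is constructed for the demonstration and is not RHEL6's real assignment; in particular it does not answer the question of whether user_t carries mcsreadall, which seinfo -tuser_t -x | grep mcs on the actual system would. The model only evaluates the constraint; an allow rule for the access must exist as well.

```python
# Added example (not from the thread): a model of the RHEL6 MCS read
# constraint quoted in the message.  The attribute map is constructed
# for illustration and is NOT the real RHEL6 type/attribute assignment.


def parse_level(level):
    """'s0:c0.c3,c5' -> (0, {0, 1, 2, 3, 5}); 's0' -> (0, set())."""
    sens_part, _, cats_part = level.partition(":")
    sens = int(sens_part[1:])
    cats = set()
    if cats_part:
        for piece in cats_part.split(","):
            if "." in piece:                      # range, e.g. c0.c1023
                lo, hi = piece.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:                                 # single category, e.g. c5
                cats.add(int(piece[1:]))
    return sens, cats


def high_level(context):
    """The high level (h1/h2 in the constraint) of user:role:type:low[-high]."""
    level_range = context.split(":", 3)[3]
    low, _, high = level_range.partition("-")
    return parse_level(high or low)


def context_type(context):
    """The type field (t1/t2 in the constraint)."""
    return context.split(":")[2]


def dominates(a, b):
    """MLS/MCS 'dom': sensitivity >= and categories a superset."""
    (sens_a, cats_a), (sens_b, cats_b) = a, b
    return sens_a >= sens_b and cats_a >= cats_b


def mcs_read_allowed(proc_ctx, file_ctx, type_attrs):
    """Evaluate the quoted mlsconstrain for file { read ... }.

    type_attrs maps a type name to the set of attributes it carries.
    Returns the clause that granted access, or None if the constraint
    denies it (an allow rule must still exist in addition).
    """
    h1, h2 = high_level(proc_ctx), high_level(file_ctx)
    t1_attrs = type_attrs.get(context_type(proc_ctx), set())
    t2_attrs = type_attrs.get(context_type(file_ctx), set())

    if dominates(h1, h2):
        return "h1 dom h2"
    if "mcsreadall" in t1_attrs:
        return "t1 == mcsreadall"
    if "mcsuntrustedproc" not in t1_attrs and "domain" in t2_attrs:
        return "t1 != mcsuntrustedproc and t2 == domain"
    return None


# Constructed attribute map for the demonstration (hypothetical, not RHEL6's).
DEMO_ATTRS = {
    "svirt_t":        {"domain", "mcsuntrustedproc"},  # MCS-separated, untrusted process type
    "staff_t":        {"domain"},                      # an ordinary trusted domain
    "svirt_image_t":  set(),                           # a file type: no domain attribute
    "readall_demo_t": {"domain", "mcsreadall"},        # hypothetical type carrying mcsreadall
}

if __name__ == "__main__":
    cases = [
        ("system_u:system_r:svirt_t:s0:c1,c2", "system_u:object_r:svirt_image_t:s0:c1,c2"),
        ("system_u:system_r:svirt_t:s0:c1,c2", "system_u:object_r:svirt_image_t:s0:c3"),
        ("system_u:system_r:svirt_t:s0:c1,c2", "system_u:system_r:svirt_t:s0:c3"),
        ("staff_u:staff_r:staff_t:s0",         "system_u:system_r:svirt_t:s0:c3"),
        ("staff_u:staff_r:staff_t:s0",         "system_u:object_r:svirt_image_t:s0:c3"),
        ("staff_u:staff_r:readall_demo_t:s0",  "system_u:object_r:svirt_image_t:s0:c3"),
    ]
    for proc, obj in cases:
        print(f"{proc:42} -> {obj:42}: {mcs_read_allowed(proc, obj, DEMO_ATTRS)}")
```

The third clause is what lets a trusted domain without categories read another domain's /proc/pid entries (whose type carries the domain attribute) while an mcsuntrustedproc domain with mismatched categories cannot; a plain file type such as svirt_image_t is never reachable through that clause, only through dominance or mcsreadall.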