Re: Policy Constraints

On 03/30/2015 08:37 AM, Dominick Grift wrote:
> I vaguely recall me touching on the following before. I forgot what, if any, outcome there was. Consider the following:
> 
> I have a constraint like this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u1 staff_u))
>                 (eq u1 sysadm_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
> The sysadm_u and staff_u identities are supposed to be optional and so I change the above to this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
>         (optional staff
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 staff_u)))
> 
>         (optional sysadm
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 sysadm_u)))
> 
> The above builds and seinfo shows the three blocks, but for some reason it is not honored. E.g. the first example works but the latter does not.
> 
> Is this a known issue, or known limitation? Should this work?
> 
> We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.

I can't speak to the CIL aspects of this, but as far as kernel policy is
concerned, if you write multiple constraints on a single
class/permission, then each constraint must evaluate to true in order
for the permission to be allowed, i.e. they are ANDed, not ORed.
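To make the point concrete, here is a small evaluator, added here and not part of the thread, that applies the kernel's AND semantics to the two versions of the constraint quoted above. It assumes a constructed set of types carrying ubac_constrained_subject_type and drops the (process (...)) class/permission header, which is identical for all of the constraints; with both optional blocks enabled, the split version denies every case the single constraint permitted.

```python
ATTRIBUTES = {"ubac_constrained_subject_type": {"user_t", "staff_t", "sysadm_t"}}  # constructed

# The constraint expressions from the message, without the shared (process (...)) header.
SINGLE_CONSTRAINT = [
    "(or (or (or (or (or (eq u1 u2) (eq u1 system_u)) (eq u1 staff_u))"
    " (eq u1 sysadm_u)) (eq u2 system_u)) (neq t1 ubac_constrained_subject_type))",
]
SPLIT_CONSTRAINTS = [  # the rewrite, with both optional blocks enabled
    "(or (or (or (eq u1 u2) (eq u1 system_u)) (eq u2 system_u))"
    " (neq t1 ubac_constrained_subject_type))",
    "(eq u1 staff_u)",
    "(eq u1 sysadm_u)",
]

def parse(text):
    """Read one s-expression into nested lists of tokens."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    def read(pos):
        if tokens[pos] != "(":
            return tokens[pos], pos + 1
        node, pos = [], pos + 1
        while tokens[pos] != ")":
            item, pos = read(pos)
            node.append(item)
        return node, pos + 1
    return read(0)[0]

def evaluate(expr, ctx):
    """ctx maps u1/u2/t1/t2 to the source and target context fields."""
    op = expr[0]
    if op in ("or", "and"):
        a, b = evaluate(expr[1], ctx), evaluate(expr[2], ctx)
        return (a or b) if op == "or" else (a and b)
    lhs, rhs = ctx.get(expr[1], expr[1]), ctx.get(expr[2], expr[2])
    # Comparing against a type attribute tests membership in that attribute.
    equal = lhs in ATTRIBUTES[rhs] if rhs in ATTRIBUTES else lhs == rhs
    return equal if op == "eq" else not equal

def permitted(constraints, ctx):
    """Kernel semantics from the reply: every constraint on the class/perm must hold."""
    return all(evaluate(parse(c), ctx) for c in constraints)

if __name__ == "__main__":
    for ctx in ({"u1": "staff_u", "u2": "user_u", "t1": "staff_t", "t2": "user_t"},
                {"u1": "system_u", "u2": "system_u", "t1": "init_t", "t2": "init_t"}):
        print(ctx["u1"], "->", ctx["u2"], "single:", permitted(SINGLE_CONSTRAINT, ctx),
              "split:", permitted(SPLIT_CONSTRAINTS, ctx))
```

Enabling only one optional block is no better: staff_u is then allowed only where the base constraint already held on its own, so the optional adds nothing.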

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx