Re: Policy Constraints

On 03/30/2015 08:37 AM, Dominick Grift wrote:
> I vaguely recall me touching on the following before. I forgot what, if any, outcome there was. Consider the following:
> 
> I have a constraint like this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u1 staff_u))
>                 (eq u1 sysadm_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
> The sysadm_u and staff_u identities are supposed to be optional and so I change the above to this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
>         (optional staff
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 staff_u)))
> 
>         (optional sysadm
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 sysadm_u)))
> 
> The above builds and seinfo shows the three blocks, but for some reason it is not honored. E.g. the first example works but the latter does not.
> 
> Is this a known issue, or known limitation? Should this work?
> 
> We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.
> 

I agree, we would need an identityattribute (or userattribute for
consistency) rule in CIL to support this. It probably wouldn't be too
difficult to add since it would be very similar to how roleattributes work.
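The behaviour in the first message follows from how the kernel evaluates constraints: every constrain statement covering the permission is checked on its own, and a single false one denies the access, so the three split statements are effectively ANDed rather than ORed. The model below is an added example, not code from the thread or from CIL; the tuple encoding of the expressions and the attribute membership of the sample types are assumptions.

```python
# Constructed sample data: types carrying the attribute named in the constraint.
TYPE_ATTRS = {"staff_t": {"ubac_constrained_subject_type"}, "sshd_t": set()}
PROCESS_PERMS = {"sigchld", "sigkill", "sigstop", "signull", "signal", "ptrace",
                 "getsched", "setsched", "getsession", "getpgid", "setpgid",
                 "getcap", "setcap", "share", "getattr", "setrlimit"}

def _operand(name, ctx):
    """u1/u2/t1 are read from the source/target contexts; others are literals."""
    return ctx.get(name, name)

def _same(a, b):
    """eq holds for identical names or for a type that carries the attribute."""
    return a == b or b in TYPE_ATTRS.get(a, set()) or a in TYPE_ATTRS.get(b, set())

def eval_expr(expr, ctx):
    """Evaluate a nested (op, ...) tuple mirroring the CIL expression tree."""
    op = expr[0]
    if op == "eq":
        return _same(_operand(expr[1], ctx), _operand(expr[2], ctx))
    if op == "neq":
        return not _same(_operand(expr[1], ctx), _operand(expr[2], ctx))
    if op == "and":
        return eval_expr(expr[1], ctx) and eval_expr(expr[2], ctx)
    if op == "or":
        return eval_expr(expr[1], ctx) or eval_expr(expr[2], ctx)
    if op == "not":
        return not eval_expr(expr[1], ctx)
    raise ValueError(f"unknown operator {op!r}")

def allowed(constraints, perm, ctx):
    """Kernel semantics: every constraint that covers perm must evaluate true."""
    return all(eval_expr(expr, ctx) for perms, expr in constraints if perm in perms)

# The single expression from the first message.
ORIGINAL = [(PROCESS_PERMS,
             ("or", ("or", ("or", ("or", ("or", ("eq", "u1", "u2"),
              ("eq", "u1", "system_u")), ("eq", "u1", "staff_u")),
              ("eq", "u1", "sysadm_u")), ("eq", "u2", "system_u")),
              ("neq", "t1", "ubac_constrained_subject_type")))]

# The same policy split into a base constraint plus the two optional blocks.
SPLIT = [(PROCESS_PERMS,
          ("or", ("or", ("or", ("eq", "u1", "u2"), ("eq", "u1", "system_u")),
           ("eq", "u2", "system_u")),
           ("neq", "t1", "ubac_constrained_subject_type"))),
         (PROCESS_PERMS, ("eq", "u1", "staff_u")),   # (optional staff ...)
         (PROCESS_PERMS, ("eq", "u1", "sysadm_u"))]  # (optional sysadm ...)

# Constructed access: a staff_u process signalling a user_u process.
STAFF_TO_USER = {"u1": "staff_u", "u2": "user_u", "t1": "staff_t"}
```

With the split form every process permission listed is denied unless u1 is both staff_u and sysadm_u at once, which no context satisfies.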
_______________________________________________
Selinux mailing list