What is the intended behavior for a user's allowed range in the policy vs. any labels in the policy (e.g. netifcon)? My expectation is that the allowed range should still apply, but it doesn't seem that checkpolicy checks that, based on what I've seen. For example, the new sediff test policies have this user[1]: user added_user roles system level s1 range s1; and checkpolicy doesn't error on this[2] later in the policy: genfscon added_genfs / added_user:object_r:system:s0 I think this should fail compilation since s0 is not in added_user's allowed range. [1] https://github.com/TresysTechnology/setools/blob/master/tests/diff_right.conf#L605 [2] https://github.com/TresysTechnology/setools/blob/master/tests/diff_right.conf#L633 -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
