On 03/25/2016 12:02 PM, Dominick Grift wrote:
> I set out to try mcstransd again today. After doing to searching I
> found a clue about the requirement to add accesscheck=1 to
> setrans.conf to at least enable checking of the translate av perm.
>
> So I added a few auditallow rules that should catch at least some
> checks however: nothing shows up in the logs.
>
> Either I am overlooking something or the mcstransd object manager is
> broken

Yes, I mentioned the lack of this access check in
http://article.gmane.org/gmane.comp.security.selinux/22011

However, the mcscolor code within mcstrans still does a check of the
context contains permission. This is only exercised if something calls
selinux_raw_context_to_color() in libselinux, and if one has a
secolor.conf. That was added for SELinux-aware graphical applications
which display security contexts in order to associate color schemes
with security contexts. Likely unused in Fedora but may be used in
various MLS desktop solutions built on SELinux.