Re: rpm running with MLS range?

On 07/22/16 09:41, Miroslav Grepl wrote:
> Hi folks,
> we define an MLS range for some directories in the policy and because we
> have SELinux support in rpm, we can end up with AVC msgs like
>
> type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
> pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
> scontext=root:system_r:rpm_t:s0
> tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
>
> Does it make sense to have rpm_t running with a range or should we think
> about a new MLS attribute for "file ( relabelto )"?

Normally package managers aren't processing sensitive (in the MLS sense) data. Creating objects higher than system low is an exceptional case, so I'd go with a new MLS exception (attribute).

--
Chris PeBenito
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
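
An added example, not part of the thread or of the policy: a Python check that parses the AVC quoted above and tests whether the subject's high level dominates the target's high level. It assumes the MLS constraint on relabelto requires the relabeling subject's clearance to dominate the new label (`h1 dom h2`) and ignores any MLS exception attributes; the function names are illustrative.

```python
import re

# AVC record from the message above, joined onto one line.
AVC = ('type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for '
       'pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147 '
       'scontext=root:system_r:rpm_t:s0 '
       'tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir')

def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0, ..., 1023}))."""
    sens, _, cats = level.partition(":")
    members = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c1023' is a category span
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        members.update(range(first, last + 1))
    return int(sens[1:]), frozenset(members)

def parse_range(context):
    """Return (low, high) levels of a user:role:type:range context."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)  # single level: low == high

def dominates(a, b):
    """a dom b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def relabelto_allowed_by_mls(avc):
    """Assumed constraint: subject high level (h1) must dominate target high (h2)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", avc))
    _, h1 = parse_range(fields["scontext"])
    _, h2 = parse_range(fields["tcontext"])
    return dominates(h1, h2)

if __name__ == "__main__":
    # rpm_t at s0 does not dominate s15:c0.c1023, matching the denial.
    print("as logged:", relabelto_allowed_by_mls(AVC))
    # Constructed variant: the same record with rpm_t given the full range.
    ranged = AVC.replace("rpm_t:s0 ", "rpm_t:s0-s15:c0.c1023 ")
    print("rpm_t with range:", relabelto_allowed_by_mls(ranged))
```

The constructed variant corresponds to the "rpm_t running with a range" option; an MLS exception attribute would instead bypass this dominance test for the exempted type.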


