MLS dominance check behavior on el7

We currently have code running on el6 that does an MLS dominance check by calling security_compute_av_raw with the security object class SECCLASS_CONTEXT and permission CONTEXT__CONTAINS, as you can see in the Python code below. When I run this code on el6, s1 dominates s0; however, when I run the same code on el7, s1 does not dominate s0. On both systems the file read dominance check works as expected. Can anyone help me understand why the context contains check does not work the same on both systems?

Ted

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

from __future__ import print_function  # same print() behaviour on Python 2 and 3
import selinux

# Class and permission values are looked up by name from the loaded policy
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")
SECCLASS_FILE = selinux.string_to_security_class("file")
FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, "read")

raw_con1 = "user_u:user_r:user_t:s1"
raw_con2 = "user_u:user_r:user_t:s0"

# Check 1: does the policy grant "context contains" from raw_con1 to raw_con2?
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))
    if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:
    print("exception calling selinux.security_compute_av_raw", ex)

# Check 2: may a subject at raw_con1 read a file labelled raw_con2?
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_FILE, FILE__READ, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))
    if (avd.allowed & FILE__READ) == FILE__READ:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:  # bind the exception so it can be printed
    print("exception calling selinux.security_compute_av_raw", ex)
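As an added illustration (not code from the post above or from libselinux), the following models the MLS arithmetic behind the two calls: a plain "high level dominates" comparison and the range-containment rule (h1 dom h2 and l1 domby l2) that the reference policy's mls constraints use for context contains. Which rule the kernel applies is decided by the mlsconstrain in the policy actually loaded, so that line has to be checked in each distribution's policy source; the code assumes the usual s<N>:c<a>.c<b> level syntax and that the range is the fourth colon-separated field of a raw context.

```python
import re

# Added example (not from the original post or from libselinux): a pure-Python
# model of MLS levels so the two readings of "context contains" can be compared
# offline. Which reading the kernel applies is fixed by the mlsconstrain on class
# context in the loaded policy, not by the libselinux call in the post.
_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")

def parse_level(text):
    """Parse 's1:c0.c3,c7' into (sensitivity, frozenset of category numbers)."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("bad MLS level: %r" % text)
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c3' is the range c0..c3
        lo = int(lo.lstrip("c"))
        hi = int(hi.lstrip("c")) if hi else lo
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)

def dominates(a, b):
    """a dom b: sensitivity(a) >= sensitivity(b) and categories(a) is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """Parse 'low-high'; a bare level such as 's1' means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def mls_range(raw_context):
    """MLS field of 'user:role:type:range' (the range may itself contain ':')."""
    return raw_context.split(":", 3)[3]

def high_dominates(ctx_a, ctx_b):
    """Reading 1: compare high levels only (h1 dom h2)."""
    return dominates(parse_range(mls_range(ctx_a))[1],
                     parse_range(mls_range(ctx_b))[1])

def range_contains(ctx_a, ctx_b):
    """Reading 2: ctx_a's range encloses ctx_b's, i.e. (h1 dom h2) and (l1 domby l2).
    This is the form used by the reference policy's mls constraints (assumption:
    compare with the mlsconstrain context contains line of the policy in use)."""
    lo_a, hi_a = parse_range(mls_range(ctx_a))
    lo_b, hi_b = parse_range(mls_range(ctx_b))
    return dominates(hi_a, hi_b) and dominates(lo_b, lo_a)
```

For the single-level contexts in the post the two readings disagree: high_dominates(s1, s0) is True, while range_contains(s1, s0) is False because s0 lies below the low end of s1's degenerate range.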

_______________________________________________
Selinux mailing list
