Hello,

The user level is currently used as the range for files under HOME_DIR.

It appears that the Bell-LaPadula model makes the assumption that all objects are single-leveled; this assumption is also made in libsepol. (I haven't really found a good source for this assumption.)

But in my own (MCS) policy objects are not single-leveled. Read (and process communication) operations are allowed if a process's high level dominates an object's low level. Write operations are allowed if a process's high level dominates an object's high level. Later I found that someone else had also come up with this idea independently, see https://lore.kernel.org/selinux/20091103114530.GH1672@xxxxxxxxxxxxxxxxxxx/ and https://lore.kernel.org/selinux/20091125202727.GD1649@xxxxxxxxxxxxxxxxxxx/ .

For this I want to label files under HOME_DIR with the range user_lowest-user_highest. Ignoring process communication, this would prevent a login with less than maximum clearance from escalating by writing to e.g. ~/.bashrc .

For example, a user with the range s0-s0:c0.c3 would have his home files labeled as s0-s0:c0.c3. A local tty login with the maximum clearance s0-s0:c0.c3 would be able to edit ~/.bashrc . But an ssh login from e.g. an insecure network with only the range s0-s0:c1 would be able to read but not write important files such as ~/.bashrc .

Using user_highest-user_highest as the user level would force the user to correct the context of potentially a lot of files required by whatever is run with less than user_highest as high level, so I want to avoid this.

Would it make sense to change libsepol to accept a range as user level (and perhaps change the name)?

--
bauen1
https://dn42.bauen1.xyz/
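To make the proposed rule concrete, here is a small model of it as an added example; it is not part of the message above and not code from libsepol or the SELinux kernel module. It assumes the rule exactly as stated in the post (read allowed when the process's high level dominates the object's low level, write allowed when it dominates the object's high level), standard MLS dominance (higher-or-equal sensitivity and a superset of categories), MCS-style level syntax such as s0:c0.c3, and constructed sample ranges for the tty and ssh logins from the post.

```python
# Model of the range-based read/write rule described in the post (added example,
# not part of the original message or of libsepol/SELinux). Level and range
# syntax follows the MCS form "s0:c0.c3" and "low-high"; every sample context
# below is constructed for illustration.

def parse_level(text):
    """Parse 's0' or 's0:c0.c3,c5' into (sensitivity, frozenset of categories)."""
    sens_part, _, cat_part = text.partition(":")
    if not sens_part.startswith("s"):
        raise ValueError(f"bad sensitivity in level {text!r}")
    sensitivity = int(sens_part[1:])
    cats = set()
    if cat_part:
        for item in cat_part.split(","):
            lo, _, hi = item.partition(".")      # "c0.c3" is a category span
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return sensitivity, frozenset(cats)


def dominates(a, b):
    """MLS dominance: a >= b iff sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """Parse 'low-high' (or a single level, meaning low == high) into (low, high)."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return lo, hi


def may_read(proc_range, obj_range):
    """Read is allowed if the process's high level dominates the object's low level."""
    _, proc_high = proc_range
    obj_low, _ = obj_range
    return dominates(proc_high, obj_low)


def may_write(proc_range, obj_range):
    """Write is allowed if the process's high level dominates the object's high level."""
    _, proc_high = proc_range
    _, obj_high = obj_range
    return dominates(proc_high, obj_high)


def access(proc, obj):
    """Return the (read, write) decision for a process range against an object range."""
    p, o = parse_range(proc), parse_range(obj)
    return may_read(p, o), may_write(p, o)


if __name__ == "__main__":
    # Files under HOME_DIR labelled user_lowest-user_highest, as the post proposes.
    home = "s0-s0:c0.c3"
    for name, proc in [("tty login", "s0-s0:c0.c3"), ("ssh login", "s0-s0:c1")]:
        r, w = access(proc, home)
        print(f"{name:10} {proc:14} read={r} write={w}")
    # The alternative labelling user_highest-user_highest: the ssh login with
    # range s0-s0:c1 could then no longer read the same files at all.
    print("ssh login vs s0:c0.c3-s0:c0.c3:", access("s0-s0:c1", "s0:c0.c3-s0:c0.c3"))
```

Running the script shows the two cases from the post side by side: the tty login at full clearance gets read and write on the home files, the ssh login at s0-s0:c1 gets read but not write, and with the files instead labelled s0:c0.c3-s0:c0.c3 the ssh login loses read access too, which is the breakage the post wants to avoid.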