* MCS Policy.
@ 2005-08-30 18:38 Daniel J Walsh
0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2005-08-30 18:38 UTC (permalink / raw)
To: Stephen Smalley, Darrel Goeddel, SELinux
I have now added the following range_transitions to mcs policy
+range_transition init_t getty_exec_t s0 - s0:c0.c127;
+range_transition getty_t login_exec_t s0 - s0:c0.c127;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c127;
Kernel is starting out with s0.
The only problem I am seeing now is initrc wants to read the process's
pid on a killall and gets denials for getty, login, udev and cups. Is
there an easy way to allow this without increasing initrc's range?
I am also having problems getting root to log in with s0-s0:c0.127.
It seems to always transition to s0.
In targeted policy local login logs root in as
user_u:system_r:unconfined_t:s0
ssh and su log in as
root:system_r:unconfined_t:s0
/etc/selinux/targeted/contexts/users/root looks like
system_r:unconfined_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
system_r:initrc_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
system_r:local_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
system_r:remote_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
system_r:rshd_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
system_r:crond_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* mcs policy
@ 2008-01-25 0:06 Justin Mattock
2008-01-25 18:36 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Justin Mattock @ 2008-01-25 0:06 UTC (permalink / raw)
To: selinux
Hello, I was wondering if this is possible with the MCS policy: when using
firefox I would issue newrole -r user_r -l s0-s0:c10.c20, then start firefox
with these numbers; then if I wanted to start streamtuner, I would issue newrole -r
user_r -l s0-s0:c190.c200 to listen to music. Now I've noticed that when I'm in
the firefox role and categories, streamtuner still starts. Is there a way to
keep this from happening?
regards,
--Justin P. Mattock
* Re: mcs policy
2008-01-25 0:06 mcs policy Justin Mattock
@ 2008-01-25 18:36 ` Stephen Smalley
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2008-01-25 18:36 UTC (permalink / raw)
To: Justin Mattock; +Cc: selinux
On Thu, 2008-01-24 at 16:06 -0800, Justin Mattock wrote:
> Hello I was wondering if this is possible with the mcs policy: when
> using firefox I would issue newrole -r user_r -l s0-s0:c10.c20 then
> start firefox with these numbers, then if I wanted to start
> streamtuner issue newrole -r user_r -l s0-s0:c190.c200 to listen to
> music. Now I've noticed when I'm in the firefox role and categories
> streamtuner still starts, is there a way to keep this from happening?
I'd suggest just using the TE policy, and defining different domains for
firefox and streamtuner. I don't think MCS is really what you want
there - it is a user-oriented access control scheme.
--
Stephen Smalley
National Security Agency
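An added illustration of why a session confined to s0-s0:c10.c20 can still execute a binary left at the default level s0, and of the dominance check behind Dan's s0-s0:c0.c127 root range. This is example code written for this page, not from the SELinux project or either poster; it assumes the MCS rule that the process's high level must dominate the file's level, and the level syntax used in the contexts quoted above.

```python
# Added illustration of MCS level dominance for the contexts discussed in this thread.
# Assumptions: a level is "s<N>[:cats]" with cats written as "c10.c20" (range),
# "c1,c3" (list) or a mix; a range "low-high" splits on "-"; MCS lets a process
# touch a file when the process's high level dominates the file's level.
import re

def parse_cats(spec):
    """Expand 'c0.c127,c200' into a set of category numbers."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return cats

def parse_level(text):
    """'s0:c10.c20' -> (0, {10..20}); 's0' -> (0, set())."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError("bad level: %r" % text)
    return int(m.group(1)), parse_cats(m.group(2))

def parse_range(text):
    """'s0-s0:c0.c127' -> (low, high); a bare level is its own low and high."""
    low, _, high = text.strip().partition("-")
    low_l = parse_level(low)
    return low_l, (parse_level(high) if high else low_l)

def dominates(a, b):
    """a dominates b when its sensitivity is >= b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def process_can_access(proc_range, file_level):
    """MCS-style check (assumed rule): the process high level must dominate the file."""
    _, high = parse_range(proc_range)
    return dominates(high, parse_level(file_level))

if __name__ == "__main__":
    # Justin's firefox session vs. a streamtuner binary left at the default level s0:
    print(process_can_access("s0-s0:c10.c20", "s0"))            # True: s0 has no categories
    # ... vs. a file relabelled into the streamtuner categories:
    print(process_can_access("s0-s0:c10.c20", "s0:c190.c200"))  # False
    # Dan's root range from contexts/users/root covers the firefox categories:
    print(process_can_access("s0-s0:c0.c127", "s0:c10.c20"))    # True
```

The last two calls show the practical point of Stephen's reply: category separation only bites once the files themselves carry categories, which is why distinct TE domains are the natural way to keep firefox and streamtuner apart.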