Message-ID: <43C2CD73.1000006@redhat.com>
Date: Mon, 09 Jan 2006 15:54:11 -0500
From: Daniel J Walsh
MIME-Version: 1.0
To: Stephen Smalley
CC: James Morris, SE Linux
Subject: Re: MLS/MCS Constraints causing problems for unconfined_t.
References: <43C28BB0.1070601@redhat.com> <1136824820.19934.64.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1136824820.19934.64.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Stephen Smalley wrote:
> On Mon, 2006-01-09 at 11:13 -0500, Daniel J Walsh wrote:
>
>> Currently unconfined_t cannot read the pid of certain domains in
>> targeted policy that are running at s0-s0:c0.c255.
>> For instance audit2allow will give the following after a reboot, since
>> the shutdown process tries to killall processes and reads these.
>>
>> allow unconfined_t auditd_t:file read;
>> allow unconfined_t crond_t:file read;
>> allow unconfined_t cupsd_t:file read;
>> allow unconfined_t hald_t:file read;
>> allow unconfined_t udev_t:file read;
>> allow unconfined_t self:file read;
>> allow unconfined_t xdm_t:file read;
>>
>> Also if a sysadm runs top it will generate this kind of AVC message.
>> These are somewhat expected, should we dontaudit these? Will dontaudit
>> work on an MLS Constraint failure?
>>
>
> For MCS, the obvious question is why are these domains running ranged?
>
Things like login programs need to allow the user to login at certain ranges via seusers. So if I can login as s0-s0:c0,c4, login programs and cron need to be able to start jobs at that level. Similarly if cups needs to be able to print labeled files.

> For MLS, is unconfined_t used?
>
> dontaudit will suppress audit messages caused by a constraint if the
> types and class match.
>
No, but I just see top as staff user triggering lots of AVCs. So I guess we should allow and dontaudit them.
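The following is an added illustration written for this archive page, not code from either participant. It does two things the thread talks around: it shows, with a small MCS level parser, why a plain-s0 unconfined_t process fails the category check against a daemon running at s0-s0:c0.c255 (this assumes the refpolicy MCS form of the file-read constraint, where the subject's high level must dominate the target's high level), and it turns the audit2allow output quoted above into the "allow and dontaudit" policy module Dan proposes. The module name and the sample input are constructed here; the seven rules are the ones from the message.

```python
"""MCS category dominance and an allow+dontaudit module generator.

Added example for the SELinux list thread above; not the poster's code.
Assumption: MCS file read is gated by ( h1 dom h2 ), i.e. the subject's
high level must carry every category of the target's high level.
"""
import re

# Constructed sample: the audit2allow output quoted in the message.
SAMPLE_AUDIT2ALLOW = """\
allow unconfined_t auditd_t:file read;
allow unconfined_t crond_t:file read;
allow unconfined_t cupsd_t:file read;
allow unconfined_t hald_t:file read;
allow unconfined_t udev_t:file read;
allow unconfined_t self:file read;
allow unconfined_t xdm_t:file read;
"""


def parse_level(level):
    """'s0:c0.c255' -> (0, {0..255}); 's0' -> (0, empty set).
    'c0.c255' is a contiguous run, 'c0,c4' an explicit list."""
    sens, _, catspec = level.partition(":")
    cats = set()
    for part in filter(None, catspec.split(",")):
        lo, _, hi = part.partition(".")
        hi = hi or lo
        cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
    return int(sens[1:]), frozenset(cats)


def parse_range(ctx_range):
    """Split 's0-s0:c0.c255' into (low, high); a single level is its own high."""
    low, _, high = ctx_range.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """a dom b: higher-or-equal sensitivity and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_read_allowed(subject_range, object_range):
    """Assumed MCS read constraint: subject high dominates object high.
    unconfined_t at 's0' versus a /proc entry at 's0-s0:c0.c255' fails here."""
    _, subj_high = parse_range(subject_range)
    _, obj_high = parse_range(object_range)
    return dominates(subj_high, obj_high)


RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Return (source, target, class, perms) tuples from audit2allow-style lines.
    Both 'read' and '{ read getattr }' permission forms are accepted."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, tuple(perms.strip("{} ").split())))
    return rules


def build_dontaudit_module(name, rules):
    """Emit .te source that allows each access and dontaudits it, so a denial
    that comes from the MCS constraint rather than TE no longer logs an AVC.
    'self' is a keyword, not a type, so it is kept out of the require block."""
    types = sorted({t for r in rules for t in (r[0], r[1]) if t != "self"})
    classes = {}
    for _, _, cls, perms in rules:
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src, tgt, cls, perms in rules:
        pset = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {pset};")
        out.append(f"dontaudit {src} {tgt}:{cls} {pset};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("s0 reading s0-s0:c0.c255:", mcs_read_allowed("s0", "s0-s0:c0.c255"))
    print(build_dontaudit_module("unconfined_mcs_dontaudit",
                                 parse_allow_rules(SAMPLE_AUDIT2ALLOW)))
```

The generated text is ordinary policy-module source; on a system with the policy development tools it would be compiled with checkmodule and semodule_package and loaded with semodule. Note that the dontaudit only silences the message: with the domains still running ranged, the constraint still denies the read, which is exactly the behaviour Stephen describes.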
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.