From: Stephen Smalley <sds@tycho.nsa.gov>
To: Tracy Reed <treed@ultraviolet.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: MCS error
Date: Fri, 20 Feb 2015 12:33:09 -0500
Message-ID: <54E76FD5.1080905@tycho.nsa.gov>
In-Reply-To: <54E769FA.8010801@tycho.nsa.gov>

On 02/20/2015 12:08 PM, Stephen Smalley wrote:
> On 02/20/2015 11:56 AM, Tracy Reed wrote:
>> On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
>>> Can you show the actual constraints on RHEL6?  seinfo --constrain
>>> output, or grab the .src.rpm and pull out the mcs file.
>>
>> Here is the seinfo --constrain output from RHEL6. Thanks for having a look!
> 
> Sigh. Not preserved in attribute form in that version.  Ok, I grabbed
> selinux-policy-3.7.19-231.el6.src.rpm and extracted the mcs file from
> it; it has:
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans }
>         (( h1 dom h2 ) or ( t1 == mcsreadall ) or
>         (( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> which means:
> 
> "Only allow read (or the other listed permissions) if the process high
> level dominates the file high level or the process type has the
> mcsreadall attribute or the process type does not have the
> mcsuntrustedproc attribute and the object type has the domain attribute
> (i.e. the object is a /proc/pid file)."
> 
> So I'm guessing user_t has mcsreadall?  What does seinfo -tuser_t -x |
> grep mcs show?

Also, can you confirm that the system is enforcing?  getenforce?
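
To make the semantics of the quoted mlsconstrain concrete, here is a small added evaluator (not code from the thread or from the selinux-policy package) that parses MCS levels, checks `h1 dom h2` on category sets, and walks the three disjuncts of the constraint in order. The attribute table, the type names other than user_t and user_home_t, and all levels are constructed for the example; on a real host the attributes come from `seinfo -t<type> -x` as Stephen suggests.

```python
import re

# Added example, not part of the original thread: an evaluator for the RHEL6
# "mlsconstrain file { read ioctl lock execute execute_no_trans } ..." rule.
LEVEL_RE = re.compile(r"^s(\d+)(?::(.*))?$")


def parse_mcs_level(level):
    """Parse an MCS level like 's0:c1,c3.c5' into (sensitivity, frozenset(categories)).

    Category ranges written as cN.cM are expanded, so 's0:c0.c1023' yields all
    1024 categories. A bare 's0' has an empty category set.
    """
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError("not an MCS level: %r" % level)
    sensitivity = int(m.group(1))
    categories = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return sensitivity, frozenset(categories)


def dominates(h1, h2):
    """'h1 dom h2' in constraint syntax: h1's sensitivity is at least h2's and
    h1's category set is a superset of h2's (empty set is dominated by all)."""
    s1, c1 = parse_mcs_level(h1)
    s2, c2 = parse_mcs_level(h2)
    return s1 >= s2 and c1 >= c2


def mcs_file_read_decision(proc_type, proc_high, file_type, file_high, attrs):
    """Evaluate the quoted constraint for file { read ioctl lock execute execute_no_trans }.

    Returns (permitted, clause): clause names the disjunct that satisfied the
    constraint, or None when the constraint is violated. attrs maps a type to
    its attribute set (constructed here; a real table comes from seinfo).
    A satisfied constraint only means the constraint does not block the access;
    an allow rule for the (source type, target type) pair is still required.
    """
    t1 = attrs.get(proc_type, frozenset())
    t2 = attrs.get(file_type, frozenset())
    if dominates(proc_high, file_high):
        return True, "h1 dom h2"
    if "mcsreadall" in t1:
        return True, "t1 == mcsreadall"
    if "mcsuntrustedproc" not in t1 and "domain" in t2:
        return True, "t1 != mcsuntrustedproc and t2 == domain"
    return False, None


# Constructed attribute table for the example. readall_example_t and
# untrusted_example_t are hypothetical names, not types from the RHEL6 policy.
EXAMPLE_ATTRS = {
    "user_t": frozenset({"domain"}),
    "readall_example_t": frozenset({"domain", "mcsreadall"}),
    "untrusted_example_t": frozenset({"domain", "mcsuntrustedproc"}),
    "user_home_t": frozenset(),  # an ordinary file type, not a domain
}

if __name__ == "__main__":
    cases = [
        ("user_t", "s0", "user_home_t", "s0:c3"),            # no dominance: blocked
        ("user_t", "s0:c0.c1023", "user_home_t", "s0:c3"),   # full category range dominates
        ("user_t", "s0", "user_t", "s0:c3"),                 # target is a /proc/pid of a domain
        ("readall_example_t", "s0", "user_home_t", "s0:c3"), # mcsreadall bypasses dominance
        ("untrusted_example_t", "s0", "user_t", "s0:c3"),    # untrusted proc gets no /proc exception
    ]
    for proc_type, ph, file_type, fh in cases:
        ok, why = mcs_file_read_decision(proc_type, ph, file_type, fh, EXAMPLE_ATTRS)
        print("%s:%s -> %s:%s : %s (%s)" % (proc_type, ph, file_type, fh,
                                            "passes constraint" if ok else "BLOCKED", why))
```

The third case is the one the quoted explanation calls out: a process with no categories may still read a /proc/pid file labelled with a domain type, because the object type carries the domain attribute and the subject type lacks mcsuntrustedproc; that exception does not apply to an ordinary file type such as user_home_t.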
