From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: User range vs. context's range
To: Stephen Smalley , SELinux List
References: <569FF52A.6040207@tresys.com> <569FFA78.2010302@tycho.nsa.gov>
From: "Christopher J. PeBenito"
Message-ID: <56A0D998.7050409@tresys.com>
Date: Thu, 21 Jan 2016 08:14:00 -0500
MIME-Version: 1.0
In-Reply-To: <569FFA78.2010302@tycho.nsa.gov>
Content-Type: text/plain; charset="windows-1252"
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:

On 1/20/2016 4:22 PM, Stephen Smalley wrote:
> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote:
>> What is the intended behavior for a user's allowed range in the policy
>> vs. any labels in the policy (e.g. netifcon)? My expectation is that
>> the allowed range should still apply, but it doesn't seem that
>> checkpolicy checks that, based on what I've seen. For example, the new
>> sediff test policies have this user[1]:
>>
>> user added_user roles system level s1 range s1;
>>
>> and checkpolicy doesn't error on this[2] later in the policy:
>>
>> genfscon added_genfs / added_user:object_r:system:s0
>>
>> I think this should fail compilation since s0 is not in added_user's
>> allowed range.
>
> Not for objects (object_r), same as with role-type relation.

I don't understand the logic for that. For the role-type relation, all
types are implicitly added to object_r, which makes that behavior make
sense, but the user has an explicitly-stated allowed range.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
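The check under discussion, the MLS range of a labelled object being contained in the declared range of the user named in its context, is easy to state as a dominance test over (sensitivity, category set) pairs. The following is an added example written for this page, not code from checkpolicy or from either participant; it implements the containment check Chris expects and reports which `genfscon` lines would fail it, without asserting that checkpolicy itself behaves this way (Stephen says it deliberately does not for `object_r` contexts). The sensitivity ordering `SENS_ORDER`, the `system_u` user, and the extra `genfscon` lines are constructed sample input; only the `added_user` and `added_genfs` lines echo the thread. The parser handles only the plain `user ... level L range R;` and `genfscon FS PATH CONTEXT` forms shown here, with categories written as `cN`, `cA.cB` ranges, or comma lists.

```python
import re

# Constructed sensitivity ordering, low to high. A real policy derives this
# from its sensitivity/dominance statements; it is hard-coded here as an assumption.
SENS_ORDER = ["s0", "s1", "s2", "s3"]


def parse_categories(spec):
    """'c0.c3,c5' -> frozenset({0, 1, 2, 3, 5}); '' -> empty set."""
    cats = set()
    if not spec:
        return frozenset()
    for item in spec.split(","):
        if "." in item:                      # cA.cB is an inclusive run
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return frozenset(cats)


def parse_level(text):
    """'s1:c0.c2' -> (1, {0, 1, 2}); 's0' -> (0, {})."""
    sens, _, cats = text.strip().partition(":")
    return (SENS_ORDER.index(sens), parse_categories(cats))


def parse_range(text):
    """'s0 - s3:c0.c3' -> (low, high); a bare level is a range of one level."""
    parts = [p.strip() for p in text.split("-")]
    low = parse_level(parts[0])
    high = parse_level(parts[1]) if len(parts) > 1 else low
    return (low, high)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_within(inner, outer):
    """inner range is contained in outer: outer.low <= inner.low, inner.high <= outer.high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])


USER_RE = re.compile(
    r"^user\s+(\w+)\s+roles\s+(?:\{[^}]*\}|\w+)\s+level\s+(\S+)\s+range\s+(.+?)\s*;")
GENFSCON_RE = re.compile(r"^genfscon\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def check_policy(lines):
    """Return (fs, path, user, mls) for each genfscon whose MLS part falls outside
    the declared range of the user in its context."""
    users = {}
    violations = []
    for line in lines:
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = parse_range(m.group(3))
            continue
        m = GENFSCON_RE.match(line)
        if m:
            user, _role, _type, mls = m.group(3).split(":", 3)
            if user in users and not range_within(parse_range(mls), users[user]):
                violations.append((m.group(1), m.group(2), user, mls))
    return violations


# Constructed sample policy; the first user and first genfscon echo the thread.
SAMPLE_POLICY = """
user added_user roles system level s1 range s1;
user system_u roles system level s0 range s0 - s3:c0.c3;
genfscon added_genfs / added_user:object_r:system:s0
genfscon proc / system_u:object_r:system:s1:c0.c2
genfscon sysfs / system_u:object_r:system:s3:c0.c5
"""

if __name__ == "__main__":
    for fs, path, user, mls in check_policy(SAMPLE_POLICY.splitlines()):
        print(f"genfscon {fs} {path}: level {mls} is outside the range of user {user}")
```

Run as a script it flags the `added_genfs` line from the thread (s0 is below the user's single-level range s1) and the constructed `sysfs` line (c5 is outside `c0.c3`), while the `proc` line passes because s1:c0.c2 sits inside s0 - s3:c0.c3. Note that `range_within` checks both ends of the object's range; a context written as a single level is treated as a range whose low and high coincide, which is what the kernel does with such contexts too.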