MCS Max Number of Category Element Comparisons?

Stephen Smalley sds at tycho.nsa.gov
Mon Aug 17 11:29:11 UTC 2009


On Fri, 2009-08-14 at 13:30 -0700, Sam Marshall wrote:
> Hi,
>  
> In FC11, is there a limit to the number of category elements that can
> be compared to make access decisions using MCS? My understanding is
> that up to 1024 categories can be assigned in setrans.conf, however,
> only six or fewer categories can be used for comparison to make
> access decisions.
>  
> For example, when I assign a login user to 7 categories (e.g., s:0,
> c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same
> category numbers, permission is denied if the user tries to cat out
> the file (Unix DACL permissions allow the user read access).
>  
> When I assign fewer than 7 of the exact same categories to the file and
> user, the user can open the file.
>  
> I've tried using ranges (c2.c5, c10.c18, etc.), and found that there
> appears to be a four-element limitation with the range notation.
>  
> Does this sound right?

No, that sounds like a bug.  Can you provide more specifics, please?
The following worked for me just fine:
# useradd foo
# passwd foo
# semanage login -a -s unconfined_u -r s0-s0:c0,c1,c2,c5,c8,c11,c12,c19 foo
# ssh -l foo localhost
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c2,c5,c8,c11,c12,c19
$ echo hello > foo
$ chcon -l s0:c0.c2,c5,c8,c11,c12,c19 foo
$ cat foo
hello

-- 
Stephen Smalley
National Security Agency
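As an added illustration (not part of the thread, and not Fedora's or the kernel's code), a small Python model of how MCS compares category sets: it expands the cX.cY range notation that `id -Z` prints, parses a low-high range like the one given to `semanage login -r`, and performs the dominance check, which is a plain superset test with no limit on how many categories take part. It assumes the MCS constraint in Fedora's policy that the subject's high level must dominate the file's level for a read; the sample levels are constructed.

```python
import re

_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
MAX_CATEGORY = 1023  # MCS policy defines c0..c1023, i.e. 1024 categories


def parse_level(level):
    """Parse an MCS level such as 's0:c0.c2,c5,c8' into (sensitivity, categories).

    'cX.cY' is range notation and expands to every category from X to Y
    inclusive; that is why 'id -Z' prints c0,c1,c2 as c0.c2.
    """
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        cm = _CAT.match(item)
        if not cm:
            raise ValueError(f"bad category element: {item!r}")
        lo = int(cm.group(1))
        hi = int(cm.group(2)) if cm.group(2) else lo
        if not (0 <= lo <= hi <= MAX_CATEGORY):
            raise ValueError(f"category range out of order or out of bounds: {item!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)


def parse_range(context_range):
    """Parse 'low-high' (e.g. 's0-s0:c0,c1'); a bare level means low == high."""
    low, _, high = context_range.partition("-")
    return parse_level(low), parse_level(high or low)


def range_from_context(context):
    """Extract the MCS range from a full context like user:role:type:s0-s0:c0.c2."""
    return context.split(":", 3)[3]


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def can_read(user_range, file_level):
    """MCS read rule (assumed from Fedora's policy): user's high level must dominate the file.

    The category sets are compared whole, so seven, eight or a thousand categories
    behave exactly like one; a denial with many categories points at a mislabel, not a cap.
    """
    _, high = parse_range(user_range)
    return dominates(high, parse_level(file_level))
```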