More MCS
Gene Czarcinski
gene at czarc.net
Mon Oct 31 22:04:01 UTC 2005
On Monday 31 October 2005 15:06, Stephen Smalley wrote:
> On Mon, 2005-10-31 at 14:49 -0500, Gene Czarcinski wrote:
> > I tried setting a category on a directory in /tmp and then (with touch)
> > creating a file under that directory. So far so good.
> >
> > I then ssh'ed into the system as another user which does not have those
> > categories defined in seusers. This user could access the file. This
> > sounds like a bug to me.
>
> Looks like the MCS constraints (as defined in policy/mcs) only constrain
> access to files, not directories, presently (and this is noted in a
> comment in that file, so it seems to be intentional). They do appear to
> work correctly for files. Use of categories on directories doesn't seem
> to be supported at present under MCS.
Yes, files work but not directories ... this is not intuitive (not expected).
>
> > Also, is there a way that a category value can be propagated to all
> > files/directories below it?
>
> Hmmm...the current MLS logic inherits from the process'
> effective/current/low level rather than from the parent directory.
Whether MCS or MLS, if a user without the category/compartment can "blast
through" the directory, this will be unexpected behavior.
Gene
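As an added illustration (not from the thread, and not Fedora's policy/mcs), here is a small Python model of the two points Stephen raises: MCS constraints are evaluated only for file classes, not directories, and a newly created file takes the creating process's level rather than the parent directory's. The constrained-class set is an assumption that approximates the policy of the time.

```python
# Added illustrative model of the MCS behaviour discussed in the thread. It is
# not Fedora's policy/mcs; the constrained-class set below is an assumption
# that approximates it, and "dir" is deliberately left out, as the thread says.
from dataclasses import dataclass

CONSTRAINED_CLASSES = frozenset({"file", "lnk_file", "fifo_file", "sock_file"})


@dataclass(frozen=True)
class Level:
    """An MCS level: sensitivity is always s0, so only categories matter."""
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # "h1 dom h2" in MCS reduces to a superset test on the category sets.
        return self.categories >= other.categories


@dataclass(frozen=True)
class Obj:
    cls: str
    level: Level


def mcs_allows(subject: Level, obj: Obj) -> bool:
    """MCS constraint check: only constrained classes are tested at all."""
    if obj.cls not in CONSTRAINED_CLASSES:
        return True  # e.g. a directory: its categories are never enforced
    return subject.dominates(obj.level)


def create_under(parent: Obj, creator: Level, cls: str) -> Obj:
    """New objects take the creating process's level; `parent` is ignored on
    purpose, because the parent directory's categories are not inherited."""
    return Obj(cls, creator)


def scenario() -> dict:
    """Constructed replay of the thread: c0 on a /tmp dir, touch a file there,
    then a second user whose login carries no categories tries to access."""
    c0 = Level(frozenset({"c0"}))
    no_cats = Level()
    tmpdir = Obj("dir", c0)                             # category set on the directory
    touched = create_under(tmpdir, no_cats, "file")     # touch by a process without c0
    labelled = Obj("file", c0)                          # a file explicitly given c0
    return {
        "other_user_enters_dir": mcs_allows(no_cats, tmpdir),        # True
        "touched_file_got_c0": "c0" in touched.level.categories,     # False
        "other_user_reads_touched": mcs_allows(no_cats, touched),    # True
        "other_user_reads_labelled": mcs_allows(no_cats, labelled),  # False
    }
```

The last entry shows the case Stephen describes as working: a file that actually carries c0 is refused to a subject without it.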