List: selinux
Subject: mls constraints on adding files to directories
From: "Clarkson, Mike R (US SSA)" <mike.clarkson () baesystems ! com>
Date: 2007-06-25 18:54:55
Message-ID: FB39F4E77226B448BC1388D3BE4E00CD01DBFA97 () blums0008 ! bluelnk ! net
I think that I'm misunderstanding the mls constraints on adding files to
directories.
I thought that the following constraint would prevent adding a file at a
higher security level than the directory, unless the domain of the
writing process had been given the mlsfilewritetoclr attribute, or the
directory type had been given the mlstrustedobject attribute:
mlsconstrain dir { add_name remove_name reparent rmdir }
    ((( l1 dom l2 ) and ( l1 domby h2 )) or
     (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
     ( t1 == mlsfilewrite ) or
     ( t2 == mlstrustedobject ));
However, I can use runcon to create a file at a higher level than the
directory. For example, I can do the following:
> runcon -l s3 touch /m2ds/import/datasources/inputBuffer/U/temp
> ls -Z /m2ds/import/datasources/inputBuffer/U/temp
-rw-r--r--  root root  root:object_r:import_datasources_t:s3  /m2ds/import/datasources/inputBuffer/U/temp
> ls -dZ /m2ds/import/datasources/inputBuffer/U
drwxrwxr-x  root m252  system_u:object_r:import_datasources_t:s1  /m2ds/import/datasources/inputBuffer/U
I'm able to do this with the policy in Enforcing mode.
So what is this mlsconstrain statement doing?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
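As an added worked example (editor's code, not part of the original message or of any SELinux policy source), the following Python evaluates the quoted mlsconstrain expression clause by clause against the contexts shown above: a process at s3 (runcon -l s3 gives l1 = h1 = s3) adding a name to a directory at s1. The function and variable names are hypothetical, and the type-attribute sets are passed in as inputs because the mail does not show which attributes the caller's domain or import_datasources_t carry; the evaluator also handles ranges and categories (e.g. s0-s3:c0.c2), which the mail's single-level labels do not exercise.

```python
def parse_level(level):
    """Parse an MLS level such as 's3' or 's2:c0.c3,c7' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                      # category range, e.g. c0.c3
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(rng):
    """'s3' -> (s3, s3); 's0-s3:c0.c2' -> (s0, s3:c0.c2). Returns (low, high)."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dom(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_dir_write_allowed(proc_range, proc_attrs, dir_range, dir_attrs):
    """Evaluate the quoted 'mlsconstrain dir { add_name ... }' expression.

    l1/h1 are the process (source) low/high levels, l2/h2 the directory's;
    'x domby y' is written here as dom(y, x). Returns (allowed, per-clause results).
    """
    l1, h1 = parse_range(proc_range)
    l2, h2 = parse_range(dir_range)
    clauses = {
        "l1 dom l2 and l1 domby h2": dom(l1, l2) and dom(h2, l1),
        "t1 == mlsfilewritetoclr and h1 dom l2 and l1 domby l2":
            "mlsfilewritetoclr" in proc_attrs and dom(h1, l2) and dom(l2, l1),
        "t1 == mlsfilewrite": "mlsfilewrite" in proc_attrs,
        "t2 == mlstrustedobject": "mlstrustedobject" in dir_attrs,
    }
    return any(clauses.values()), clauses


if __name__ == "__main__":
    # The case from the mail: process at s3, directory at s1, no attributes assumed.
    allowed, why = mls_dir_write_allowed("s3", set(), "s1", set())
    for clause, result in why.items():
        print(f"{result!s:5} {clause}")
    print("allowed by constraint:", allowed)
```

With no attributes on either type every clause is false, so the constraint alone would deny the add_name shown in the mail; it can only pass if the writing domain carries mlsfilewrite or mlsfilewritetoclr, or the directory type carries mlstrustedobject.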