SELinux Mailing List
RE: help with an avc denial
From: Clarkson, Mike R (US SSA) <mike.clarkson_at_baesystems.com>
Date: Fri, 14 Dec 2007 14:01:17 -0800
> -----Original Message-----

OK. My problem was that I had a range transition rule that specified a range for the file. Enforcing that files are single level eliminates the ability to use mlsrangedobject on them, which is applied via the mls_file_writable_within_range interface in mls.if (poorly named given that it can't work on ordinary files). I've used this for directories before but not files I guess. It's similar to mlstrustedobject, except that it can be applied to a range rather than all levels as mlstrustedobject does.

Is there a good reason for forcing files to be at a single level? My thought was that for certain audit logs (or other files for that matter), I may want to enforce that only processes within a certain range be allowed to write to those files. Mlstrustedobject provides that capability, except that the following mls constraint eliminates it for ordinary files, symbolic links, and pipes:

# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 );
Received on Fri 14 Dec 2007 - 17:01:46 EST
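
The constraint quoted in the message above, modelled in Python as an added example (not part of the original post and not SELinux code): it parses the MLS range of a target context and evaluates `l2 eq h2` for the classes and permissions the rule names. The context strings and the type name `example_log_t` are constructed for illustration.

```python
import re

# Classes and permissions named by the quoted "single level" constraint.
SINGLE_LEVEL_CLASSES = {"file", "lnk_file", "fifo_file"}
SINGLE_LEVEL_PERMS = {"create", "relabelto"}

def parse_level(text):
    """Parse a level such as 's2:c0.c3,c7' into (sensitivity, category set)."""
    sens, _, cats = text.strip().partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {text!r}")
    members = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category in {text!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        members.update(range(lo, hi + 1))  # 'c0.c3' is the span c0..c3
    return int(sens[1:]), frozenset(members)

def parse_range(context):
    """Return (low, high) levels from 'user:role:type:low[-high]'."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)

def single_level_ok(tclass, perm, target_context):
    """Evaluate the quoted rule: l2 eq h2 on the target (object) context."""
    if tclass not in SINGLE_LEVEL_CLASSES or perm not in SINGLE_LEVEL_PERMS:
        return True  # this particular constraint does not apply
    l2, h2 = parse_range(target_context)
    return l2 == h2  # same sensitivity and same category set

# Constructed sample contexts (not taken from the thread).
RANGED = "system_u:object_r:example_log_t:s2-s4:c0.c3"
SINGLE = "system_u:object_r:example_log_t:s2:c0.c3-s2:c0,c1,c2,c3"

if __name__ == "__main__":
    for tclass, ctx in [("file", RANGED), ("dir", RANGED), ("file", SINGLE)]:
        verdict = "allowed" if single_level_ok(tclass, "create", ctx) else "denied"
        print(f"create {tclass:4} {ctx}: {verdict}")
```
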
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009