-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 02/20/2011 09:47 PM, Scott Gifford wrote:
On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift domg472@gmail.com wrote:
On 02/20/2011 05:59 PM, Dominick Grift wrote:
On 02/20/2011 06:31 AM, Scott Gifford wrote:
[ ... ]
OK, so I have started experimenting with this, but /proc is not behaving how I expect so far.
So I open up two shells. In the first I run:
runcon -l s0-s0:c0,c1 bash
and in the second:
runcon -l s0-s0:c0,c2 bash
So both should have access to c1, but only the first will have access to c1 and only the second will have access to c2.
Above I meant to say "both should have access to c0". [ ... ]
shell1$ id -Z
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ ls -lZ /proc/10961/maps
-r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
shell1$ head -1 /proc/10961/maps
002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
from /policy/mcs:
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained.
so that explains the above
Ah, yes it does, thanks! I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?
No, not hardcoded. This is just configuration (policy) you can define your own constraints, or modify existing ones.
-------Scott.
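The check the thread is circling around, as an added example (not code from this thread, from refpolicy, or from the SELinux project): a small Python model of the MCS rule that the subject's high level must dominate the object's high level ("h1 dom h2"), with the two exemptions the quoted policy/mcs note lists. The context parser, the SHELL1/SHELL2/file contexts, and the use of a `domain_types` set to stand in for the "/proc/pid operations are not constrained" exemption are this example's own assumptions, not the actual constraint text; the latter is justified only by the thread's `ls -lZ` output, which shows /proc/10961/maps carrying the process's own unconfined_t label.

```python
import re
from dataclasses import dataclass

# Example code, not from the thread or from refpolicy. The two contexts are
# constructed to match the shells in the thread (c0,c1 and c0,c2), written
# in the range form that "runcon -l s0-s0:c0,c1" produces.
SHELL1 = "user_u:system_r:unconfined_t:s0-s0:c0,c1"
SHELL2 = "user_u:system_r:unconfined_t:s0-s0:c0,c2"


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity plus a set of categories."""
    sensitivity: int
    categories: frozenset


def dominates(a, b):
    """MLS dominance: a dom b iff a's sensitivity >= b's and a's category set
    is a superset of b's. With a single sensitivity (s0), as in MCS, this
    reduces to the category superset test."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


def parse_categories(spec):
    """'c0,c1' -> {0, 1}; 'c0.c5,c8' -> {0..5, 8}; None or '' -> empty set."""
    cats = set()
    for part in (spec or "").split(","):
        if not part:
            continue
        if "." in part:                      # 'c0.c5' is a closed range
            lo, hi = (int(c[1:]) for c in part.split("."))
            if lo > hi:
                raise ValueError(f"bad category range: {part!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


_LEVEL = re.compile(r"s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?")


def parse_level(spec):
    """'s0' or 's0:c0,c1' -> Level."""
    m = _LEVEL.fullmatch(spec)
    if not m:
        raise ValueError(f"bad level: {spec!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2)))


def parse_context(ctx):
    """'user_u:system_r:unconfined_t:s0-s0:c0,c1' -> (user, role, type, low, high).
    A single level such as 's0:c0' is treated as the range low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high level must dominate low level: {mls!r}")
    return user, role, typ, lo, hi


def mcs_allows(subject_ctx, object_ctx, perm,
               domain_types=frozenset({"unconfined_t"})):
    """Would the MCS constraint let subject perform perm on object?

    Exemptions mirror the policy/mcs note quoted in the thread:
      - getattr is never constrained;
      - /proc/<pid> files are not constrained. They carry the process's own
        label, so this example models that case as "object type is a process
        domain type" (domain_types). That modelling is an assumption of this
        example, not refpolicy's constraint text.
    Everything else: the subject's high level must dominate the object's.
    """
    *_, s_hi = parse_context(subject_ctx)
    _, _, o_type, _, o_hi = parse_context(object_ctx)
    if perm == "getattr" or o_type in domain_types:
        return True
    return dominates(s_hi, o_hi)


if __name__ == "__main__":
    home_c2 = "user_u:object_r:user_home_t:s0:c0,c2"      # constructed file label
    print(mcs_allows(SHELL1, home_c2, "read"))   # False: c0,c1 does not cover c2
    print(mcs_allows(SHELL1, SHELL2, "read"))    # True: /proc/<pid> is exempt
```

On a real MCS-enabled box the same two `runcon -l` shells from the thread are the check: a regular file labelled c0,c2 should be unreadable from the c0,c1 shell, while /proc/<pid>/maps of the c0,c2 shell stays readable, which is exactly the difference the model above encodes.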