On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift domg472@gmail.com wrote:
On 02/20/2011 05:59 PM, Dominick Grift wrote:
On 02/20/2011 06:31 AM, Scott Gifford wrote:
[ ... ]
OK, so I have started experimenting with this, but /proc is not behaving how I expect so far.
So I open up two shells. In the first I run:
runcon -l s0-s0:c0,c1 bash
and in the second:
runcon -l s0-s0:c0,c2 bash
So both should have access to c1, but only the first will have access to c1 and only the second will have access to c2.
Above I meant to say "both should have access to c0". [ ... ]
shell1$ *id -Z*
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ *ls -lZ /proc/10961/maps*
-r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
shell1$ *head -1 /proc/10961/maps*
002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
from /policy/mcs:
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained.
so that explains the above
Ah, yes it does, thanks! I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?
-------Scott.
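As an added illustration (not code from this thread or from the reference policy), the check the mcs policy's file-read constraint applies is the MLS/MCS dominance test: the subject's high level must dominate the file's level (h1 dom h2). The script below parses the contexts shown in the session above and evaluates that test; the /proc/pid exemption from the quoted policy comment is modelled as a simple path check, which is an assumption about form, not the policy's real mechanism.

```python
import re

def parse_level(level):
    """Parse one MCS level ('s0', 's0:c0,c1', 's0:c0.c3') into (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                       # 'c0.c3' means the category range c0..c3
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)

def parse_context(ctx):
    """Split 'user:role:type:range' into (type, low level, high level).

    The id -Z / ls -lZ output in the thread shows a stray '-' before s0
    (e.g. 'unconfined_t:-s0:c0,c1'); it is dropped so those lines still parse."""
    _user, _role, type_, rng = ctx.split(":", 3)
    low, _, high = rng.lstrip("-").partition("-")
    return type_, parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dom b: a's sensitivity >= b's and a's category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_read_allowed(subject_ctx, file_ctx, path):
    """Model of the mcs file-read constraint: subject high level must dominate the file level.

    The /proc/<pid> exemption is modelled as a path check here (a simplification
    for illustration; the real policy does not express it this way)."""
    if re.match(r"/proc/\d+(/|$)", path):
        return True
    _, _, h1 = parse_context(subject_ctx)
    _, _, h2 = parse_context(file_ctx)
    return dominates(h1, h2)

if __name__ == "__main__":
    shell1 = "user_u:system_r:unconfined_t:s0-s0:c0,c1"          # shell1's context from the thread
    shell2_proc = "user_u:system_r:unconfined_t:-s0:c0,c2"       # label ls -lZ showed on /proc/10961/maps
    print(mcs_read_allowed(shell1, shell2_proc, "/proc/10961/maps"))  # True: /proc/pid is exempt
    print(mcs_read_allowed(shell1, shell2_proc, "/tmp/maps-copy"))    # False: c2 is not in {c0,c1}
```

The second call shows what the constraint would do to the same label on an ordinary file: c0,c1 does not dominate c0,c2, so the read would be denied there.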