-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2011 05:59 PM, Dominick Grift wrote:
> On 02/20/2011 06:31 AM, Scott Gifford wrote:

[ ... ]

>> OK, so I have started experimenting with this, but /proc is not behaving how
>> I expect so far.
>
>> So I open up two shells. In the first I run:
>
>> runcon -l s0-s0:c0,c1 bash
>
>
>> and in the second:
>
>> runcon -l s0-s0:c0,c2 bash
>
>
>> So both should have access to c1, but only the first will have access to c1
>> and only the second will have access to c2.

Above I meant to say "both should have access to c0".

[ ... ]

>> shell1$ *id -Z*
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ *ls -lZ /proc/10961/maps*
>> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
>> /proc/10961/maps
>> shell1$ *head -1 /proc/10961/maps*
>> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
>
> from /policy/mcs:
>
> # Note:
> # - getattr on dirs/files is not constrained.
> # - /proc/pid operations are not constrained.
>
> so that explains the above

Ah, yes it does, thanks! I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?

-------Scott.