On Sun, Feb 20, 2011 at 4:05 PM, Dominick Grift domg472@gmail.com wrote:
On 02/20/2011 09:47 PM, Scott Gifford wrote:
On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift domg472@gmail.com wrote:
[ ... ]
from /policy/mcs:
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained.
so that explains the above
Ah, yes it does, thanks! I wonder if I can adjust this policy to get different behavior, or if it's hardcoded somewhere outside the policy?
No, not hardcoded. This is just configuration (policy): you can define your own constraints, or modify existing ones.
OK, I think I've got this. I removed the "or ( t2 == domain )" from these rules in policy/mcs:
- - mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } - (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); - - mlsconstrain file { read } - (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
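Review bot: in both removed constraint lines, `( t2 == domain )` is the clause behind the policy/mcs comment quoted above ("/proc/pid operations are not constrained"), since entries under /proc/<pid> carry the owning process's domain type; deleting it means a process whose level does not dominate a target process's categories is denied dir search/getattr/read and file read on that target's /proc entries unless its own type is mlsfileread. If constraining /proc/<pid> is the intent that is fine, but check that processes running without those categories (system services at plain s0, for instance) can still inspect the category-carrying processes they need to; if not, a narrower exemption in place of the clause is preferable to dropping it outright.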
and I seem to be getting the behavior I want. Anybody see any risks or downsides to this?
For long-term maintenance, it looks like I can't override this in my own module, I will need to patch the base policy, maybe by adding another patch to the serefpolicy-2.4.6 RPM specfile and maintaining this by hand? Is there a better way to maintain customizations to the base policy?
I think I can automatically generate a unique category set from a PID by using two MCS categories to represent each bit of the PID, the first for a 0-bit and the second for a 1-bit. That will take 32 categories for a 16-bit PID, which seems reasonable.
Thanks for the help!
-----Scott.
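As an added example (mine, not code from the thread), the PID-to-category scheme described above, with the `h1 dom h2` superset check showing why two distinct PIDs never dominate each other. The 16-bit width and all function names are assumptions.

```python
"""Added example (not from the thread): derive a unique MCS category set from a PID.

Scheme from the post: two categories per PID bit, the first for a 0-bit and the
second for a 1-bit, so a 16-bit PID uses 32 categories and any two distinct PIDs
get category sets neither of which dominates the other.
"""
PID_BITS = 16  # assumption: PIDs fit in 16 bits, as in the post


def pid_to_categories(pid: int, bits: int = PID_BITS) -> frozenset:
    """Return the MCS category numbers encoding `pid`.

    Bit i of the PID selects category 2*i when clear and 2*i+1 when set,
    so exactly one category from each pair is present.
    """
    if not 0 <= pid < (1 << bits):
        raise ValueError(f"pid {pid} does not fit in {bits} bits")
    return frozenset(2 * i + ((pid >> i) & 1) for i in range(bits))


def categories_to_pid(cats: frozenset, bits: int = PID_BITS) -> int:
    """Inverse mapping; raises if the set is not a well-formed encoding."""
    pid = 0
    for i in range(bits):
        zero, one = 2 * i, 2 * i + 1
        if (zero in cats) == (one in cats):
            raise ValueError(f"bit {i}: exactly one of c{zero}/c{one} must be present")
        if one in cats:
            pid |= 1 << i
    return pid


def mcs_level(pid: int, sensitivity: str = "s0") -> str:
    """Format as an MCS level string, e.g. 's0:c1,c3,c4,...'."""
    cats = ",".join(f"c{c}" for c in sorted(pid_to_categories(pid)))
    return f"{sensitivity}:{cats}"


def dominates(h1: frozenset, h2: frozenset) -> bool:
    """MCS 'h1 dom h2' at equal sensitivity: h1's categories are a superset of h2's.

    This is the test the modified mlsconstrain rules fall back on once the
    '( t2 == domain )' exemption is removed.
    """
    return h1 >= h2


if __name__ == "__main__":
    a, b = pid_to_categories(0x1234), pid_to_categories(0x1235)
    print(mcs_level(0x1234))
    print("neither dominates:", not dominates(a, b) and not dominates(b, a))
```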