2011-02-15 02:40:07

by harrytaurus2002

Subject: [refpolicy] l1 domby l2 for contains MLS constraint


Hi Chris,

With help from Stephen Smalley I think we should take into consideration a user's low MLS level for the constraint for the contains permission of the context class, so that mls_systemlow is no longer regarded as contained in mls_systemhigh.

With the attached patch the compute_av command could yield the expected result now:

[root/sysadm_r/s0 at QtCao ~]# compute_av root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
allowed= { contains }
[root/sysadm_r/s0 at QtCao ~]#
[root/sysadm_r/s0 at QtCao ~]# compute_av root:sysadm_r:sysadm_t:s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
allowed= null
[root/sysadm_r/s0 at QtCao ~]#

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-l1-domby-l2-for-contains-MLS-constraint.patch
Type: text/x-patch
Size: 946 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110215/725be1db/attachment-0001.bin
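
A small model of the check discussed in this message, added here as an illustration; it is not the attached patch or refpolicy code. It assumes the contains constraint already compared high levels (h1 dom h2) and that the patch adds l1 domby l2, as the subject line suggests; the constraint text itself is not shown in the thread, and the function names are hypothetical.

```python
# Toy model of SELinux MLS dominance for the "context contains" check.
# Assumption: pre-patch constraint is (h1 dom h2); patched is (h1 dom h2) and (l1 domby l2).

def parse_level(text):
    """'s15:c0.c1023' -> (15, frozenset of category numbers)."""
    sens, _, cats = text.partition(":")
    members = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")        # 'c0.c1023' is an inclusive run
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        members.update(range(first, last + 1))
    return int(sens[1:]), frozenset(members)

def parse_range(context):
    """Return (low, high) from user:role:type:range; a single level means low == high."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)

def dom(a, b):
    """a dominates b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def domby(a, b):
    """a is dominated by b."""
    return dom(b, a)

def contains_high_only(source, target):
    """Assumed pre-patch form: only the high levels are compared."""
    (_, h1), (_, h2) = parse_range(source), parse_range(target)
    return dom(h1, h2)

def contains_with_low(source, target):
    """Assumed patched form: the source's low level must also be dominated by the target's."""
    (l1, h1), (l2, h2) = parse_range(source), parse_range(target)
    return dom(h1, h2) and domby(l1, l2)

# Contexts taken from the compute_av session in the message above.
RANGED = "root:sysadm_r:sysadm_t:s0-s15:c0.c1023"
HIGH_ONLY = "root:sysadm_r:sysadm_t:s15:c0.c1023"
LOW = "root:sysadm_r:sysadm_t:s0"

if __name__ == "__main__":
    for src in (RANGED, HIGH_ONLY):
        print(src, "->", LOW, "| high-only:", contains_high_only(src, LOW),
              "| with low:", contains_with_low(src, LOW))
```

Under the high-only form both source contexts are treated as containing s0; with the low-level term only the s0-s15:c0.c1023 range does, which matches the two compute_av results quoted in the message.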


2011-02-16 15:09:39

by cpebenito

Subject: [refpolicy] l1 domby l2 for contains MLS constraint

On 02/14/11 21:40, HarryCiao wrote:
> Hi Chris,
>
> With help from Stephen Smalley I think we should take into consideration
> a user's low MLS level for the constraint for the contains permission
> of the context class, so that mls_systemlow is no longer regarded as
> contained in mls_systemhigh.
>
> With the attached patch the compute_av command could yield the expected
> result now:
>
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= { contains }
> [root/sysadm_r/s0 at QtCao ~]#
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= null
> [root/sysadm_r/s0 at QtCao ~]#

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com