From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 2 Feb 2012 10:23:13 -0500
Subject: [refpolicy] MLS file upgrade
In-Reply-To: <4F29E259.60205@nps.edu>
References: <4F29E259.60205@nps.edu>
Message-ID: <4F2AAA61.3090304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/01/12 20:09, Paul Clark wrote:
> I want to change the MLS policy to allow any process to upgrade a file or directory, but I'm currently failing on an "easy" first step with a "relabelfrom" error.
>
> I'm using Fedora 13 and selinux-policy-3.7.19-101.fc13.src.rpm.
>
> I did *not* change the mlsconstrain rule that deals with relabelfrom because I think it should still work.
>
> My test file has the same type that chcon runs with (user_t), and I'm simply trying to change the level from s0 to s1 by doing the following:
> chcon -l s1 testfile

Can you clarify this? It sounds like you're saying that your file is labeled user_t. If that's the case, then it's a regular TE problem, as user_t isn't a file type, so you can't relabel it.

> I changed the mlsvalidatetrans statement for "dir" and "file" so that the first line was changed from
> ((( l1 eq l2 ) or
> to
> ((( l1 domby l2 ) or
>
> Any obvious problems or suggestions?
>
> Another approach would be to also give all domains the "mlsfileupgrade" attribute. Because my test process was running with user_t, I added:
> mls_file_upgrade(user_t)
> to modules/admin/usermanage.te, but there was no change in the error.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
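
The effect of the quoted first-clause change on the s0 to s1 relabel, as an added example that is not part of the original message or of the reference policy: a simplified Python model of the `l1 eq l2` versus `l1 domby l2` comparison, where l1 is the file's old low level and l2 its new one. The function names are hypothetical, and the remaining clauses of the mlsvalidatetrans statement and all TE checks are deliberately not modelled.

```python
import re

def parse_level(text):
    """Parse an MLS level such as 's1' or 's1:c0.c3,c7' into (sens, categories)."""
    sens, sep, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m or (sep and not cats):
        raise ValueError(f"malformed level: {text!r}")
    categories = set()
    for part in cats.split(",") if cats else []:
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or range 'c0.c3'
        if not r:
            raise ValueError(f"malformed category in {text!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range in {text!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def level_eq(a, b):
    # Same sensitivity and exactly the same category set.
    return a == b

def level_domby(a, b):
    # a is dominated by b: sensitivity no higher, categories a subset of b's.
    return a[0] <= b[0] and a[1] <= b[1]

OPERATORS = {"eq": level_eq, "domby": level_domby}

def first_clause(old_level, new_level, op):
    """Evaluate only the first clause, '( l1 <op> l2 )', for a file relabel."""
    return OPERATORS[op](parse_level(old_level), parse_level(new_level))

if __name__ == "__main__":
    # Constructed sample relabels (old level -> new level).
    samples = [("s0", "s1"), ("s1", "s0"),
               ("s0:c1", "s1:c2"), ("s0:c0.c3", "s1:c0.c5")]
    for old, new in samples:
        print(f"{old:>10} -> {new:<10} "
              f"eq={first_clause(old, new, 'eq')!s:<5} "
              f"domby={first_clause(old, new, 'domby')}")
```

With `domby`, an upgrade passes this clause only when the new level's categories include the old ones; a downgrade or an incomparable category set fails it under either operator.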