From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 Aug 2016 18:46:10 -0400
Subject: [refpolicy] Enforcing MLS policy and rescue mode
In-Reply-To: <e8c501bb-67dc-758f-e2ab-ca44fdf2ccc0@redhat.com>
References: <e8c501bb-67dc-758f-e2ab-ca44fdf2ccc0@redhat.com>
Message-ID: <a518a079-243c-2efb-0f55-16e1fd5af273@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
> Hi,
>
> I'm facing issue on RHEL7 with mls policy and enforcing state. System
> not reacting after booting to rescue mode. Issue here is missing
> transition rule where sulogin_t domain with s15:c0.c1023 trying to
> transition to sysadm_t with s0-s15:c0.c1023. I don't think that we want
> allow this.
>
> On the other hand question is, if enforced MLS policy is supported in
> rescue mode?

It should be supported, even if it doesn't work right now.  I believe 
sulogin_t should probably have the same MLS range as local_login_t, as 
they're of equivalent MLS sensitivity.  With that in place, the 
transition to sysadm_t should be allowed, regardless of the change of range.

-- 
Chris PeBenito