From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 31 Aug 2016 18:46:10 -0400 Subject: [refpolicy] Enforcing MLS policy and rescue mode In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote: > Hi, > > I'm facing issue on RHEL7 with mls policy and enforcing state. System > not reacting after booting to rescue mode. Issue here is missing > transition rule where sulogin_t domain with s15:c0.c1023 trying to > transition to sysadm_t with s0-s15:c0.c1023. I don't think that we want > allow this. > > On the other hand question is, if enforced MLS policy is supported in > rescue mode? It should be supported, even if it doesn't work right now. I believe sulogin_t should probably have the same MLS range as local_login_t, as they're of equivalent MLS sensitivity. With that in place, the transition to sysadm_t should be allowed, regardless of the change of range. -- Chris PeBenito