From: lvrabec@redhat.com (Lukas Vrabec)
Date: Fri, 2 Sep 2016 10:43:50 +0200
Subject: [refpolicy] Enforcing MLS policy and rescue mode
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/01/2016 12:46 AM, Chris PeBenito wrote:
> On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
>> Hi,
>>
>> I'm facing an issue on RHEL7 with the MLS policy and enforcing state.
>> The system is not reacting after booting to rescue mode. The issue here
>> is a missing transition rule where the sulogin_t domain with
>> s15:c0.c1023 is trying to transition to sysadm_t with s0-s15:c0.c1023.
>> I don't think that we want to allow this.
>>
>> On the other hand, the question is whether enforced MLS policy is
>> supported in rescue mode?
>
> It should be supported, even if it doesn't work right now. I believe
> sulogin_t should probably have the same MLS range as local_login_t, as
> they're of equivalent MLS sensitivity. With that in place, the
> transition to sysadm_t should be allowed, regardless of the change of
> range.
>

Hi Chris,

I changed the MLS range of sulogin_t to be the same as local_login_t and
rescue mode started working.

Thank you for the help!
Lukas.

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
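
The two ranges quoted in the thread, compared level by level. This is an added example, not part of the original message or of refpolicy: it parses the MLS range syntax and shows that the sulogin_t context is a single level at s15:c0.c1023 while the sysadm_t range starts at s0, so the transition changes the low (current) level and leaves the high level unchanged. All function names are hypothetical.

```python
import re

def parse_level(text):
    """Parse one MLS level, e.g. 's15:c0.c1023', into (sensitivity, categories)."""
    sens, _, cats = text.strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or 'c0.c1023'
        if not c:
            raise ValueError(f"bad category set: {part!r}")
        first = int(c.group(1))
        last = int(c.group(2)) if c.group(2) else first
        if last < first:
            raise ValueError(f"descending category span: {part!r}")
        categories.update(range(first, last + 1))
    return int(m.group(1)), frozenset(categories)

def dominates(a, b):
    """True when level a has sensitivity >= b and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """Parse 'low-high', or a single level (low == high), into (low, high)."""
    low_text, sep, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if sep else low
    if not dominates(high, low):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high

def compare_ranges(source, target):
    """Report how the low and high levels of two MLS ranges relate."""
    (l1, h1), (l2, h2) = parse_range(source), parse_range(target)
    return {"low_equal": l1 == l2, "high_equal": h1 == h2,
            "source_low_dominates_target_low": dominates(l1, l2)}

if __name__ == "__main__":
    # The two ranges quoted in the thread: sulogin_t, then sysadm_t.
    print(compare_ranges("s15:c0.c1023", "s0-s15:c0.c1023"))
```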