We currently have code running on el6 that does an MLS dominance check by
calling security_compute_av_raw with the security object class
SECCLASS_CONTEXT and permission CONTEXT__CONTAINS, as you can see in the
Python code below. When I run this code on el6, s1 dominates s0; however, when
I run the same code on el7, s1 does not dominate s0. On both systems the
file read dominance check works as expected. Can anyone help me understand
why the context contains check does not work the same on both systems?

Ted

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

import selinux

# Look up the class/permission values from the loaded policy rather than hard-coding them.
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")
SECCLASS_FILE = selinux.string_to_security_class("file")
FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, "read")

# Raw (untranslated) contexts: same user/role/type, only the MLS level differs.
raw_con1 = "user_u:user_r:user_t:s1"
raw_con2 = "user_u:user_r:user_t:s0"

# Check 1: does con1 "contain" con2 via the context class?
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2,
                                         SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" %
              (raw_con1, raw_con2))
    if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:
    print("exception calling selinux.security_compute_av_raw: %s" % ex)

# Check 2: same pair, but asking for file read (the MLS read-down rule).
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2,
                                         SECCLASS_FILE, FILE__READ, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" %
              (raw_con1, raw_con2))
    if (avd.allowed & FILE__READ) == FILE__READ:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:
    print("exception calling selinux.security_compute_av_raw: %s" % ex)
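To cross-check what the MLS relations between two raw contexts look like independently of the policy loaded on either box, here is an added pure-Python implementation of level dominance and range containment (example code, not the poster's script and not libselinux). It evaluates the context strings locally and never consults the kernel or the loaded policy, so it cannot reproduce a policy-dependent AV decision; the range-containment convention used for "contains" (outer low dominated by inner low, outer high dominating inner high) is an assumption of this example.

```python
import re

# Constructed helper: MLS category item, either "c7" or a range "c0.c3".
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(text):
    """'s1:c0.c3,c7' -> (1, frozenset({0, 1, 2, 3, 7})); bare 's1' -> (1, frozenset())."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity: %r" % sens)
    catset = set()
    for item in filter(None, cats.split(",")):
        m = _CAT_RE.match(item)
        if not m:
            raise ValueError("bad category: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("bad category range: %r" % item)
        catset.update(range(lo, hi + 1))  # expand c0.c3 into {0, 1, 2, 3}
    return int(sens[1:]), frozenset(catset)


def parse_range(context):
    """Split the MLS field off a raw 'user:role:type:MLS' context; return (low, high) levels."""
    fields = context.split(":", 3)  # the MLS field may itself contain ':'
    if len(fields) < 4:
        raise ValueError("context has no MLS field: %r" % context)
    low, _, high = fields[3].partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)


def level_dom(a, b):
    """a dominates b: sensitivity >= and a's category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]  # set >= is the superset test


def level_relation(a, b):
    if a == b:
        return "eq"
    if level_dom(a, b):
        return "dom"
    if level_dom(b, a):
        return "domby"
    return "incomp"  # disjoint categories: neither dominates the other


def range_contains(outer, inner):
    """Assumed 'contains' rule: outer.low domby inner.low and outer.high dom inner.high."""
    return level_dom(inner[0], outer[0]) and level_dom(outer[1], inner[1])


def dominance_report(scon, tcon):
    s, t = parse_range(scon), parse_range(tcon)
    return {"low": level_relation(s[0], t[0]),
            "high": level_relation(s[1], t[1]),
            "contains": range_contains(s, t)}
```

For the poster's pair the report shows the levels dominating but the single-level range s1 not containing s0; a policy can grant or refuse the permission on different terms, so the kernel answer is still the one that counts.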