Understood, thanks.
On Mon, Sep 10, 2018 at 12:46 PM Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/10/2018 01:13 PM, Ted Toth wrote:
> > We currently have code running on el6 that does a MLS dominance check by
> > calling security_compute_av_raw with the security object class
> > SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as you can see in the
> > python code below. When I run this code on el6 s1 dominates s0 however
> > when I run the same code on el7 s1 does not dominate s0. On both systems
> > the file read dominance check works as expected. Can anyone help me
> > understand why the context contains check does not work the same on both
> > systems?
>
> That would depend entirely on how the constraint is written in the
> policy. I assume this is with the -mls policy on both? seinfo
> --constrain | grep -C1 context would show you the constraint in the
> kernel policy.
>
> Looks like refpolicy defines it as:
> mlsconstrain context contains
> (( h1 dom h2 ) and ( l1 domby l2));
>
> The 2nd part of the constraint was introduced by:
> commit 4c365f4a6a6f933dd13b0127e03f832c6a6cf8fc
> Author: Harry Ciao <qingtao....@windriver.com>
> Date: Tue Feb 15 10:16:32 2011 +0800
>
> l1 domby l2 for contains MLS constraint
>
> As identified by Stephan Smalley, the current MLS constraint for the
> contains permission of the context class should consider the current
> level of a user along with the clearance level so that mls_systemlow
> is no longer considered contained in mls_systemhigh.
>
> Signed-off-by: Harry Ciao <qingtao....@windriver.com>
>
> This was to prevent a user from logging in at a level below their
> authorized range, in the unusual scenario where the user's low level was
> not s0/systemlow.
>
> >
> > Ted
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> >
> > import selinux
> >
> > SECCLASS_CONTEXT = selinux.string_to_security_class("context")
> > CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT,
> "contains")
> > SECCLASS_FILE = selinux.string_to_security_class("file")
> > FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, "read")
> >
> > raw_con1 = "user_u:user_r:user_t:s1"
> > raw_con2 = "user_u:user_r:user_t:s0"
> >
> > avd = selinux.av_decision()
> > selinux.avc_reset()
> > try:
> > rc = selinux.security_compute_av_raw(raw_con1, raw_con2,
> > SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
> > if rc < 0:
> > print("selinux.security_compute_av_raw failed for %s %s" %
> > (raw_con1, raw_con2))
> > if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS:
> > print("%s dominates %s" % (raw_con1, raw_con2))
> > else:
> > print("%s does not dominate %s" % (raw_con1, raw_con2))
> > except OSError, ex:
> > print "exception calling selinux.security_compute_av_raw", ex
> >
> > avd = selinux.av_decision()
> > selinux.avc_reset()
> > try:
> > rc = selinux.security_compute_av_raw(raw_con1, raw_con2,
> > SECCLASS_FILE, FILE__READ, avd)
> > if rc < 0:
> > print("selinux.security_compute_av_raw failed for %s %s" %
> > (raw_con1, raw_con2))
> > if (avd.allowed & FILE__READ) == FILE__READ:
> > print("%s dominates %s" % (raw_con1, raw_con2))
> > else:
> > print("%s does not dominate %s" % (raw_con1, raw_con2))
> >
> > except OSError:
> > print "exception calling selinux.security_compute_av_raw", ex
> >
> >
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
> >
>
>
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
