Targeted/MCS feedback on F7

Bruno Wolff III bruno at wolff.to
Wed Jun 27 15:32:24 UTC 2007


I played around a bit with using MCS under the targeted policy and wanted to
provide some feedback.

Adding labels for context levels doesn't seem to work quite right.
For example:
[root at cerberus ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:sysadm_r:unconfined_t
[root at cerberus ~]# semanage translation -a -T test1 s0:c1
/etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
/etc/profile.d/lang.sh: line 49: /sbin/consoletype: Permission denied
basename: write error: Permission denied
basename: write error: Permission denied
env: /etc/init.d/mcstrans: Permission denied

I have to restart the mcstrans service to get the label names to show up.

Having the context type for new files include all of the labels is a pain.
While this is probably more safe from a forgetting to label a file
perspective, it ends up labelling a lot of files you aren't going to be
aware of. For example when I tried ending my experiment and took away access
to categories, I found that some of my gnome profile files had been labelled
with categories and I could no longer access them. I think some system updates
I did during the experiment also resulted in files being labelled with
categories as some of the gnome default files were inaccessible to me.

While trying to fix this I found that chcat doesn't seem to do recursive
labelling. While I could use find and xargs, a -r option would be nice.
However, instead of trying find and xargs I tried fixfiles instead. The
good and bad news is that fixfiles solved my immediate problem and the
files were relabelled without categories. However, that suggests that
if people are using MCS labelling and do a relabel of their system for
some reason, all of the category labels are going to be lost.
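One way to keep a relabel from silently discarding MCS categories is to inventory which files carry them first, so the levels can be re-applied afterwards; the same inventory also shows which desktop config files picked up categories without the user noticing. The script below is an added example, not part of the original post and not one of the policycoreutils tools it mentions. The listing embedded in it (paths, types and categories) is constructed for the example; feeding it the output of `find / -xdev -printf '%Z %p\n'` captured before running `fixfiles` is an assumption about how it would be used on a real system. It emits `chcon --range` commands (a real coreutils option) rather than chcat, which is this example's choice because it sets the whole level in one step.

```python
r"""Audit MCS category labels before a relabel (added example, not from the post).

Parses SELinux file contexts of the form user:role:type:level, where level is
an MLS sensitivity with optional MCS categories (e.g. s0:c1,c3.c5, where '.'
marks an inclusive range), and reports which paths carry categories so they
can be restored after `fixfiles` or `restorecon` has stripped them.  The
listing below is constructed for this example; on a real system feed the
script the output of
    find / -xdev -printf '%Z %p\n'
taken before the relabel (assumed usage).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in 'CONTEXT PATH' form, one entry per line.
SAMPLE_LISTING = """\
system_u:object_r:etc_t:s0 /etc/passwd
user_u:object_r:user_home_t:s0:c1 /home/bruno/.gconf/apps/panel/%gconf.xml
user_u:object_r:user_home_t:s0:c1,c3.c5 /home/bruno/.gnome2/session
user_u:object_r:user_home_t:s0 /home/bruno/notes.txt
user_u:object_r:user_home_t:s0:c1 /home/bruno/Documents/plan.odt
system_u:object_r:lib_t:s0:c7 /usr/lib/gnome-panel/libpanel-applet.so
"""


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def expand_categories(spec: str) -> frozenset:
    """Expand 'c1,c3.c5' into {1, 3, 4, 5}; an empty spec means no categories."""
    cats: Set[int] = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                        # cN.cM is an inclusive range
            lo, hi = (int(p[1:]) for p in part.split(".", 1))
            if lo > hi:
                raise ValueError(f"bad category range {part!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level; the level itself may contain ':' and '-'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a user:role:type:level context: {ctx!r}")
    user, role, typ, level = parts
    low = level.split("-", 1)[0]               # for an MLS range keep the low level
    sensitivity, _, catspec = low.partition(":")
    return Context(user, role, typ, sensitivity, expand_categories(catspec))


def files_with_categories(listing: str) -> Dict[str, Context]:
    """Map every path whose context carries MCS categories to its parsed context."""
    found: Dict[str, Context] = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        ctx_str, path = line.split(None, 1)
        ctx = parse_context(ctx_str)
        if ctx.categories:
            found[path] = ctx
    return found


def silently_labelled_configs(listing: str) -> List[str]:
    """Category-labelled paths under a dot-directory or that are dotfiles:
    the desktop config files that got labelled without the user noticing."""
    return sorted(p for p in files_with_categories(listing)
                  if any(part.startswith(".") for part in p.split("/")))


def level_string(ctx: Context) -> str:
    """Render the level as chcon accepts it, e.g. s0:c1,c3,c4,c5."""
    if not ctx.categories:
        return ctx.sensitivity
    return ctx.sensitivity + ":" + ",".join(f"c{n}" for n in sorted(ctx.categories))


def restore_commands(listing: str) -> List[str]:
    """One `chcon --range` per file to re-apply the level a relabel stripped."""
    return [f"chcon --range {level_string(c)} {shlex.quote(p)}"
            for p, c in sorted(files_with_categories(listing).items())]


if __name__ == "__main__":
    print("config files labelled with categories:")
    for path in silently_labelled_configs(SAMPLE_LISTING):
        print("  " + path)
    print("commands to restore levels after a relabel:")
    for cmd in restore_commands(SAMPLE_LISTING):
        print("  " + cmd)
```

Review the generated `chcon` lines before running them: the dotfile list is exactly the set of files whose categories were never meant to be there, so those entries are candidates to drop rather than restore.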

I think if I were going to use such a system, I would want to have a command
to set the default category labels to apply (and another to check what they
are set to). And I would want to make sure things like config files didn't
get labelled. Working at the shell level this wouldn't be a problem, but
if you are doing things from the desktop this would be harder to do.
Maybe there could be a new context for a user's config files and those wouldn't
get labelled the same as other files do by default.
