[redhat-lspp] mls constraint issue in the java_t domain

Paul Moore paul.moore at hp.com
Wed May 30 16:45:08 UTC 2007


On Tuesday, May 29 2007 6:42:54 pm Clarkson, Mike R (US SSA) wrote:
> I agree that using newrole would likely avoid this issue by relabeling
> the pty, but I'm really interested in understanding why providing
> the following two things doesn't satisfy the security monitor:
> 	allow java_t devpts_t:chr_file write;
> 	mls_file_write_down(java_t)
>
> I thought that because I have given the file write down privilege, I'd
> be able to write to the pty with a lower mls level. I'd like to be able
> to look at the audit log AVC messages and determine what rules are
> needed. I thought I was getting there, but this one has thrown me for a
> loop.
>
> Can anyone explain why the above two rules don't satisfy the security
> monitor with respect to the below AVC denial message?

Perhaps this is a stupid question, but do you still get the same AVC denial?
My experience has shown that it is not too uncommon to fix one denial only to
run into another, different denial.

Taking a quick look at the current MLS constraints and MLS reference policy
interfaces does back up the use of the mls_file_write_down() interface as giving
the correct override for chr_file:write.  What distro/policy are you using?
Is it possible that the MLS constraints/overrides are slightly different
(i.e. from an older snapshot of the reference policy)?

-- 
paul moore
linux security @ hp
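Added example, not part of this thread: a small Python helper that reads an AVC denial and says, in MLS terms, which way the write goes between the subject's level and the object's, so you can tell a write-down (where an MLS file write-down override is the relevant piece) from a same-level denial (where the MLS write constraint is already met and a plain type-enforcement allow rule is what's missing). The AVC lines are constructed, since the original denial was not quoted; the comparison uses the subject's current (low) level against the object's level, which is a simplification of the full constraint.

```python
import re
from typing import Dict, List, Set, Tuple

Level = Tuple[int, Set[int]]

# Constructed AVC denials (the denial from the original message was not quoted).
SAMPLE_AVC: List[str] = [
    'type=AVC msg=audit(1180543374.123:456): avc:  denied  { write } for  pid=1234 '
    'comm="java" path="/dev/pts/1" dev=devpts ino=4 '
    'scontext=staff_u:staff_r:java_t:s2:c0.c3 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1180543374.124:457): avc:  denied  { write } for  pid=1234 '
    'comm="java" path="/dev/pts/1" dev=devpts ino=4 '
    'scontext=staff_u:staff_r:java_t:s0 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file',
]

def parse_level(level: str) -> Level:
    """'s2:c0.c3,c5' -> (2, {0, 1, 2, 3, 5}); 'c0.c3' is an inclusive category range."""
    m = re.fullmatch(r's(\d+)(?::(.+))?', level)
    if not m:
        raise ValueError(f"not an MLS level: {level!r}")
    cats: Set[int] = set()
    for part in (m.group(2) or '').split(','):
        if not part:
            continue
        if '.' in part:
            lo, hi = (int(c.lstrip('c')) for c in part.split('.'))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part.lstrip('c')))
    return int(m.group(1)), cats

def dominates(a: Level, b: Level) -> bool:
    """a dom b: sensitivity at least as high and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_context(ctx: str) -> Tuple[str, Level, Level]:
    """user:role:type:low[-high] -> (type, low level, high level / clearance)."""
    _user, _role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    low_l = parse_level(low)
    return typ, low_l, (parse_level(high) if high else low_l)

def classify_avc(line: str) -> Dict[str, object]:
    """Describe one denial: types, class, permissions and the MLS direction of the access."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    stype, slow, _clearance = parse_context(fields['scontext'])
    ttype, tlow, _thigh = parse_context(fields['tcontext'])
    # Simplification: subject's current (low) level versus the object's level.
    if slow == tlow:
        direction = 'same-level'   # MLS write constraint met; look at TE allow rules
    elif dominates(slow, tlow):
        direction = 'write-down'   # subject above object: an MLS write-down override applies
    elif dominates(tlow, slow):
        direction = 'write-up'
    else:
        direction = 'incomparable'
    return {'source_type': stype, 'target_type': ttype,
            'tclass': fields['tclass'], 'perms': perms, 'direction': direction}
```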