fedora-selinux May 2010 archive

Re: talking to mcstrans in MLS enforcing on rhel6 beta

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue May 11 2010 - 18:36:40 GMT
To: Xavier Toth <txtoth@gmail.com>


On 05/11/2010 12:10 PM, Xavier Toth wrote:
> I'm a bit confused about something. mcstransd creates a socket and
> through a transition rule it gets labeled setrans_var_run_t (this is
> also the type used with mls_trusted_object in the setrans policy);
> however, when other apps try and connect to it the target context type
> is setrans_t, which of course isn't trusted, so no one can connect. As
> an experiment I added setrans_t as an MLS trusted object and then other
> apps could connect. Not sure where the target context comes from on
> connectto because the socket file is labeled setrans_var_run_t on the
> disk. Something needs fixing, just not sure what. Doesn't seem right to
> add 'mls_trusted_object(setrans_t)'.
>
> Ted
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
Since connectto has a constraint on it, I think we need to add this also?
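
An added example, not part of either message or of the mcstrans or policy sources: a small Python parser over constructed AVC records that separates the two checks described in the thread. The write check on the socket file uses the file's label (setrans_var_run_t), while connectto is checked against the listening socket, which takes the label of the process that created it (setrans_t). The pid, comm, user_t, MLS levels and socket path are placeholders.

```python
import re

# Constructed audit records, not taken from the thread. The types setrans_t and
# setrans_var_run_t come from the post; pid, comm, user_t, the MLS levels and the
# socket path are placeholders. The "granted" line assumes an auditallow rule.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1273594200.101:41): avc:  granted  { write } for  pid=2101 '
    'comm="ls" name="SOCKET_NAME" scontext=user_u:user_r:user_t:s2 '
    'tcontext=system_u:object_r:setrans_var_run_t:s15:c0.c1023 tclass=sock_file',
    'type=AVC msg=audit(1273594200.102:42): avc:  denied  { connectto } for  pid=2101 '
    'comm="ls" path="/PLACEHOLDER/SOCKET_NAME" scontext=user_u:user_r:user_t:s2 '
    'tcontext=system_u:system_r:setrans_t:s15:c0.c1023 tclass=unix_stream_socket',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Which kernel object supplies tcontext for the classes seen on a UNIX socket connect.
LABELLED_OBJECT = {
    'sock_file': 'socket file inode on disk',
    'unix_stream_socket': 'listening socket, labelled from the process that created it',
}

def parse_avc(line):
    """Return result, perms, tclass and the split target context, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    parts = m.group('tcontext').split(':', 3)   # user:role:type[:mls-range]
    parts += [''] * (4 - len(parts))            # tolerate non-MLS contexts
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'tclass': m.group('tclass'), 'ttype': parts[2], 'tlevel': parts[3],
            'object': LABELLED_OBJECT.get(m.group('tclass'), 'unknown')}

def denials_outside_trusted(lines, trusted_types):
    """Denials whose target type is not in the set of MLS trusted object types."""
    recs = [r for r in map(parse_avc, lines) if r]
    return [r for r in recs
            if r['result'] == 'denied' and r['ttype'] not in trusted_types]

if __name__ == '__main__':
    # Only the file type is trusted, as in the setrans policy described in the post.
    for r in denials_outside_trusted(SAMPLE_AVCS, {'setrans_var_run_t'}):
        print(r['perms'], r['tclass'], r['ttype'], '->', r['object'])
```
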