Dear All,
After switching on SELinux in MLS enforcing mode, I'd like to know how the
slogan of "no read up, no write
down" works.
I created some text files with the following descriptions
TestFile_S0 system_u:object_r:usr_t:s0
TestFile_S0C2 system_u:object_r:usr_t:s0:c2
TestFile_S1 system_u:object_r:usr_t:s1
TestFile_S2 system_u:object_r:usr_t:s2
TestFile_S2C11 system_u:object_r:usr_t:s2:c11
TestFile_S2C5 system_u:object_r:usr_t:s2:c5
TestFile_S3 system_u:object_r:usr_t:s3
TestFile_S3C14 system_u:object_r:usr_t:s3:c14
TestFile_S3C5 system_u:object_r:usr_t:s3:c5
After creating these text file, I went to create users having different
security clearance;
The clearance of each created user is listed bellow:
*Login Name SELinux User Role MLS/MCS Range*
first x_first xguest_r s0
second x_second sysadm_r s3-s3:c5.c15
third x_third sysadm_r
s1:c3.c15-s3:c5.c10
forth x_forth system_r
s1-s1:c0.c10
root root system_r
s0-s15:c0.c1023
having the clearance delegated for each user I expect user first have read
write access to TestFile_S0 and just
write access to all other files; user second have read access to files such
as TestFile_S0, TestFile_S0C2,
TestFile_S2, TestFile_S2C5, TestFile_S2C11 and only write access to
TestFile_S3, TestFile_S3C14.
when I switch to MLS enforcing mode I see something else.
These users have no permission to write to files they expect they have write
access to.
I'd like to know the where this problem originates
Moreover when user first wants to take a list of the directory contents only
TestFile_S0, TestFile_S1,
TestFile_S2 are listed not else; user second sees TestFile_S0, TestFile_S1,
TestFile2, TestFile3; users
third and root sees all files; user forth sees just TestFile_S0 not more.
I don't know why such lists are taken when I'd like to take a list.
Any comment is wellcome
Best Regards