Re: MLS dominance check behavior on el7

2018-10-08 Thread Chad Hanson
On Fri, Oct 05, 2018 at 04:05:13PM -0400, Chris PeBenito wrote: > On 10/04/2018 05:01 PM, Stephen Smalley wrote: > >On 09/30/2018 10:43 AM, Chris PeBenito wrote: > >>On 09/11/2018 04:20 PM, Stephen Smalley wrote: > >>>On 09/11/2018 03:04 PM, Joe Nall wrote: > >On Sep 11, 2018, at 1:29 PM,

Re: MLS dominance check behavior on el7

2018-10-05 Thread Chris PeBenito
On 10/04/2018 05:01 PM, Stephen Smalley wrote: On 09/30/2018 10:43 AM, Chris PeBenito wrote: On 09/11/2018 04:20 PM, Stephen Smalley wrote: On 09/11/2018 03:04 PM, Joe Nall wrote: On Sep 11, 2018, at 1:29 PM, Stephen Smalley On 09/11/2018 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30

Re: MLS dominance check behavior on el7

2018-10-04 Thread Stephen Smalley
On 09/30/2018 10:43 AM, Chris PeBenito wrote: On 09/11/2018 04:20 PM, Stephen Smalley wrote: On 09/11/2018 03:04 PM, Joe Nall wrote: On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote: On 09/11/2018 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans

Re: MLS dominance check behavior on el7

2018-09-30 Thread Chris PeBenito
On 09/11/2018 04:20 PM, Stephen Smalley wrote: On 09/11/2018 03:04 PM, Joe Nall wrote: On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote: On 09/11/2018 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to

Re: MLS dominance check behavior on el7

2018-09-15 Thread Dominick Grift
On Fri, Sep 14, 2018 at 04:18:29PM -0500, Ted Toth wrote: > On Wed, Sep 12, 2018 at 9:57 AM Ted Toth wrote: > > > > > > > On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift > > wrote: > > > >> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: > >> > On 09/12/2018 09:26 AM, Ted Toth

Re: MLS dominance check behavior on el7

2018-09-14 Thread Ted Toth
On Wed, Sep 12, 2018 at 9:57 AM Ted Toth wrote: > > > On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift > wrote: > >> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: >> > On 09/12/2018 09:26 AM, Ted Toth wrote: >> > > >> > > >> > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley >

Re: MLS dominance check behavior on el7

2018-09-12 Thread Ted Toth
On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift wrote: > On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: > > On 09/12/2018 09:26 AM, Ted Toth wrote: > > > > > > > > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley > > > wrote: > > > > > > On

Re: MLS dominance check behavior on el7

2018-09-12 Thread Dominick Grift
On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: > On 09/12/2018 09:26 AM, Ted Toth wrote: > > > > > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley > > wrote: > > > > On 09/11/2018 04:59 PM, Ted Toth wrote: > > > That's awesome and now

Re: MLS dominance check behavior on el7

2018-09-12 Thread Ted Toth
On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley wrote: > On 09/11/2018 04:59 PM, Ted Toth wrote: > > That's awesome and now it's got me thinking about other > > classes/permissions that we could implement. Can cil macros be > > referenced in .te/.if files? > > Not sure I understand your

Re: MLS dominance check behavior on el7

2018-09-12 Thread Stephen Smalley
On 09/11/2018 04:59 PM, Ted Toth wrote: That's awesome and now it's got me thinking about other classes/permissions that we could implement. Can cil macros be referenced in .te/.if files? Not sure I understand your question. You can't directly embed cil statements in .te/.if files.

Re: MLS dominance check behavior on el7

2018-09-11 Thread Ted Toth
That's awesome and now it's got me thinking about other classes/permissions that we could implement. Can cil macros be referenced in .te/.if files? On Tue, Sep 11, 2018 at 2:27 PM Stephen Smalley wrote: > On 09/11/2018 02:49 PM, Ted Toth wrote: > > Yes I too noticed the translate

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 03:04 PM, Joe Nall wrote: On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote: On 09/11/2018 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 03:29 PM, Stephen Smalley wrote: On 09/11/2018 02:49 PM, Ted Toth wrote: Yes I too noticed the translate permission but couldn't find any info related to its intended purpose. Regarding CIL unfortunately I have zero experience with it but I've installed the compiler and started

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 02:49 PM, Ted Toth wrote: Yes I too noticed the translate permission but couldn't find any info related to its intended purpose. Regarding CIL unfortunately I have zero experience with it but I've installed the compiler and started reading through

Re: MLS dominance check behavior on el7

2018-09-11 Thread Joe Nall
> On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote: > > On 09/11/2018 10:41 AM, Stephen Smalley wrote: >> On 09/10/2018 06:30 PM, Ted Toth wrote: >>> mcstrans mcscolor.c also uses the same logic I'd been using to check >>> dominance so this too will no longer function as expected on el7.

Re: MLS dominance check behavior on el7

2018-09-11 Thread Yuli Khodorkovskiy
The selinux repo has more up to date and digestible documentation: https://github.com/SELinuxProject/selinux/tree/master/secilc/docs > On Sep 11, 2018, at 2:49 PM, Ted Toth wrote: > > Yes I too noticed the translate permission but couldn't find any info related > to its intended purpose.

Re: MLS dominance check behavior on el7

2018-09-11 Thread Ted Toth
Yes I too noticed the translate permission but couldn't find any info related to its intended purpose. Regarding CIL unfortunately I have zero experience with it but I've installed the compiler and started reading through https://github.com/SELinuxProject/cil/wiki (any other pointers to useful info

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer function as expected on el7. Do you have any suggestions for doing a 'generic' (one not tied to a specific

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 01:39 PM, Joshua Brindle wrote: On Tue, Sep 11, 2018 at 1:33 PM, Stephen Smalley wrote: On 09/11/2018 12:53 PM, Joshua Brindle wrote: On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same

Re: MLS dominance check behavior on el7

2018-09-11 Thread Joshua Brindle
On Tue, Sep 11, 2018 at 1:33 PM, Stephen Smalley wrote: > On 09/11/2018 12:53 PM, Joshua Brindle wrote: >> >> On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley >> wrote: >>> >>> On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/11/2018 12:53 PM, Joshua Brindle wrote: On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote: On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer function as expected on el7. Do you have any

Re: MLS dominance check behavior on el7

2018-09-11 Thread Joshua Brindle
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote: > On 09/10/2018 06:30 PM, Ted Toth wrote: >> >> mcstrans mcscolor.c also uses the same logic I'd been using to check >> dominance so this too will no longer function as expected on el7. Do you have any >> suggestions for doing a 'generic' (one

Re: MLS dominance check behavior on el7

2018-09-11 Thread Stephen Smalley
On 09/10/2018 06:30 PM, Ted Toth wrote: mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer function as expected on el7. Do you have any suggestions for doing a 'generic' (one not tied to a specific resource class) dominance check in lieu of

Re: MLS dominance check behavior on el7

2018-09-10 Thread Ted Toth
mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer function as expected on el7. Do you have any suggestions for doing a 'generic' (one not tied to a specific resource class) dominance check in lieu of context contains? Ted On Mon, Sep 10, 2018 at

Re: MLS dominance check behavior on el7

2018-09-10 Thread Ted Toth
Understood, thanks. On Mon, Sep 10, 2018 at 12:46 PM Stephen Smalley wrote: > On 09/10/2018 01:13 PM, Ted Toth wrote: > > We currently have code running on el6 that does a MLS dominance check by > > calling security_compute_av_raw with the security object class > > SECCLASS_CONTEXT with

Re: MLS dominance check behavior on el7

2018-09-10 Thread Stephen Smalley
On 09/10/2018 01:13 PM, Ted Toth wrote: We currently have code running on el6 that does a MLS dominance check by calling security_compute_av_raw with the security object class SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as you can see in the python code below. When I run this code on