We currently have code running on el6 that does a MLS dominance check by calling security_compute_av_raw with the security object class SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as you can see in the python code below. When I run this code on el6 s1 dominates s0 however when I run the same code on el7 s1 does not dominate s0. On both systems the file read dominance check works as expected. Can anyone help me understand why the context contains check does not work the same on both systems?

Ted

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

import selinux

SECCLASS_CONTEXT = selinux.string_to_security_class("context")

CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")

SECCLASS_FILE = selinux.string_to_security_class("file")

FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, "read")

raw_con1 = "user_u:user_r:user_t:s1"

raw_con2 = "user_u:user_r:user_t:s0"

avd = selinux.av_decision()

selinux.avc_reset()

try:

rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)

if rc < 0:

print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))

if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS:

print("%s dominates %s" % (raw_con1, raw_con2))

else:

print("%s does not dominate %s" % (raw_con1, raw_con2))

except OSError, ex:

print "exception calling selinux.security_compute_av_raw", ex

avd = selinux.av_decision()

selinux.avc_reset()

try:

rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_FILE, FILE__READ, avd)

if rc < 0:

print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))