From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains
Date: Wed,  3 May 2017 12:30:18 +0200
Message-ID: <20170503103036.17514-2-plautrba@redhat.com>
In-Reply-To: <20170503103036.17514-1-plautrba@redhat.com>

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1af4295c..3ebdfeb7 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -504,6 +504,7 @@ class ManPage:
             self._booleans()
 
         self._port_types()
+        self._mcs_types()
         self._writes()
         self._footer()
 
@@ -527,6 +528,7 @@ class ManPage:
         self._header()
         self._entrypoints()
         self._process_types()
+        self._mcs_types()
         self._booleans()
         self._nsswitch_domain()
         self._port_types()
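Review bot: the new section lands at a different point in the two man-page layouts, between `_process_types()` and `_booleans()` here but after `_port_types()` and just before `_writes()` in the previous hunk, so "MCS Constrained" will appear near the top of one generated page and near the bottom of the other; pick one position (for example directly after `_process_types()` in both methods) so the two variants read consistently.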
@@ -923,6 +925,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
         self.fd.write("""
 %s""" % ", ".join(paths))
 
+    def _mcs_types(self):
+        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+        if "mcs_constrained_type" not in attributes:
+            return
+        self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type.  Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users.  The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
     def _writes(self):
         permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
         if permlist is None or len(permlist) == 0:
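Review bot: `sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]` relies on info() returning an "attributes" key for a TYPE, which this series only adds in [PATCH 18/19] ("sepolicy: info() should provide attributes for a TYPE"); with the current ordering every tree between 01/19 and 18/19 raises KeyError in `sepolicy manpage`, so move this patch after 18/19 or squash the two. The inner parentheses in `(self.type)` are redundant and read like an intended one-tuple; pass `self.type` directly. `self.fd.write (` has a space before the paren, unlike the `self.fd.write("""` calls around it. The text emitted into the generated man page also needs an editing pass: "The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0" should read "The SELinux kernel only allows these processes to write to content with a matching MCS label, or an MCS label of s0", and the sentence ending in "s0:c3,c4" is missing its period.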
-- 
2.12.2


Thread overview: 21+ messages
2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
2017-05-03 10:30 ` Petr Lautrbach [this message]
2017-05-03 10:30 ` [PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages Petr Lautrbach
2017-05-03 10:30 ` [PATCH 03/19] sepolicy: Add manpages for typealiased types Petr Lautrbach
2017-05-03 10:30 ` [PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own Petr Lautrbach
2017-05-03 10:30 ` [PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/ Petr Lautrbach
2017-05-03 10:30 ` [PATCH 06/19] Fix up generation of application policy Petr Lautrbach
2017-05-03 10:30 ` [PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin Petr Lautrbach
2017-05-03 10:30 ` [PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface Petr Lautrbach
2017-05-03 10:30 ` [PATCH 09/19] Fix typo in executable.py template Petr Lautrbach
2017-05-03 10:30 ` [PATCH 10/19] sepolicy: Adapt to new the semodule list output Petr Lautrbach
2017-05-03 10:30 ` [PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead Petr Lautrbach
2017-05-03 10:30 ` [PATCH 12/19] sepolicy: Simplify policy types detection Petr Lautrbach
2017-05-03 10:30 ` [PATCH 13/19] sepolicy/generate.py: Fix string formatting Petr Lautrbach
2017-05-03 10:30 ` [PATCH 14/19] policycoreutils/sepolicy: Define our own cmp() Petr Lautrbach
2017-05-03 10:30 ` [PATCH 15/19] dbus: Use text streams in selinux_server.py Petr Lautrbach
2017-05-03 10:30 ` [PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype Petr Lautrbach
2017-05-03 10:30 ` [PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a' Petr Lautrbach
2017-05-03 10:30 ` [PATCH 18/19] sepolicy: info() should provide attributes for a TYPE Petr Lautrbach
2017-05-03 10:30 ` [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates Petr Lautrbach
2017-05-05 17:06   ` Stephen Smalley
