From a4de622d53cd4b0a628942dd3c4e9a88e31f8512 Mon Sep 17 00:00:00 2001 From: bfeldkamp3 Date: Sat, 26 Jul 2025 10:31:25 -0400 Subject: [PATCH] fix: inaccuracy in SELinux policy evaluation example --- secure-computer-systems/09-selinux.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secure-computer-systems/09-selinux.md b/secure-computer-systems/09-selinux.md index 4de25ed..476e310 100644 --- a/secure-computer-systems/09-selinux.md +++ b/secure-computer-systems/09-selinux.md @@ -205,7 +205,7 @@ Again, DAC is fine. **Commands for process #1**: -1. No access. `staff_t` does have read access to `home_t`. The effective sensitivity level of s0 is lower than s5, we fail MLS check. No access. +1. No access. `staff_t` has read access to `user_home_t` so it passes type enforcement (DTE), but the effective sensitivity level of s0 is lower than s5, so we fail MLS check. No access. 2. No access. Effective level is still s0 < s5. 3. No access. staff_t can execute the file of type `aide_exec_t` but staff_t has no transition to type aide_t, it will remain at the same type and have no permissions. If staff_t could transition to type aide_t then it would get the mlsfilereadtoclr and mlsfilewritetoclr attributes, allowing us to use the clearance level s15 instead of the effective level s0, this would allow access. 
@@ -213,4 +213,4 @@ Again, DAC is fine. 1. Allowed. Our **clearance** level is s15, which allows us to read something with sensitivity level s5. Notice that sysadm_t has both `mlsfilewritetoclr` and `mlsfilereadtoclr`. This means when reading and writing we can use the clearance level instead of the effective level. 2. Allowed. Again, clearance of s15 > s5. -3. Allowed. sysadm_t can execute the file of type `aide_exec_t` and transition to type `aide_t` which has `mlsfilewritetoclr` and `mlsfilereadtoclr`. Our clearance of s15 > s0. \ No newline at end of file +3. Allowed. sysadm_t can execute the file of type `aide_exec_t` and transition to type `aide_t` which has `mlsfilewritetoclr` and `mlsfilereadtoclr`. Our clearance of s15 > s0.
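Review bot: In the first hunk (process #1, item 1), the new sentence adds the abbreviation "DTE" in parentheses after "type enforcement" without expanding it. SELinux documentation normally calls this mechanism type enforcement (TE), so unless the file defines DTE earlier, spell it out here or drop the parenthetical. The edited line also puts `staff_t` and `user_home_t` in backticks while item 3 directly below still writes staff_t and aide_t bare; since this list is being touched, the type names could be made consistent, and "we fail MLS check" would read better as "we fail the MLS check".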
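Review bot: In the second hunk (process #2, item 3), the removed and added lines carry identical text, so the only effect is adding the missing newline at end of file. The commit subject mentions only the accuracy fix, so note the whitespace change in the message or split it into its own commit. While this line is in the diff: item 3 compares against s0 ("Our clearance of s15 > s0") whereas items 1 and 2 of the same list compare against s5. Please confirm which sensitivity level the object in command 3 actually has, since the commit is about the accuracy of this example.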