More specifically, I have users
Login Name | SELinux User | MLS/MCS Range
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123
mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r
-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
I would expect that user jane is unable to read the file since she is not a member of the c122 category. However, running cat johntext as jane prints the contents of the file without problem. This indicates to me that MCS rules are not adhered to.
I tested the same setup on CentOS 6.9, where everything behaves as I would expect (i.e., invoking cat johntext as jane results in a permission denied error).
Since I was unable to find documentation on a major change in policy/configuration regarding SELinux from version 6.9 to 7, I am somewhat confused by this. Am I making an obvious mistake or is this a bug?
I posted a more verbose version of this question already on serverfault.com, in case a more detailed listing of my steps is required: https://serverfault.com/questions/90157 ... categories
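As an added example (not part of the post above), a small Python model of the MCS file-read constraint in the targeted policy, (h1 dom h2) or (t1 != mcs_constrained_type), run against the users and file listed in the post; the function names and the sample contexts are my own.

```python
import re

# Added example: models the MCS "h1 dom h2" file-read constraint to check the
# expectation in the post. Function names here are my own, not policy API.
_LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")


def parse_level(level):
    """Parse one MCS/MLS level ('s0', 's0:c122', 's0:c0.c1023') into
    (sensitivity, frozenset of category numbers)."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"malformed level: {level!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")  # 'c0.c1023' is an inclusive range
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(rng):
    """'s0-s0:c122' -> (low, high); a bare level is its own low and high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """a dominates b: sensitivity >= and categories are a superset."""
    return a[0] >= b[0] and b[1] <= a[1]


def mcs_allows_read(subject_range, file_context, subject_is_mcs_constrained=True):
    """MCS file-read rule: (h1 dom h2) or (t1 != mcs_constrained_type).
    The subject's high level must dominate the file's level, unless the
    subject's type lacks the mcs_constrained_type attribute, in which case
    the category check is skipped entirely."""
    if not subject_is_mcs_constrained:
        return True
    _low, high = parse_range(subject_range)
    file_level = parse_level(file_context.split(":", 3)[3])  # 4th field on
    return dominates(high, file_level)


if __name__ == "__main__":
    # Constructed from the post: john's file, read by john, jane and an admin
    # range holding every category.
    johntext = "mcsuser_u:object_r:user_home_t:s0:c122"
    for who, rng in [("john", "s0-s0:c122"), ("jane", "s0-s0:c123"),
                     ("admin", "s0-s0:c0.c1023")]:
        print(f"{who:5} {rng:16} constrained={mcs_allows_read(rng, johntext)}"
              f" unconstrained={mcs_allows_read(rng, johntext, False)}")
```

The CentOS 7 targeted policy applies the MCS constraint only to types carrying the mcs_constrained_type attribute (container and virtualization domains, for example), so for an ordinary user domain the second branch of the rule makes the category comparison moot, which matches the behaviour described in the post.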