I think that I'm misunderstanding the MLS constraints on adding files to directories.
I thought that the following constraint would prevent adding a file at a higher security level than the directory, unless the domain of the writing process had been given the mlsfilewritetoclr attribute, or the directory type had been given the mlstrustedobject attribute:
mlsconstrain dir { add_name remove_name reparent rmdir } ((( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsfilewrite ) or ( t2 == mlstrustedobject ));
However, I can use runcon to create a file at a higher level than the directory. For example, I can do the following:
> runcon -l s3 touch /m2ds/import/datasources/inputBuffer/U/temp
> ls -Z /m2ds/import/datasources/inputBuffer/U/temp
-rw-r--r-- root root root:object_r:import_datasources_t:s3 /m2ds/import/datasources/inputBuffer/U/temp
> ls -dZ /m2ds/import/datasources/inputBuffer/U
drwxrwxr-x root m252 system_u:object_r:import_datasources_t:s1 /m2ds/import/datasources/inputBuffer/U
I'm able to do this with the policy in Enforcing mode.
So what is this mlsconstrain statement doing?

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
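Added example, not part of the post or of the SELinux policy sources: a small Python evaluator that applies the quoted mlsconstrain expression to the contexts shown in the post, so a reader can see which clause would have to hold for an s3 process to add a name in an s1 directory. It assumes the runcon'd process has the single level s3 (low = high), and it stands in for the policy's type attributes with plain string sets passed by the caller; the level parser handles sensitivities plus category sets and ranges only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text):
        # "s3" or "s1:c0.c3,c7" -> Level; a range such as c0.c3 is expanded
        sens, _, catstr = text.partition(":")
        cats = set()
        for part in filter(None, catstr.split(",")):
            lo, _, hi = part.partition(".")
            lo_n, hi_n = int(lo[1:]), (int(hi[1:]) if hi else int(lo[1:]))
            cats.update(range(lo_n, hi_n + 1))
        return cls(int(sens[1:]), frozenset(cats))

    def dom(self, other):
        # MLS dominance: sensitivity at least as high and a superset of categories
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        return other.dom(self)


def parse_range(text):
    # "s1" -> (s1, s1); "s1-s3" -> (low, high)
    low, _, high = text.partition("-")
    return Level.parse(low), Level.parse(high or low)


def dir_add_name_allowed(subject_range, subject_attrs, dir_range, dir_attrs):
    """Evaluate the post's mlsconstrain for dir { add_name ... }.

    l1/h1 are the subject's low/high levels, l2/h2 the directory's;
    subject_attrs/dir_attrs are assumed stand-ins for the t1/t2 attributes."""
    l1, h1 = subject_range
    l2, h2 = dir_range
    within_dir_range = l1.dom(l2) and l1.domby(h2)          # (l1 dom l2) and (l1 domby h2)
    write_to_clearance = ("mlsfilewritetoclr" in subject_attrs
                          and h1.dom(l2) and l1.domby(l2))  # dir level inside subject's clearance
    return (within_dir_range or write_to_clearance
            or "mlsfilewrite" in subject_attrs
            or "mlstrustedobject" in dir_attrs)


# Constructed from the ls -Z output in the post: process level s3, directory level s1
PROCESS_RANGE = parse_range("s3")
DIR_RANGE = parse_range("s1")
```

With no attribute on either type the expression evaluates false for these levels, so an allowed write in enforcing mode means one of the attribute clauses (or a different constraint) is what actually applies to the running domain.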