Re: blocking security xattr changes when policy is not loaded

[Thorsten Kukuk <kukuk@suse.de>]

On Wed, Mar 10, Stephen Smalley wrote:

> On Tue, 2004-03-09 at 17:29, Arkadiusz Miskiewicz wrote:
> > Hi,
> > 
> > The case is that 2.6 selinux enabled kernel but _without_ policy loaded do not 
> > allow to change security xattr for root user.
> > 
> > The question is why is that?
> 
> SELinux still performs its regular processing even without the policy
> load; it is just that any permission checks are allowed until a policy
> is loaded.  The setxattr() is not failing due to a permission check; it
> is failing because selinux_inode_setxattr() attempts to convert the
> context to a SID (via security_context_to_sid) in preparation for making
> permission checks, and the context is unknown to the security server
> (policy engine) because no policy has been loaded.  The security server
> can't just blindly accept contexts and provide SIDs; it needs to have an
> internal representation of the context that it can understand.
> 
> In any event, note is_selinux_enabled() should return 0 when no policy
> is loaded, so if the pwdutils code was bracketing SELinux-related
> processing with if (is_selinux_enabled() > 0), it wouldn't even try to
> do this.

But if you add this check, the security attributes will be missing
for the new file. I don't think that this is the expected behavior.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.