From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Tue, 10 Feb 2009 12:34:39 -0600 From: "Serge E. Hallyn" To: Xavier Toth Cc: Stephen Smalley , SELinux List Subject: Re: problem with capabilities inheritance and auditing in python Message-ID: <20090210183438.GA14133@us.ibm.com> References: <1233857436.3181.40.camel@localhost.localdomain> <1234188170.28831.10.camel@localhost.localdomain> <1234210633.28831.87.camel@localhost.localdomain> <20090209204200.GA25401@us.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov Quoting Xavier Toth (txtoth@gmail.com): > I was not putting capabilities on the script but rather on a compiled > wrapper which execs a python script in which I need to do auditing. > Will this not work? No, because of the way capabilities are re-calculated on exec(). pI' = pI pP' = (X&fP) | (pI & fI) pE' = fE ? pP' : 0 So since the interpreter has fI=fP=fE=0 and is not setuid root (which would fill in fP and/or fE to emulate privileged root), pP' and pE' will be empty after exec(). Now you could use a wrapper as follows: Have the wrapper fill pI, and then fill fI on the python interpreter. Any user who has an empty pI (which generally is all users) will execute python scripts with no privilege, but when the wrapper execs the script, pP' will be filled with (pI&fI) = full. -serge -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.