Re: SELinux and no capabilities

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Justin Mattock <justinmattock@gmail.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: SELinux and no capabilities
Date: Sat, 27 Jun 2009 13:54:54 -0500	[thread overview]
Message-ID: <20090627185454.GA15965@us.ibm.com> (raw)
In-Reply-To: <dd18b0c30906191402o12100191x10dac3abcfbbcb56@mail.gmail.com>

Quoting Justin Mattock (justinmattock@gmail.com):
> How dangerous is this:
> (using captest:)
> 
> Current capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> Attempting direct access to shadow...SUCCESS
> Attempting to access shadow by child process...SUCCESS
> Child capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> 
> I have security capability allowed
> libcap and libcap-ng installed as well.
> (The only thing I can think of, is the system is so small(1 gig)
> that there isn't much on, to turn on any capabilities)
> 
> I've refpolicy running with mcs, just a bit concerned when
> I see  Attempting direct access to shadow...SUCCESS
> (nice)

But you're running this as root, right?  And /etc/shadow
is owned by root.  The captest check is only for R_OK.
So this test would only fail if shadow were owned by
shadow or were chmoded 005.  Go ahead and try with one
of those settings...

(I think this is a forward-looking test.)

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2009-06-27 18:54 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-06-19 21:02 SELinux and no capabilities Justin Mattock
2009-06-27 18:54 ` Serge E. Hallyn [this message]
2009-06-27 19:59   ` Justin P. Mattock

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090627185454.GA15965@us.ibm.com \
    --to=serue@us.ibm.com \
    --cc=justinmattock@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.