Re: SELinux and no capabilities

["Justin P. Mattock" <justinmattock@gmail.com>]

Serge E. Hallyn wrote:
> Quoting Justin Mattock (justinmattock@gmail.com):
>    
>> How dangerous is this:
>> (using captest:)
>>
>> Current capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>> Attempting direct access to shadow...SUCCESS
>> Attempting to access shadow by child process...SUCCESS
>> Child capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>>
>> I have security capability allowed
>> libcap and libcap-ng installed as well.
>> (The only thing I can think of, is the system is so small(1 gig)
>> that there isn't much on, to turn on any capabilities)
>>
>> I've refpolicy running with mcs, just a bit concerned when
>> I see  Attempting direct access to shadow...SUCCESS
>> (nice)
>>      
>
> But you're running this as root, right?  And /etc/shadow
> is owned by root.  The captest check is only for R_OK.
> So this test would only fail if shadow were owned by
> shadow or were chmoded 005.  Go ahead and try with one
> of those settings...
>
> (I think this is a forward-looking test.)
>
> -serge
>
>    
I cant remember If I used sudo to run this test
doing ls -lZ shows this:
-rw-r--r--.  1 root shadow system_u:object_r:shadow_t:s0              0 
May 20 22:55 shadow
(I have root:shadow as the groups!)
I think it's o.k.
As for any avc generated by a capability, non so far
(when I built a bigger system a while back
I remember avc capabilities
being generated, but that was for a bigger system with all
of the gnome libs etc...)

seems a smaller system built around the latest policy make more sense to
me(makes thing less complicated.)

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.