* SELinux and no capabilities
@ 2009-06-19 21:02 Justin Mattock
  2009-06-27 18:54 ` Serge E. Hallyn
  0 siblings, 1 reply; 3+ messages in thread
From: Justin Mattock @ 2009-06-19 21:02 UTC (permalink / raw)
  To: SE-Linux

How dangerous is this:
(using captest:)

Current capabilities: none
Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
Attempting direct access to shadow...SUCCESS
Attempting to access shadow by child process...SUCCESS
Child capabilities: none
Securebits flags NOROOT: 0, NOROOT_LOCKED: 0

I have security capability allowed
libcap and libcap-ng installed as well.
(The only thing I can think of, is the system is so small(1 gig)
that there isn't much on, to turn on any capabilities)

I've refpolicy running with mcs, just a bit concerned when
I see  Attempting direct access to shadow...SUCCESS
(nice)

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux and no capabilities
  2009-06-19 21:02 SELinux and no capabilities Justin Mattock
@ 2009-06-27 18:54 ` Serge E. Hallyn
  2009-06-27 19:59   ` Justin P. Mattock
  0 siblings, 1 reply; 3+ messages in thread
From: Serge E. Hallyn @ 2009-06-27 18:54 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux

Quoting Justin Mattock (justinmattock@gmail.com):
> How dangerous is this:
> (using captest:)
> 
> Current capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> Attempting direct access to shadow...SUCCESS
> Attempting to access shadow by child process...SUCCESS
> Child capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> 
> I have security capability allowed
> libcap and libcap-ng installed as well.
> (The only thing I can think of, is the system is so small(1 gig)
> that there isn't much on, to turn on any capabilities)
> 
> I've refpolicy running with mcs, just a bit concerned when
> I see  Attempting direct access to shadow...SUCCESS
> (nice)

But you're running this as root, right?  And /etc/shadow
is owned by root.  The captest check is only for R_OK.
So this test would only fail if shadow were owned by
shadow or were chmoded 005.  Go ahead and try with one
of those settings...

(I think this is a forward-looking test.)

-serge


* Re: SELinux and no capabilities
  2009-06-27 18:54 ` Serge E. Hallyn
@ 2009-06-27 19:59   ` Justin P. Mattock
  0 siblings, 0 replies; 3+ messages in thread
From: Justin P. Mattock @ 2009-06-27 19:59 UTC (permalink / raw)
  To: Serge E. Hallyn; +Cc: SE-Linux

Serge E. Hallyn wrote:
> Quoting Justin Mattock (justinmattock@gmail.com):
>    
>> How dangerous is this:
>> (using captest:)
>>
>> Current capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>> Attempting direct access to shadow...SUCCESS
>> Attempting to access shadow by child process...SUCCESS
>> Child capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>>
>> I have security capability allowed
>> libcap and libcap-ng installed as well.
>> (The only thing I can think of, is the system is so small(1 gig)
>> that there isn't much on, to turn on any capabilities)
>>
>> I've refpolicy running with mcs, just a bit concerned when
>> I see  Attempting direct access to shadow...SUCCESS
>> (nice)
>>      
>
> But you're running this as root, right?  And /etc/shadow
> is owned by root.  The captest check is only for R_OK.
> So this test would only fail if shadow were owned by
> shadow or were chmoded 005.  Go ahead and try with one
> of those settings...
>
> (I think this is a forward-looking test.)
>
> -serge
>
>    
I can't remember if I used sudo to run this test.
Doing ls -lZ shows this:
-rw-r--r--.  1 root shadow system_u:object_r:shadow_t:s0              0 May 20 22:55 shadow
(I have root:shadow as the groups!)
I think it's o.k.
As for any avc generated by a capability, none so far
(when I built a bigger system a while back
I remember avc capabilities
being generated, but that was for a bigger system with all
of the gnome libs etc...)

It seems a smaller system built around the latest policy makes more sense to
me (makes things less complicated).

Justin P. Mattock

