From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from msux-gh1-uea02.nsa.gov (msux-gh1-uea02.nsa.gov [63.239.67.2])
	by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id n5RJwmDM020632
	for ; Sat, 27 Jun 2009 15:58:48 -0400
Received: from rv-out-0708.google.com (localhost [127.0.0.1])
	by msux-gh1-uea02.nsa.gov (8.12.10/8.12.10) with ESMTP id n5RJxLpb020226
	for ; Sat, 27 Jun 2009 19:59:21 GMT
Received: by rv-out-0708.google.com with SMTP id c5so477194rvf.54
	for ; Sat, 27 Jun 2009 12:58:46 -0700 (PDT)
Message-ID: <4A467A34.1070401@gmail.com>
Date: Sat, 27 Jun 2009 12:59:48 -0700
From: "Justin P. Mattock"
MIME-Version: 1.0
To: "Serge E. Hallyn"
CC: SE-Linux
Subject: Re: SELinux and no capabilities
References: <20090627185454.GA15965@us.ibm.com>
In-Reply-To: <20090627185454.GA15965@us.ibm.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Serge E. Hallyn wrote:
> Quoting Justin Mattock (justinmattock@gmail.com):
>
>> How dangerous is this:
>> (using captest:)
>>
>> Current capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>> Attempting direct access to shadow...SUCCESS
>> Attempting to access shadow by child process...SUCCESS
>> Child capabilities: none
>> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
>>
>> I have security capability allowed
>> libcap and libcap-ng installed as well.
>> (The only thing I can think of is the system is so small (1 gig)
>> that there isn't much on to turn on any capabilities)
>>
>> I've refpolicy running with mcs, just a bit concerned when
>> I see Attempting direct access to shadow...SUCCESS
>> (nice)
>>
>
> But you're running this as root, right? And /etc/shadow
> is owned by root. The captest check is only for R_OK.
> So this test would only fail if shadow were owned by
> shadow or were chmoded 005. Go ahead and try with one
> of those settings...
>
> (I think this is a forward-looking test.)
>
> -serge
>

I can't remember if I used sudo to run this test. Doing ls -lZ shows this:

-rw-r--r--. 1 root shadow system_u:object_r:shadow_t:s0 0 May 20 22:55 shadow

(I have root:shadow as the groups!)
I think it's o.k.

As for any avc generated by a capability, none so far
(when I built a bigger system a while back I remember avc capabilities
being generated, but that was for a bigger system with all of the gnome
libs etc...) Seems a smaller system built around the latest policy makes
more sense to me (makes things less complicated.)

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
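Serge's point in the exchange above is that captest's "direct access to shadow" line is nothing more than an access(path, R_OK) call, so uid 0 as the owner of a mode 0644 /etc/shadow passes the DAC check with no capability at all, and the check only becomes meaningful once the owner class denies reading (mode 005) or root is not the owner. The following is an added example written for this thread, not code from the thread and not libcap-ng's captest. It models that DAC decision and then runs the real access() call on a scratch file. Everything in it beyond the thread is assumed: the function names dac_allows_read, root_can_read and live_read_check are hypothetical, the uid/gid numbers 4242/4243 for a shadow account are constructed, the model consults only the primary group (no supplementary groups), whether CAP_DAC_OVERRIDE is held is taken as an input rather than read from the kernel, and the scratch file is created under /tmp.

```c
/* Added example, not code from the thread or from libcap-ng's captest.
 * Models the DAC rule behind access(path, R_OK) and runs that call on a
 * scratch file, so the owner/mode cases can be tried without /etc/shadow. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Who is asking. access() checks the real ids, which are what captest runs
 * with. Whether CAP_DAC_OVERRIDE survived is an input here (captest reads it
 * via libcap-ng; on Linux it is the CapEff line of /proc/self/status). */
struct subject {
    uid_t uid;
    gid_t gid;               /* primary group only; supplementary groups omitted */
    bool has_dac_override;
};

/* What is being read: owner, group and permission bits (e.g. 0644). */
struct object {
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

/* Model of the generic DAC rule for R_OK on a regular file. Exactly one
 * class applies, chosen in the order owner, group, other, and only that
 * class's bits count; that is why the owner of a mode 0005 file is refused
 * although "other" may read it. CAP_DAC_OVERRIDE (or CAP_DAC_READ_SEARCH,
 * folded into the same flag here) bypasses the bits for a read. */
bool dac_allows_read(const struct subject *s, const struct object *o)
{
    if (s->has_dac_override)
        return true;
    unsigned shift;
    if (s->uid == o->uid)
        shift = 6;           /* owner class */
    else if (s->gid == o->gid)
        shift = 3;           /* group class */
    else
        shift = 0;           /* other class */
    return ((o->mode >> shift) & 04) != 0;
}

/* Constructed ids for the scenarios, not real account numbers. */
enum { UID_ROOT = 0, GID_ROOT = 0, UID_SHADOW = 4242, GID_SHADOW = 4243 };

/* uid 0 (primary gid 0) asking to read a file with the given owner, group
 * and mode, with or without CAP_DAC_OVERRIDE still in effect. */
bool root_can_read(uid_t owner, gid_t group, mode_t mode, bool cap_held)
{
    struct subject s = { UID_ROOT, GID_ROOT, cap_held };
    struct object o = { owner, group, mode };
    return dac_allows_read(&s, &o);
}

/* Live check: create a scratch file owned by the caller, set the given mode
 * and run the real access(path, R_OK). Returns 0 on success, the errno on
 * refusal, or -1 if the scratch file could not be set up. An unprivileged
 * owner gets EACCES at mode 0005; a uid 0 caller that still holds
 * CAP_DAC_OVERRIDE gets 0, which is what captest drops the capability to
 * detect. */
int live_read_check(mode_t mode)
{
    char path[] = "/tmp/captest-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    int result = access(path, R_OK) == 0 ? 0 : errno;
    unlink(path);
    return result;
}

int main(void)
{
    /* The thread's observation: root:shadow at 0644, no capabilities. */
    printf("root-owned 0644, no caps:        %s\n", root_can_read(UID_ROOT, GID_SHADOW, 0644, false) ? "SUCCESS" : "FAIL");
    /* Serge's two suggestions: chmod 005, or owned by shadow (0640 assumed). */
    printf("root-owned 0005, no caps:        %s\n", root_can_read(UID_ROOT, GID_SHADOW, 0005, false) ? "SUCCESS" : "FAIL");
    printf("shadow-owned 0640, no caps:      %s\n", root_can_read(UID_SHADOW, GID_SHADOW, 0640, false) ? "SUCCESS" : "FAIL");
    /* What a captest that failed to drop CAP_DAC_OVERRIDE would report. */
    printf("shadow-owned 0640, DAC_OVERRIDE: %s\n", root_can_read(UID_SHADOW, GID_SHADOW, 0640, true) ? "SUCCESS" : "FAIL");
    int live = live_read_check(0005);
    printf("live access(R_OK) on own file at 0005 as uid %u: %s\n", (unsigned)getuid(),
           live == 0 ? "SUCCESS" : live > 0 ? strerror(live) : "setup failed");
    return 0;
}
```

Built with any C compiler and run as an ordinary user, the model lines reproduce the SUCCESS captest printed for root:shadow 0644 and the FAIL Serge predicts for mode 005 or a shadow-owned file, while the live line reports EACCES on the caller's own mode-005 file because no CAP_DAC_OVERRIDE is held. Run under uid 0 with that capability still in effect, the live line flips to SUCCESS, which is exactly the difference captest drops its capabilities to expose; the model's fourth line shows that outcome without needing root.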