From: Laurent Bigonville <bigon@debian.org>
To: selinux@tycho.nsa.gov
Subject: newrole not working when built with LSPP_PRIV=y
Date: Sun, 27 Sep 2015 03:10:08 +0200
Message-ID: <560741F0.9090709@debian.org>

Hi,

Running the newrole executable compiled with LSPP_PRIV=y, I get the following
error while it's trying to switch role:

Error sending audit message.

It seems that the CAP_AUDIT_WRITE capability is not set [0]. Adding this
capability to the list doesn't seem enough; I then get the following error:

failed to exec shell: Operation not permitted

Looking at the Fedora tree, I've found this patch [1] (which is not
merged upstream) that seems to fix both issues.

The patch seems to break another thing: in Fedora the newrole
executable is not setuid root, but it is granted a bunch of capabilities
explicitly. If I setuid this executable instead of granting these
capabilities, I get yet another error:

Sorry, newrole failed to drop capabilities: Operation not permitted

So I guess something needs to be fixed here.

Cheers,

Laurent Bigonville

[0]
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/newrole/newrole.c#L590

[1]
https://github.com/fedora-selinux/selinux/commit/339a6fed0b37f8b82e4382bc6a5c9367119ed92b
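As an added diagnostic for the symptom reported above (example code, not from the thread, the selinux project, or Fedora's patch): a shell helper that decodes a capability mask as printed on the CapEff line of /proc/<pid>/status and reports which of a required set are absent, so a missing CAP_AUDIT_WRITE can be confirmed before blaming the audit library. Bit numbers are taken from <linux/capability.h>; the file name capcheck.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: decode a Linux capability mask
# (the hex value on the CapEff/CapPrm lines of /proc/<pid>/status) and
# report which required capabilities are absent.  The mail above names
# CAP_AUDIT_WRITE as the one newrole's LSPP_PRIV build was missing.

# Bit numbers as defined in <linux/capability.h>.
cap_number() {
    case "$1" in
        CAP_DAC_OVERRIDE) echo 1 ;;    CAP_FOWNER) echo 3 ;;
        CAP_SETGID) echo 6 ;;          CAP_SETUID) echo 7 ;;
        CAP_SETPCAP) echo 8 ;;         CAP_SYS_ADMIN) echo 21 ;;
        CAP_AUDIT_WRITE) echo 29 ;;    CAP_AUDIT_CONTROL) echo 30 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_in_mask HEXMASK NAME: succeed when the named bit is set in the mask.
cap_in_mask() {
    capbit=$(cap_number "$2") || return 2
    [ $(( (0x$1 >> capbit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK NAME...: print each required capability that the
# mask lacks, one per line; exit status 0 only when nothing is missing.
missing_caps() {
    capmask=$1; shift
    caprc=0
    for capname in "$@"; do
        if ! cap_in_mask "$capmask" "$capname"; then
            echo "$capname"
            caprc=1
        fi
    done
    return $caprc
}

# Effective set of a live process (default: the current shell).
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Usage: sh capcheck.sh --self [PID]   (capcheck.sh is an assumed name)
# An unprivileged shell normally lacks CAP_AUDIT_WRITE, which is the
# situation behind "Error sending audit message" in the mail above.
if [ "${1:-}" = "--self" ]; then
    missing_caps "$(proc_capeff "${2:-self}")" CAP_AUDIT_WRITE \
        && echo "CAP_AUDIT_WRITE present" || echo "CAP_AUDIT_WRITE missing"
fi
```

Run it against the PID of a newrole process (or the shell it spawns) to see whether the effective set carries the bit; compare with `getcap` on the binary to tell file-capability grants from a setuid root build.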
