* running filecaps ltp test
From: Serge E. Hallyn @ 2008-07-07 18:42 UTC (permalink / raw)
To: ltp-list, SELinux; +Cc: David Howells, Andrew Morgan, Stephen Smalley
It looks like unconfined_t is not granted setfcap capability. So
when running ltp as unconfined_t, the file capabilities test fails.
I'm just wondering what the right answer is:
1. require running ltp as an administrative type
2. give ltp a custom policy module to create an ltp_t
3. give setfcap to unconfined_t
thanks,
-serge
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: running filecaps ltp test
From: Stephen Smalley @ 2008-07-07 18:47 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: ltp-list, SELinux, David Howells, Andrew Morgan
On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> It looks like unconfined_t is not granted setfcap capability. So
> when running ltp as unconfined_t, the file capabilities test fails.
> I'm just wondering what the right answer is:
>
> 1. require running ltp as an administrative type
> 2. give ltp a custom policy module to create an ltp_t
> 3. give setfcap to unconfined_t
unconfined_t should have all capabilities already.
Policy version?
--
Stephen Smalley
National Security Agency
* Re: running filecaps ltp test
From: David L Durant (Mags) @ 2008-07-07 20:18 UTC (permalink / raw)
To: Stephen Smalley
Cc: Serge E. Hallyn, ltp-list, SELinux, David Howells, Andrew Morgan
On Mon, 2008-07-07 14:47 -0500, Stephen Smalley wrote:
> On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
>
>> It looks like unconfined_t is not granted setfcap capability. So
>> when running ltp as unconfined_t, the file capabilities test fails.
>> I'm just wondering what the right answer is:
>>
>> 1. require running ltp as an administrative type
>> 2. give ltp a custom policy module to create an ltp_t
>> 3. give setfcap to unconfined_t
>>
> unconfined_t should have all capabilities already.
> Policy version?
Well, earlier today while running as _root_ with full-blown permissions,
I noticed that I couldn't access /home/dave/.gvfs, (except to see that
it is a directory).
[dave@fedora ~]$ ls -ld /home/dave/.gvfs
dr-x------ 2 dave durant 0 2008-07-07 09:40 /home/dave/.gvfs
[dave@fedora ~]$ su -
Password:
[root@fedora ~]# ls -ld .gvfs
ls: cannot access /home/dave/.gvfs: Permission denied
[root@fedora ~]# secon
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
[root@fedora ~]#
David L Durant
=================
* Re: running filecaps ltp test
From: Stephen Smalley @ 2008-07-07 20:26 UTC (permalink / raw)
To: David L Durant (Mags)
Cc: Serge E. Hallyn, ltp-list, SELinux, David Howells, Andrew Morgan
On Mon, 2008-07-07 at 16:18 -0400, David L Durant (Mags) wrote:
> On Mon, 2008-07-07 14:47 -0500, Stephen Smalley wrote:
>
> > On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> >
> >> It looks like unconfined_t is not granted setfcap capability. So
> >> when running ltp as unconfined_t, the file capabilities test fails.
> >> I'm just wondering what the right answer is:
> >>
> >> 1. require running ltp as an administrative type
> >> 2. give ltp a custom policy module to create an ltp_t
> >> 3. give setfcap to unconfined_t
> >>
> > unconfined_t should have all capabilities already.
> > Policy version?
>
> Well, earlier today while running as _root_ with full-blown permissions,
> I noticed that I couldn't access /home/dave/.gvfs, (except to see that
> it is a directory).
>
> [dave@fedora ~]$ ls -ld /home/dave/.gvfs
> dr-x------ 2 dave durant 0 2008-07-07 09:40 /home/dave/.gvfs
> [dave@fedora ~]$ su -
> Password:
> [root@fedora ~]# ls -ld .gvfs
> ls: cannot access /home/dave/.gvfs: Permission denied
> [root@fedora ~]# secon
> user: unconfined_u
> role: unconfined_r
> type: unconfined_t
> sensitivity: s0
> clearance: s0:c0.c1023
> mls-range: s0-s0:c0.c1023
> [root@fedora ~]#
I don't think that is SELinux-related (retry after "setenforce 0" and/or
check your audit log via "/sbin/ausearch -m AVC -sv no"). Likely just
that /home/dave is NFS mounted and you have rootsquash on the NFS
server...
--
Stephen Smalley
National Security Agency
* Re: running filecaps ltp test
From: Serge E. Hallyn @ 2008-07-07 21:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: ltp-list, SELinux, David Howells, Andrew Morgan
Quoting Stephen Smalley (sds@epoch.ncsc.mil):
>
> On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> > It looks like unconfined_t is not granted setfcap capability. So
> > when running ltp as unconfined_t, the file capabilities test fails.
> > I'm just wondering what the right answer is:
> >
> > 1. require running ltp as an administrative type
> > 2. give ltp a custom policy module to create an ltp_t
> > 3. give setfcap to unconfined_t
>
> unconfined_t should have all capabilities already.
> Policy version?
Hmm yeah, I see that in the reference policy... I've not had the chance
to test it myself. David had found this on his Fedora 9 machine.
David, what policy version?
-serge
* Re: running filecaps ltp test
From: David Howells @ 2008-07-08 9:14 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: dhowells, Stephen Smalley, ltp-list, SELinux, Andrew Morgan
Serge E. Hallyn <serue@us.ibm.com> wrote:
> David, what policy version?
selinux-policy-3.3.1-72.fc9.noarch
selinux-policy-targeted-3.3.1-72.fc9.noarch
selinux-policy-devel-3.3.1-72.fc9.noarch
Is that what you want to know?
David
* Re: running filecaps ltp test
From: Stephen Smalley @ 2008-07-08 12:56 UTC (permalink / raw)
To: David Howells
Cc: Serge E. Hallyn, ltp-list, SELinux, Andrew Morgan, Daniel J Walsh
On Tue, 2008-07-08 at 10:14 +0100, David Howells wrote:
> Serge E. Hallyn <serue@us.ibm.com> wrote:
>
> > David, what policy version?
>
> selinux-policy-3.3.1-72.fc9.noarch
> selinux-policy-targeted-3.3.1-72.fc9.noarch
> selinux-policy-devel-3.3.1-72.fc9.noarch
>
> Is that what you want to know?
Ok, that's a bug in the Fedora policy, not an upstream issue.
You can work around it by adding it in a local policy module.
--
Stephen Smalley
National Security Agency
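An added example, not part of this thread and not LTP, refpolicy or Fedora policy code: it covers the two practical points raised above, Stephen Smalley's suggestion to confirm an SELinux denial via "ausearch -m AVC -sv no" before blaming the policy, and his closing advice to work around the Fedora 9 gap with a local policy module. The AVC record below is constructed in the shape ausearch prints; the module name ltp_filecaps and all helper names are my own. It assumes policycoreutils (checkmodule, semodule_package, semodule), setools (sesearch) and libcap (setcap, getcap) are installed. The block runs stand-alone; the root-only remediation steps are left as a commented recipe at the end.

```shell
#!/bin/sh
# Added example (not from the thread). Diagnose a setfcap AVC denial and
# build the local policy module suggested as a workaround.

# Constructed AVC record in the shape "ausearch -m AVC -sv no" prints for a
# failing setcap(8) run as unconfined_t. Not a real log line from the thread.
SAMPLE_AVC='type=AVC msg=audit(1215456000.123:42): avc:  denied  { setfcap } for  pid=4242 comm="setcap" capability=31 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability'

# avc_to_allow AVC_LINE
# Print the allow rule that would satisfy one AVC denial, e.g.
#   allow unconfined_t self:capability setfcap;
# The target is written as "self" when source and target types match, which
# is always the case for capability checks. Several permissions are braced.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = ((perms == "") ? $j : (perms " " $j))
            }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
            if ($i ~ /^tclass=/)    tclass = substr($i, 8)
        }
        if (perms == "" || stype == "" || tclass == "") exit 1
        if (index(perms, " ") > 0) perms = "{ " perms " }"
        target = ((stype == ttype) ? "self" : ttype)
        printf "allow %s %s:%s %s;\n", stype, target, tclass, perms
    }'
}

# has_setfcap TYPE
# Return 0 if the loaded policy already lets TYPE use setfcap. Check this
# first: upstream refpolicy grants unconfined_t every capability, so the
# module is only needed on a policy build that dropped it.
has_setfcap() {
    sesearch -A -s "$1" -c capability -p setfcap 2>/dev/null | grep -q setfcap
}

# write_te_module PATH
# Write the minimal Type Enforcement source for the workaround module.
write_te_module() {
    cat > "$1" <<'EOF'
module ltp_filecaps 1.0;

require {
    type unconfined_t;
    class capability setfcap;
}

# Let unconfined_t set file capabilities (CAP_SETFCAP) so the LTP
# filecaps test can run without an administrative domain.
allow unconfined_t self:capability setfcap;
EOF
}

# install_module TE_FILE
# Compile, package and load the module. Needs root; echoes each command.
install_module() {
    base=${1%.te}
    for cmd in \
        "checkmodule -M -m -o $base.mod $1" \
        "semodule_package -o $base.pp -m $base.mod" \
        "semodule -i $base.pp"; do
        echo "+ $cmd"; $cmd || return 1
    done
}

# verify_setfcap
# Exercise CAP_SETFCAP the way the filecaps test does: set a file capability
# on a scratch file and read it back.
verify_setfcap() {
    f=$(mktemp)
    setcap cap_setfcap=ep "$f" && getcap "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Diagnostic step: turn the denial into the rule a local module needs.
avc_to_allow "$SAMPLE_AVC"

# Remediation recipe, to run as root on the affected box:
#   if ! has_setfcap unconfined_t; then
#       write_te_module ltp_filecaps.te
#       install_module ltp_filecaps.te
#       verify_setfcap
#   fi
```

Only load the module when sesearch shows the permission really is missing; once a fixed selinux-policy package lands, remove it again with "semodule -r ltp_filecaps" so a redundant local rule does not linger. Since unconfined_t is already unconfined, the extra allow changes little on a targeted-policy test box, but the same module should not be carried onto a system that actually confines its users.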