From: sds@tycho.nsa.gov (Stephen Smalley)
To: linux-security-module@vger.kernel.org
Subject: SELinux "filtering" capabilities?
Date: Wed, 19 Apr 2017 07:58:24 -0400 [thread overview]
Message-ID: <1492603104.31458.1.camel@tycho.nsa.gov> (raw)
In-Reply-To: <82d9ff60-6850-0873-1e68-20bd0e27e9ee@schaufler-ca.com>
On Tue, 2017-04-18 at 15:37 -0700, Casey Schaufler wrote:
> I don't expect anyone else to have run into this
> as I am working with SELinux and Smack on the same
> machine at the same time. While there are a number
> of interactions that I can explain, I have one that
> is perplexing me. I assume something rational is
> going on, but I am having trouble tracking it down.
>
> A process with CAP_MAC_ADMIN can change its Smack label
> by writing the new label to /proc/self/attr/smack/current.*
> If I have both SELinux and Smack enabled the write fails
> with -EPERM, indicating that the process lacks CAP_MAC_ADMIN.
> Instrumenting the Smack code verifies that, even though the
> process reports having CAP_MAC_ADMIN, the capability is gone
> in smack_setprocattr().
>
> It seem that this could be happening in the write() path,
> or perhaps an artifact of SELinux not knowing something
> special about smackfs. I don't see anything obvious.
> Unfortunately, it is going to be somewhat difficult for
> me to claim that I have SELinux and Smack working, if not
> together, at least begrudgingly on the same system.
>
> ----
> * The smack subdir of attr isn't upstream yet, but I hope
> ? to get it there real soon.
Since smack_privileged() calls capable() rather than cap_capable(), the
CAP_MAC_ADMIN check will trigger a check by all enabled security
modules, including SELinux. SELinux will then apply a check against
policy as to whether the current process is allowed mac_admin
permission. This is only allowed to a handful of domains (not even
unconfined_t) because to SELinux, CAP_MAC_ADMIN means the ability to
set or get a raw, uninterpreted security context that may be unknown to
the currently loaded security policy.
I suspect that smack_privileged() should call cap_capable() instead.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-04-19 11:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-18 22:37 SELinux "filtering" capabilities? Casey Schaufler
2017-04-19 11:58 ` Stephen Smalley [this message]
2017-04-19 17:55 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1492603104.31458.1.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).