[RFC][PATCH] security: Make the selinux setxattr and removexattr hooks behave

Eric W. Biederman ebiederm at xmission.com
Sun Oct 1 22:11:58 UTC 2017


Casey Schaufler <casey at schaufler-ca.com> writes:

> On 9/30/2017 6:02 PM, Eric W. Biederman wrote:
>> I don't have a smack configuration handy, but reading through
>> the code smack setxattr the permission checks for all xattrs
>> that are not smack xattrs to cap_inode_setxattr.
>
> It's not hard to configure Smack. But, if you have a test case
> I can run it for you.

All I did was take /bin/ping from a RHEL or equally a Fedora code base
where it is setcap, copy it with rsync as root in a user namespace,
and look at the xattr.

From memory:
$ cd
$ unshare -Ur
# rsync -Xp /bin/ping ping

>> So smack and commoncap combined will not fail.
>>
>> smack and selinux will result in people who should be able to set
>> selinux xattrs not being able to.  That however is less of an immediate
>> problem.
>
> That's not currently a problem as you can't configure
> them both to be enabled.

Like I said, not immediate.

> You clearly don't work in security if running into a brick
> wall is a shocking experience :)

The shock was that the security code was so b0rked.

Eric
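Added example, not part of this thread: a small Python decoder for the security.capability xattr, so the "look at the xattr" step on the copied ping can be done programmatically and the result compared with the original. The layout constants follow include/uapi/linux/capability.h (struct vfs_cap_data / vfs_ns_cap_data); it decodes the v1/v2 layouts and the v3 layout that appends a rootid. The sample blobs and the kuid 100000 are constructed.

```python
import os
import struct

# Layout constants from include/uapi/linux/capability.h; all fields are little-endian u32.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # one permitted/inheritable word pair
VFS_CAP_REVISION_2 = 0x02000000   # two word pairs, 64 capability bits
VFS_CAP_REVISION_3 = 0x03000000   # v2 plus a trailing rootid (kuid)
CAP_NET_RAW = 13                  # the capability a setcap ping carries

def parse_cap_xattr(blob):
    """Decode a raw security.capability value; raise ValueError if malformed."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    magic_etc, = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    words = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}
    if rev not in words:
        raise ValueError("unknown revision 0x%08x" % rev)
    has_rootid = rev == VFS_CAP_REVISION_3
    expected = 4 + 8 * words[rev] + (4 if has_rootid else 0)
    if len(blob) != expected:
        raise ValueError("length %d, expected %d" % (len(blob), expected))
    permitted = inheritable = 0
    for i in range(words[rev]):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    # rootid: the kuid whose "root" these caps belong to (v3 only); 0 = init user ns root.
    rootid = struct.unpack_from("<I", blob, expected - 4)[0] if has_rootid else 0
    return {
        "revision": rev >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": [c for c in range(64) if permitted >> c & 1],
        "inheritable": [c for c in range(64) if inheritable >> c & 1],
        "rootid": rootid,
    }

def read_file_caps(path):
    """Decoded file capability of path, or None if it has none / xattrs unsupported."""
    try:
        return parse_cap_xattr(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):  # ENODATA, ENOTSUP, or no os.getxattr (non-Linux)
        return None

# Constructed samples: cap_net_raw+ep as v2 (20 bytes) and as v3 with rootid 100000 (24 bytes).
SAMPLE_V2 = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << CAP_NET_RAW, 0, 0, 0)
SAMPLE_V3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE, 1 << CAP_NET_RAW, 0, 0, 0, 100000)
```

Run `read_file_caps` on the original and on the rsync'd copy: a differing revision or rootid shows what the kernel did to the xattr on the way in.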