SMACK: access is granted while smack-utils report that it shouldn't be

Denis Obrezkov denisobrezkov at gmail.com
Wed Nov 17 01:18:34 UTC 2021


Hi,

I installed smack (enabled it in the kernel and installed smack-utils)
in my Linux From Scratch distro. I am trying to regulate access with it
but access is always granted.

I created a file and installed the labels (with attr -S -s ...), they
were attached:

echo "foobar text" > foobar

# attr -S -g SMACK64 foobar
Attribute "SMACK64" had a 8 byte value for foobar:
objlabel

# attr -S -g SMACK64EXEC /bin/cat
Attribute "SMACK64EXEC" had a 9 byte value for /bin/cat:
subjlabel

I wrote simple rules, reading is forbidden:

echo subjlabel objlabel -w--- > /sys/fs/smackfs/load2
# smackaccess subjlabel objlabel w
1
# smackaccess subjlabel objlabel r
0

but when I try to read the file I succeed:

# cat foobar
foobar text

And the relevant output in dmesg shows that the access was granted:

[ 4341.952360] audit: type=1400 audit(1637110820.839:108): lsm=SMACK
fn=smack_inode_permission action=granted subject="subjlabel"
object="objlabel" requested=r pid=427 comm="cat" name="foobar"
dev="sda1" ino=820571
[ 4341.955501] audit: type=1400 audit(1637110820.839:109): lsm=SMACK
fn=smack_file_open action=granted subject="subjlabel" object="objlabel"
requested=r pid=427 comm="cat" path="/root/foobar" dev="sda1" ino=820571
[ 4341.958411] audit: type=1400 audit(1637110820.839:110): lsm=SMACK
fn=smack_inode_getattr action=granted subject="subjlabel"
object="objlabel" requested=r pid=427 comm="cat" path="/root/foobar"
dev="sda1" ino=820571

What can be the problem?
-- 
Regards, Denis Obrezkov



More information about the Linux-security-module-archive mailing list