SMACK: access is granted while smack-utils report that it shouldn't be
Denis Obrezkov
denisobrezkov at gmail.com
Wed Nov 17 01:18:34 UTC 2021
Hi,
I installed smack (enabled it in the kernel and installed smack-utils)
in my Linux From Scratch distro. I am trying to regulate access with it
but access is always granted.
I created a file and installed the labels (with attr -S -s ...), they
were attached:
echo "foobar text" > foobar
# attr -S -g SMACK64 foobar
Attribute "SMACK64" had a 8 byte value for foobar:
objlabel
# attr -S -g SMACK64EXEC /bin/cat
Attribute "SMACK64EXEC" had a 9 byte value for /bin/cat:
subjlabel
I wrote simple rules, reading is forbidden:
echo subjlabel objlabel -w--- > /sys/fs/smackfs/load2
# smackaccess subjlabel objlabel w
1
# smackaccess subjlabel objlabel r
0
but when I try to read the file I succeed:
# cat foobar
foobar text
And the relevant output in dmesg shows that the access was granted:
[ 4341.952360] audit: type=1400 audit(1637110820.839:108): lsm=SMACK
fn=smack_inode_permission action=granted subject="subjlabel"
object="objlabel" requested=r pid=427 comm="cat" name="foobar"
dev="sda1" ino=820571
[ 4341.955501] audit: type=1400 audit(1637110820.839:109): lsm=SMACK
fn=smack_file_open action=granted subject="subjlabel" object="objlabel"
requested=r pid=427 comm="cat" path="/root/foobar" dev="sda1" ino=820571
[ 4341.958411] audit: type=1400 audit(1637110820.839:110): lsm=SMACK
fn=smack_inode_getattr action=granted subject="subjlabel"
object="objlabel" requested=r pid=427 comm="cat" path="/root/foobar"
dev="sda1" ino=820571
What can be the problem?
--
Regards, Denis Obrezkov
More information about the Linux-security-module-archive
mailing list