[RFC][PATCH] security: Make the selinux setxattr and removexattr hooks behave
Eric W. Biederman
ebiederm at xmission.com
Sun Oct 1 22:11:58 UTC 2017
Casey Schaufler <casey at schaufler-ca.com> writes:
> On 9/30/2017 6:02 PM, Eric W. Biederman wrote:
>> I don't have a smack configuration handy, but reading through
>> the code smack setxattr the permission checks for all xattrs
>> that are not smack xattrs to cap_inode_setxattr.
>
> It's not hard to configure Smack. But, if you have a test case
> I can run it for you.
All I did was take /bin/ping from a RHEL or equally a fedora code base
where it is setcap, and copied it with rsync as root in a user namespace
and looked at the xattr.
>From memory:
$ cd
$ unshare -Ur
# rsync -Xp /bin/ping ping
>> So smack and commoncap combined will not fail.
>>
>> smack and selinux will result in people who should be able to set
>> selinux xattrs not being able to. That however is less of an immediate
>> problem.
>
> That's not currently a problem as you can't configure
> them both to be enabled.
Like I said not immediate.
> You clearly don't work in security is running into a brick
> wall is a shocking experience :)
The shock was that the security code was so b0rked.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list