Re: [LTP] running filecaps ltp test
On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> It looks like unconfined_t is not granted setfcap capability. So when
> running ltp as unconfined_t, the file capabilities test fails. I'm just
> wondering what the right answer is:
>
> 1. require running ltp as an administrative type
> 2. give ltp a custom policy module to create an ltp_t
> 3. give setfcap to unconfined_t

unconfined_t should have all capabilities already. Policy version?

--
Stephen Smalley
National Security Agency

Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] running filecaps ltp test
On Mon, 2008-07-07 at 16:18 -0400, David L Durant (Mags) wrote:
> On Mon, 2008-07-07 14:47 -0500, Stephen Smalley wrote:
> > On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> > > It looks like unconfined_t is not granted setfcap capability. So when
> > > running ltp as unconfined_t, the file capabilities test fails. I'm just
> > > wondering what the right answer is:
> > >
> > > 1. require running ltp as an administrative type
> > > 2. give ltp a custom policy module to create an ltp_t
> > > 3. give setfcap to unconfined_t
> >
> > unconfined_t should have all capabilities already. Policy version?
>
> Well, earlier today while running as _root_ with full-blown permissions,
> I noticed that I couldn't access */home/dave/.gvfs*, (except to see that
> it is a directory).
>
> [EMAIL PROTECTED] ~]$ *ls -ld /home/dave/.gvfs*
> dr-x-- 2 dave durant 0 2008-07-07 09:40 /home/dave/.gvfs
> [EMAIL PROTECTED] ~]$ su -
> Password:
> [EMAIL PROTECTED] ~]# *ls -ld .gvfs*
> ls: cannot access /home/dave/.gvfs: Permission denied
> [EMAIL PROTECTED] ~]# *secon*
> user: unconfined_u
> role: unconfined_r
> type: unconfined_t
> sensitivity: s0
> clearance: s0:c0.c1023
> mls-range: s0-s0:c0.c1023
> [EMAIL PROTECTED] ~]#

I don't think that is SELinux-related (retry after setenforce 0 and/or
check your audit log via /sbin/ausearch -m AVC -sv no). Likely just
that /home/dave is NFS mounted and you have rootsquash on the NFS server...

--
Stephen Smalley
National Security Agency
Re: [LTP] running filecaps ltp test
On Mon, 2008-07-07 14:47 -0500, Stephen Smalley wrote:
> On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> > It looks like unconfined_t is not granted setfcap capability. So when
> > running ltp as unconfined_t, the file capabilities test fails. I'm just
> > wondering what the right answer is:
> >
> > 1. require running ltp as an administrative type
> > 2. give ltp a custom policy module to create an ltp_t
> > 3. give setfcap to unconfined_t
>
> unconfined_t should have all capabilities already. Policy version?

Well, earlier today while running as _root_ with full-blown permissions,
I noticed that I couldn't access */home/dave/.gvfs*, (except to see that
it is a directory).

[EMAIL PROTECTED] ~]$ *ls -ld /home/dave/.gvfs*
dr-x-- 2 dave durant 0 2008-07-07 09:40 /home/dave/.gvfs
[EMAIL PROTECTED] ~]$ su -
Password:
[EMAIL PROTECTED] ~]# *ls -ld .gvfs*
ls: cannot access /home/dave/.gvfs: Permission denied
[EMAIL PROTECTED] ~]# *secon*
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
[EMAIL PROTECTED] ~]#

David L Durant
Re: [LTP] running filecaps ltp test
On Tue, 2008-07-08 at 10:14 +0100, David Howells wrote:
> Serge E. Hallyn [EMAIL PROTECTED] wrote:
>
> > David, what policy version?
>
> selinux-policy-3.3.1-72.fc9.noarch
> selinux-policy-targeted-3.3.1-72.fc9.noarch
> selinux-policy-devel-3.3.1-72.fc9.noarch
>
> Is that what you want to know?

Ok, that's a bug in the Fedora policy, not an upstream issue. You can
work around it by adding it in a local policy module.

--
Stephen Smalley
National Security Agency
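
One way to carry out the local-module workaround suggested in the message above, added here as an example (not code from the thread or from the Fedora policy): it reads AVC denials in the form `ausearch -m AVC -sv no` prints, keeps only capability denials of one domain on itself, and emits the module source for exactly those. The audit lines are constructed samples, and the module name `local_setfcap` and the allowlist are assumptions.

```python
import re

# Constructed sample of `ausearch -m AVC -sv no` output (not taken from the thread).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1215456123.101:77): avc:  denied  { setfcap } for  pid=4021 comm="setcap" capability=31 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1215456130.552:81): avc:  denied  { read } for  pid=4100 comm="ls" name="shadow" dev=dm-0 ino=9912 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1215456140.007:90): avc:  denied  { sys_admin } for  pid=4200 comm="httpd" capability=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def self_capability_denials(audit_text, domain):
    """Return the sorted capability permissions denied to `domain` on itself."""
    perms = set()
    for m in AVC_RE.finditer(audit_text):
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group('s').split(':')[2]
        ttype = m.group('t').split(':')[2]
        if m.group('cls') == 'capability' and stype == ttype == domain:
            perms.update(m.group('perms').split())
    return sorted(perms)


def render_module(name, domain, perms, allowed=('setfcap',)):
    """Emit .te source; refuse any capability outside the reviewed allowlist."""
    extra = [p for p in perms if p not in allowed]
    if extra or not perms:
        raise ValueError(f'refusing to generate rule, unreviewed or empty: {extra}')
    plist = '{ ' + ' '.join(perms) + ' }'
    return (f'module {name} 1.0;\n\n'
            f'require {{\n\ttype {domain};\n\tclass capability {plist};\n}}\n\n'
            f'allow {domain} self:capability {plist};\n')


if __name__ == '__main__':
    denied = self_capability_denials(SAMPLE_AUDIT, 'unconfined_t')
    print(render_module('local_setfcap', 'unconfined_t', denied))
    # Build and load with the standard SELinux tools:
    #   checkmodule -M -m -o local_setfcap.mod local_setfcap.te
    #   semodule_package -o local_setfcap.pp -m local_setfcap.mod
    #   semodule -i local_setfcap.pp
```

Unlike feeding the whole audit log to a rule generator, the filter ignores the unrelated `file` denial and the other domain's `sys_admin` denial, so the module grants only the one capability the thread identifies as missing.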
[LTP] running filecaps ltp test
It looks like unconfined_t is not granted setfcap capability. So when
running ltp as unconfined_t, the file capabilities test fails. I'm just
wondering what the right answer is:

1. require running ltp as an administrative type
2. give ltp a custom policy module to create an ltp_t
3. give setfcap to unconfined_t

thanks,
-serge