On Thu, Jan 16, 2014 at 12:17:56PM +0000, Pádraig Brady wrote: > On 01/16/2014 04:44 AM, Chengwei Yang wrote: > > In both SELinux and SMACK environment, 'id -Z' says about the security > > context of the current process, the id process, rather than the security > > context of the current user. > > --- > > doc/coreutils.texi | 2 +- > > src/id.c | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/doc/coreutils.texi b/doc/coreutils.texi > > index 9a19cfa..6b7194a 100644 > > --- a/doc/coreutils.texi > > +++ b/doc/coreutils.texi > > @@ -14564,7 +14564,7 @@ Print only the user ID. > > @cindex SELinux > > @cindex security context > > Print only the security context of the current user. > > I'll change the above mention of "current user" > to also mention 'process'.
Oh, yes, thank you.
>
> Some examples for my own reference:
>
> $ id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> $ ps -ocontext= -p $$
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> $ runcon 'root:object_r:tmp_t:s0' id -Z
> root:object_r:tmp_t:s0
>
> > -If SELinux is disabled then print a warning and
> > +If both SELinux and SMACK are disabled then print a warning and
> > set the exit status to 1.
> >
> > @item -z
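Review bot: the sentence that precedes this hunk in the quoted texinfo, "Print only the security context of the current user", still says "user" while the commit message states that id -Z reports the context of the id process, not of the user; change it to "current process" in the same patch rather than leaving the fix to a follow-up, and since the hunk now documents SMACK behaviour, add a matching "@cindex SMACK" next to the existing "@cindex SELinux" so the index points at this text for both LSMs.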
> > diff --git a/src/id.c b/src/id.c
> > index 803c360c..1007eb2 100644
> > --- a/src/id.c
> > +++ b/src/id.c
> > @@ -89,7 +89,7 @@ or (when USER omitted) for the current user.\n\
> > stdout);
> > fputs (_("\
> > -a ignore, for compatibility with other versions\n\
> > - -Z, --context print only the security context of the current user\n\
> > + -Z, --context print only the security context of the current process\n\
>
> So this is a little ambiguous. In the SMACK64EXEC edge case,
> is the current process referring to the id process or the
> process it's being run from?
id currently reads the SMACK label from /proc/self/attr/current; this is
always its own SMACK label, so the current process is the *id* process.
If the id binary has a SMACK64EXEC label, then its SMACK label overwrites
the label inherited from its parent, which in most cases is the shell.
The simple answer is that *the current process* is *the id process*,
regardless of whether it has a SMACK64EXEC label.
>
> -Z, --context print only the security context inherited by the process
So that's incorrect for a SMACK environment: if it has SMACK64EXEC, then
the inherited label is overwritten by its own SMACK64EXEC label.
--
Thanks,
Chengwei
>
> > -g, --group print only the effective group ID\n\
> > -G, --groups print all group IDs\n\
> > -n, --name print a name instead of a number, for -ugG\n\
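Review bot: "security context of the current process" in the new -Z help line is ambiguous, exactly as the SMACK64EXEC question above shows: a reader can take "current process" to mean the shell that invoked id. Since the label is read from /proc/self/attr/current and is therefore always id's own (which differs from the caller's when the binary carries SMACK64EXEC, or after runcon on SELinux), make the help text say so, for instance "print only the security context of the process" with the texinfo spelling out that this is the id process itself rather than its parent or the invoking user.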
>
> thanks,
> Pádraig.
signature.asc
Description: Digital signature
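The point made in the reply above, that id reads /proc/self/attr/current and so -Z always reports the id process's own label, which can differ from the invoking shell's after a SMACK64EXEC or SELinux transition, is illustrated by the following added example. It is not coreutils code and is not part of this thread; the function names, the struct secctx layout and the sample LSM list "capability,yama,selinux" are this example's own assumptions, and the SELinux context parser is exercised on the two contexts shown earlier in the thread. The program reads both its own and its parent's /proc/<pid>/attr/current (the attribute node SELinux and SMACK both use), reports whether the label was inherited or changed at exec, and splits an SELinux context into user, role, type and range (the range may itself contain colons, so only the first three are separators).

```c
/* Added example, not coreutils code: how a process learns its OWN security
 * label, as id -Z does.  SELinux and SMACK both expose the reading task's
 * label through /proc/<pid>/attr/current, so what is read is always the
 * label of the process doing the read; it differs from the parent's only
 * when it changed at exec (SELinux transition/runcon, SMACK64EXEC xattr). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Read a small proc/sysfs text file, stripping a trailing newline or NUL.
 * Returns the length, or -1 with errno set. */
static ssize_t read_text_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    errno = saved;
    if (n < 0) return -1;
    buf[n] = '\0';
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
        buf[--n] = '\0';
    return n;
}

/* Label of <pid> as the active LSM reports it.  For getpid() this is what
 * id -Z prints; EINVAL means no LSM provides it (the case where id warns). */
static ssize_t read_attr_current(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/attr/current", (long)pid);
    return read_text_file(path, buf, len);
}

/* Exact-token match in the comma-separated /sys/kernel/security/lsm list,
 * e.g. "capability,yama,selinux" (constructed sample). */
static int lsm_listed(const char *list, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = list;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* SELinux context user:role:type[:range].  The range may itself contain ':'
 * (s0-s0:c0.c1023), so only the first three ':' are field separators. */
struct secctx { char user[64], role[64], type[64], range[128]; };

static int copy_field(const char *s, size_t n, char *dst, size_t cap)
{
    if (n == 0 || n >= cap) return -1;       /* empty or oversized field */
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

static int parse_selinux_context(const char *ctx, struct secctx *out)
{
    char *dst[3] = { out->user, out->role, out->type };
    size_t cap[3] = { sizeof out->user, sizeof out->role, sizeof out->type };
    const char *p = ctx;
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strlen(p);
        if (copy_field(p, n, dst[i], cap[i]) < 0) return -1;
        if (!colon) {
            if (i < 2) return -1;            /* user:role:type is the minimum */
            out->range[0] = '\0';            /* no MLS/MCS range present */
            return 0;
        }
        p = colon + 1;
    }
    return copy_field(p, strlen(p), out->range, sizeof out->range);
}

int main(void)
{
    char lsms[256] = "", self[512], parent[512];
    struct secctx c;
    read_text_file("/sys/kernel/security/lsm", lsms, sizeof lsms);
    if (read_attr_current(getpid(), self, sizeof self) < 0) {
        perror("no security context available");   /* id -Z warns here */
        return 1;
    }
    printf("LSMs: %s; this process: %s\n", lsms, self);
    if (read_attr_current(getppid(), parent, sizeof parent) >= 0)
        printf("parent process: %s (%s)\n", parent, strcmp(self, parent)
               ? "label changed at exec" : "label inherited");
    if (lsm_listed(lsms, "selinux") && parse_selinux_context(self, &c) == 0)
        printf("user=%s role=%s type=%s range=%s\n", c.user, c.role, c.type, c.range);
    return 0;
}
```

Run it once plainly and the two labels match (inherited from the shell); run it under runcon on an SELinux host, or on a SMACK host after giving the binary a security.SMACK64EXEC xattr, and "this process" shows the new label while "parent process" still shows the shell's, which is exactly the distinction the help text for -Z has to convey.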
