> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of José Bollo
> Sent: Friday, January 10, 2014 7:39 AM
> To: [email protected]
> Subject: Re: [Dev] pam module for Smack
>
> On ven, 2014-01-10 at 00:28 +0000, Schaufler, Casey wrote:
> > (snip)
> >
> > Or to be even more pragmatic how about launching the sshd service in
> > the User domain and teaching people how to change their Smack label
> > once they have a shell?
> > (hint: # echo label > /proc/self/attr/current).
> >
>
> Sometimes it is not possible to change its own context: submitting
>
> # echo label > /proc/$$/attr/current
>
> sometimes prompts:
>
> -sh: echo: write error: Operation not permitted
>
> Here I have:
>
> # ps -M
> LABEL PID TTY TIME CMD
> System 1698 pts/0 00:00:00 sh
> System 1707 pts/0 00:00:00 ps
> # echo $$
> 1698
> # id
> uid=5000(app) gid=5000(app) groups=5000(app),... context=System
> # ls -lZ /proc/$$/attr/current
> -rw-rw-rw-. 1 app app System 0 gen 10 07:12 /proc/1691/attr/current
>
> Why? Do you have an idea? I'm in a 'su' issued shell.

Changing your Smack label requires privilege (CAP_MAC_ADMIN). Smack uses the same privilege model as Linux uses for other things. If you are root you (today) have all capabilities. You should set the Smack label before you run su to get the effect you're after.

> Best regards
> José
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
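
The privilege check described in the reply, as an added example that is not part of the original thread: it decodes the CapEff mask from /proc/<pid>/status and tests the CAP_MAC_ADMIN bit, which shows why the write is refused even though the attr file is mode rw-rw-rw-. The function names and the two status samples are constructed for illustration; bit number 33 is the CAP_MAC_ADMIN value from <linux/capability.h>.

```shell
#!/bin/sh
# Added example (not from the thread): does this shell hold the capability
# that Smack requires before it accepts a write to /proc/<pid>/attr/current?

CAP_MAC_ADMIN=33   # bit number from <linux/capability.h>

# cap_eff_of STATUS_TEXT: print the effective capability mask (hex).
cap_eff_of() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }'
}

# has_cap HEXMASK BIT: succeed if capability BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# can_relabel STATUS_TEXT: print yes, no, or unknown (no CapEff line found).
can_relabel() {
    mask=$(cap_eff_of "$1")
    [ -n "$mask" ] || { echo unknown; return; }
    if has_cap "$mask" "$CAP_MAC_ADMIN"; then echo yes; else echo no; fi
}

# Constructed sample: an unprivileged uid 5000 shell, as in the thread.
SAMPLE_APP='Name: sh
Uid: 5000 5000 5000 5000
CapEff: 0000000000000000'

# Constructed sample: a root shell with a full effective set.
SAMPLE_ROOT='Name: sh
Uid: 0 0 0 0
CapEff: 0000003fffffffff'

echo "uid 5000 sample can relabel: $(can_relabel "$SAMPLE_APP")"
echo "root sample can relabel:     $(can_relabel "$SAMPLE_ROOT")"

# Live check of the current shell, when procfs is readable.
if [ -r "/proc/$$/status" ]; then
    label=$(cat "/proc/$$/attr/current" 2>/dev/null || echo "(no LSM label)")
    echo "current label: $label"
    echo "CAP_MAC_ADMIN effective here: $(can_relabel "$(cat "/proc/$$/status")")"
fi
```

A "no" from the live check matches the "Operation not permitted" error quoted above: the file mode permits the open, and the capability check is what rejects the write.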
