>> Does he add rules on the rpm's manifest file and then rpm applies the rules?

>So adding stuff to the manifests adds labels to file system objects, but not 
>rules.

Actually, you can add rules through the RPM manifest file (but some conditions 
must apply and there are also other restrictions). The RPM itself does not add 
the labels or the rules, it is the rpm-security-plugin's job to do that. It 
creates the file Auke described in /etc/smack/accesses.d/, based on what you 
request in the manifest, and loads said rules for the kernel to enforce them.

>From what I know, CAP_MAC_ADMIN is not granted to RPM, it is granted to 
>rpm-security-plugin, which is one of the first packages installed on any image.

If you want to test an app, you can switch to root and use the "smackload" 
command to load new rules, and "chsmack" or "attr" to set labels for objects.

For a better understanding of the rpm manifest or how the rpm-security-plugin 
works, please take a look at the following wiki (the same as in the previous 
mail): 
https://wiki.tizen.org/wiki/Security/Application_installation_and_Manifest

Hope this helps, 
    Alex  


-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of Kok, Auke-jan H
Sent: Wednesday, September 4, 2013 7:52 PM
To: Glauco Junquera
Cc: [email protected]
Subject: Re: [Tizen General] Smack rules

On Wed, Sep 4, 2013 at 9:03 AM, Glauco Junquera <[email protected]> wrote:
> How can the developer add smack rules?

Through RPM packages is one way. I don't know if other mechanisms exist and 
that seems

> Does he add rules on the rpm's manifest file and then rpm applies the rules?

So adding stuff to the manifests adds labels to file system objects, but not 
rules. There is a policy package that contains most of the rules. Smack access 
rules can come from packages separately or be part of the large policy file. 
The rules are just text files in /etc/smack/accesses.d/ that contain lines like 
"object subject access" (e.g. "foo bar rw"). Any package can install rules 
through rpm in that way by providing a small file with rules.

> For a userspace program to create smack rules it is necessary to write 
> to smackfs (mounted on /smack) and only processes that have the 
> CAP_MAC_ADMIN capability can write to smackfs. Is it correct?

Yes. The mountpoint will be under /sys/fs/smackfs going forward.

> If yes, how is CAP_MAC_ADMIN granted to rpm?

It is executed with elevated privileges, otherwise it won't be able to do 
anything (i.e. root access).

> Is there any other userspace program that runs with this capability?

There are a few system services that have that CAP, but adding new rules in 
smack is not something that should be done by end user applications (that would 
defeat the purpose of this system - i.e. to secure it).

Auke
_______________________________________________
General mailing list
[email protected]
https://lists.tizen.org/listinfo/general
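
Added example, not part of the original thread and not Tizen or rpm-security-plugin code: a small linter for the kind of rule file discussed above, meant to be run on a package's rules before they are installed under /etc/smack/accesses.d/ or loaded with smackload. It assumes the field order given in the kernel's Smack documentation (subject label, object label, access string); the function names, the accepted access characters and the sample input are assumptions made for illustration.

```python
# Assumptions (not from the thread): field order and character sets follow the
# kernel's Smack documentation; match ACCESS_CHARS to the target kernel.
ACCESS_CHARS = set("rwxatl-")
RESERVED_LABELS = {"_", "^", "*", "?", "@"}   # built-in Smack labels
MAX_LABEL_LEN = 255
BAD_LABEL_CHARS = set("/\\'\"")


def check_label(label):
    """Return a list of problems with one Smack label."""
    problems = []
    if len(label) > MAX_LABEL_LEN:
        problems.append("label longer than %d characters" % MAX_LABEL_LEN)
    if label.startswith("-"):
        problems.append("label starts with '-'")
    if any(c in BAD_LABEL_CHARS or not 0x20 < ord(c) < 0x7F for c in label):
        problems.append("label has a forbidden or non-printable character")
    return problems


def lint_rules(text):
    """Lint the contents of a rule file; return (rules, findings)."""
    rules, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) != 3:
            findings.append((lineno, "expected 3 fields, got %d" % len(fields)))
            continue
        subject, obj, access = fields
        problems = check_label(subject) + check_label(obj)
        if set(access.lower()) - ACCESS_CHARS:
            problems.append("unknown access character in %r" % access)
        if problems:
            findings.extend((lineno, p) for p in problems)
            continue  # malformed rules are reported, not returned
        if {subject, obj} & RESERVED_LABELS:
            # Well-formed, but it changes access involving a system-wide label.
            findings.append((lineno, "rule touches a built-in label: review"))
        rules.append((subject, obj, access.lower()))
    return rules, findings


# Constructed sample input, not taken from any real package.
SAMPLE = "foo bar rw\nfoo _ rwx\nfoo bar rwz\nfoo/bad bar r\nfoo bar\n"
```

Rules that touch a built-in label are still returned, since they are syntactically valid; the finding is there so a reviewer looks at them before the package ships.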