(re-sent from my subscribed address) -------- Forwarded Message -------- From: Stephen Smalley <[EMAIL PROTECTED]> To: Darrel Goeddel <[EMAIL PROTECTED]> Cc: James Morris <[EMAIL PROTECTED]>, 'SELinux List' <[EMAIL PROTECTED]>, [email protected] Subject: Re: [PATCH] fix masking of capabilities over netlink in permissive mode Date: Wed, 31 May 2006 13:55:02 -0400
On Wed, 2006-05-31 at 12:35 -0500, Darrel Goeddel wrote: > I think I ran across the problem described in this thread: > > http://www.redhat.com/archives/linux-audit/2006-May/msg00059.html > > The process' effective capabilities are always being masked with the > allowed vector of the avc decision (for self against the capability > security class) in netlink's copy of the process capabilities (eff_cap). > The allowed vector takes on a slightly different role when SELinux > is not in enforcing mode - it starts to track used-but-not-normally- > permitted actions in the allowed vector. That is what is causing > the first attempt to fail (the allowed vector has not been "inflated") > and the following attempts to succeed (the vector has been inflated in > response to its previous use). Does my reasoning (and patch) seem to > be on track? Alternative: Since the sending task SID is now saved in the netlink control buffer, we could move the netlink checking entirely to the receive side, and perform a normal avc_has_perm() check, via task_has_capability, with corresponding auditing of netlink denials. Similarly for audit_netlink_ok. We couldn't do that in the past because the sender SID wasn't available to us on the receive side. > This patch removes the masking of capabilities passed over netlink > socket when SELinux is in enforcing mode. I assume that you meant "permissive mode" above. -- Stephen Smalley National Security Agency -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
