Got it – Thanks, Bill.

Tai

From: William Roberts <bill.c.robe...@gmail.com>
Date: Wednesday, October 2, 2013 2:16 PM
To: Tai Nguyen <taing...@cisco.com>
Cc: "seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>
Subject: Re: Question on shell policy


I didn't say it did...and don't add that. Your uid 0 differs from the owner
and group.

On Oct 2, 2013 2:15 PM, "Tai Nguyen (tainguye)" <taing...@cisco.com> wrote:
But why does shell need DAC_override if shell has all permissions on dir and 
files?

Thanks,
Tai

From: William Roberts <bill.c.robe...@gmail.com>
Date: Wednesday, October 2, 2013 2:10 PM
To: Tai Nguyen <taing...@cisco.com>
Cc: "seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>
Subject: Re: Question on shell policy


DAC permissions.... You would need MAC permission DAC_override.

You should invoke the command as su... So you transition to the su domain.

Bill

On Oct 2, 2013 2:08 PM, "Tai Nguyen (tainguye)" <taing...@cisco.com> wrote:
All,

We have the following rules

allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;

But we still got permission denied

root@android:/data/local # ls -Z
drwxrwx--x shell    shell             u:object_r:shell_data_file:s0 tmp
drwxr-xr-x root     net_admin          u:object_r:system_data_file:s0 udev

root@android:/data/local # id
uid=0(root) gid=0(root) context=u:r:shell:s0

root@android:/data/local # ls -Z tmp
opendir failed, Permission denied


The audit.log file shows:
audit(1380736858.382:29): avc:  denied  { dac_override } for  pid=11062 comm="ls" capability=1  scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
audit(1380736858.390:30): avc:  denied  { dac_read_search } for  pid=11062 comm="ls" capability=2  scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
root@android:/data/misc/audit #

What are we missing?

Thanks
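A model of the check behind those two denials, added here as an example and not part of the thread. It assumes the kernel's order for directories (CAP_DAC_OVERRIDE is tried first, then CAP_DAC_READ_SEARCH for non-write access) and Android's shell uid/gid of 2000; the audit records are the thread's two lines re-joined onto one line each.

```python
import re

CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = 1, 2  # numbers from <linux/capability.h>
MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4
AID_SHELL = 2000  # Android's uid/gid for the "shell" user (assumed constant)

def mode_from_ls(perm):
    """'drwxrwx--x' -> 0o771 (rwx triplets only; setuid/sticky bits ignored)."""
    return int("".join("0" if c == "-" else "1" for c in perm[1:10]), 2)

def dac_allows(uid, gid, f_uid, f_gid, mode, mask):
    """Plain owner/group/other bit test: the DAC half of the decision."""
    shift = 6 if uid == f_uid else 3 if gid == f_gid else 0
    return ((mode >> shift) & mask) == mask

def dir_permission(uid, gid, f_uid, f_gid, mode, mask, domain_caps):
    """Model of the kernel's generic_permission() for a directory: when DAC
    fails, CAP_DAC_OVERRIDE is tried first and, for non-write access,
    CAP_DAC_READ_SEARCH second.  Under SELinux each try is a check against the
    process domain; each missing capability becomes its own AVC denial.
    Returns (allowed, [capability numbers that would be logged as denied])."""
    if dac_allows(uid, gid, f_uid, f_gid, mode, mask):
        return True, []
    denied = []
    for cap in (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH):
        if cap == CAP_DAC_READ_SEARCH and mask & MAY_WRITE:
            continue
        if cap in domain_caps:
            return True, denied
        denied.append(cap)
    return False, denied

AVC_RE = re.compile(r"avc:\s+denied\s+\{ \w+ \}.*?capability=(\d+)", re.S)

def denied_caps(audit_log):
    """Capability numbers from capability-class AVC denials, in log order."""
    return [int(m.group(1)) for m in AVC_RE.finditer(audit_log)]

AUDIT_LOG = (
    'audit(1380736858.382:29): avc:  denied  { dac_override } for  pid=11062 '
    'comm="ls" capability=1  scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability\n'
    'audit(1380736858.390:30): avc:  denied  { dac_read_search } for  pid=11062 '
    'comm="ls" capability=2  scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability\n'
)

def thread_case(uid=0, gid=0, domain_caps=frozenset()):
    """opendir("tmp") (MAY_READ) on 'drwxrwx--x shell shell' from the given uid/gid/domain."""
    return dir_permission(uid, gid, AID_SHELL, AID_SHELL,
                          mode_from_ls("drwxrwx--x"), MAY_READ, domain_caps)
```

Running `thread_case()` reproduces the log's sequence (dac_override denied, then dac_read_search denied), while `thread_case(AID_SHELL, AID_SHELL)` passes on DAC alone with no capability check at all, which is the point about uid 0 not being the owner.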
