On 12/14/2015 01:27 PM, Roberts, William C wrote:


-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Monday, December 14, 2015 9:18 AM
To: Roberts, William C <[email protected]>; seandroid-[email protected]
Subject: Re: mac_override: What does ignore mean?

On 12/14/2015 11:57 AM, Roberts, William C wrote:
According to:
http://selinuxproject.org/page/ObjectClassesPerms#capability2,
mac_override is ignored. What does that actually mean? Is it always
denied (my guess) or always allowed?

It is never checked by SELinux, only by Smack.


What does that entail exactly? The messages printed to dmesg are "avc denied". Do the "is capable" checks call into SELinux and EPERM is always returned?

I ask this in the context of an out of tree driver that is currently and incorrectly coded with a capable(MAC_OVERRIDE) check.

No, the logic performed by the capable hook is not specific to any capability; it just checks whether that permission bit is set in the corresponding access vector. So you can allow it in policy and it should be fine. But it is wrong for the driver to be using that capability...
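As an added illustration (not code from this thread or from the kernel itself), here is a small C model of the capable-hook logic Stephen describes: the object class and the permission bit are derived arithmetically from the capability number, so CAP_MAC_OVERRIDE (32) lands on the first bit of capability2, and the only question the hook asks is whether the domain's access vector has that bit set. The policy struct, the domain name mydriver_t and the function model_capable are constructed for this example; the capability numbers and the CAP_TO_INDEX/CAP_TO_MASK arithmetic are the real ones.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN    21
#define CAP_MAC_OVERRIDE 32
#define CAP_MAC_ADMIN    33

/* Same arithmetic the kernel uses: caps 0-31 map to class "capability",
 * caps 32-63 to "capability2"; the permission bit is the cap number mod 32. */
#define CAP_TO_INDEX(x) ((x) >> 5)
#define CAP_TO_MASK(x)  (1u << ((x) & 31))

static const char *const class_name[2] = { "capability", "capability2" };

/* Constructed toy policy: one domain, one allowed access vector per class. */
struct domain_policy {
    const char *domain;
    uint32_t allowed_av[2];
};

/* Policy permission names for the caps this example exercises. */
static const char *perm_name(int cap)
{
    switch (cap) {
    case CAP_SYS_ADMIN:    return "sys_admin";
    case CAP_MAC_OVERRIDE: return "mac_override";
    case CAP_MAC_ADMIN:    return "mac_admin";
    default:               return "<other>";
    }
}

/* Model of the SELinux capable hook (constructed, not the kernel function).
 * Nothing below depends on *which* capability is requested: class and bit
 * are computed from the number and tested against the domain's vector.
 * Returns 0 when policy allows the bit, -1 (think -EPERM) when it does not,
 * filling msg with an avc-style denial line on the deny path. */
int model_capable(const struct domain_policy *p, int cap, char *msg, size_t len)
{
    int cls = CAP_TO_INDEX(cap);
    uint32_t av = CAP_TO_MASK(cap);

    if (cls > 1)
        return -1;                       /* out of range: kernel rejects too */
    if (p->allowed_av[cls] & av) {
        if (len) msg[0] = '\0';
        return 0;
    }
    snprintf(msg, len, "avc: denied { %s } for scontext=%s tclass=%s",
             perm_name(cap), p->domain, class_name[cls]);
    return -1;
}
```

Adding `allow mydriver_t self:capability2 mac_override;` to policy corresponds to setting that bit in allowed_av[1], after which the same check succeeds without any capability-specific code path.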
_______________________________________________
Seandroid-list mailing list
[email protected]