On Tue, 2008-05-20 at 15:52 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > > ***restorecon:
> > > do we have an interface to see what is actually in security.xattr?
> >
> > No - because we don't have separate interfaces for getting/setting MAC
> > labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> > a first class construct and xattrs are just a storage mechanism that may
> > or may not be used by the MAC module).
> >
> > We had talked about the possibility of allowing processes with
> > CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> > contexts thread on selinux list. But see my comments there.
>
> In particular, see:
> http://marc.info/?l=selinux&m=121016477203440&w=2
> http://marc.info/?l=selinux&m=121016814610025&w=2
> http://marc.info/?l=selinux&m=121017332919586&w=2
>
> It is possible, but we have to figure out how we want to handle it; we
> don't want every getxattr call to trigger a full capable() check along
> with auditing.

Patch below is un-tested and may eat your brain. But might be worth
trying out. If it helps, I can take it up on selinux list.

Return the raw context value for getxattr if the caller has CAP_MAC_ADMIN
and mac_admin in policy. Use non-auditing forms of the permission checks
as getxattr may be called by unprivileged processes commonly and lack of
permission just means that we fall back to the in-core context value, not
a denial.

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4be1563..fe4f9ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name u32 size; int error; char *context = NULL; + struct task_security_struct *tsec = current->security; struct inode_security_struct *isec = inode->i_security; if (strcmp(name, XATTR_SELINUX_SUFFIX)) return -EOPNOTSUPP; - error = security_sid_to_context(isec->sid, &context, &size); + error = secondary_ops->capable(current, CAP_MAC_ADMIN); + if (!error) + error = avc_has_perm_noaudit(tsec->sid, tsec->sid, + SECCLASS_CAPABILITY2, + CAPABILITY2__MAC_ADMIN, + 0, + NULL); + if (!error) + error = security_sid_to_context_force(isec->sid, &context, + &size); + else + error = security_sid_to_context(isec->sid, &context, &size); if (error) return error; error = size; -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
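Review bot: the `else` branch of the new permission check silently drops the result of `secondary_ops->capable(current, CAP_MAC_ADMIN)` / `avc_has_perm_noaudit(...)` and reuses `error` for the fall-back `security_sid_to_context()` call, and nothing in the hunk says why the non-auditing forms are used instead of `capable()` and `avc_has_perm()`; that rationale (getxattr is commonly called by unprivileged processes, and a failed check here only means "return the in-core context", not a denial) lives only in the mail body. Suggest a short comment above the `secondary_ops->capable()` line stating this, and holding the check result in its own variable rather than overloading `error`, so a later reader does not mistake the `else` path for a lost error. Note also that `security_sid_to_context_force()` is not defined in this hunk and appears to come from the deferred-contexts series linked above, so this patch depends on that series being applied first; worth stating in the description, especially since the patch is marked untested.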