On Thu, Feb 5, 2009 at 12:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On Thu, 2009-02-05 at 11:08 -0600, Xavier Toth wrote: >> I've set the capabilities on a script that runs some python code with >> auditing calls in it but I'm not getting audit records written to the >> audit log. From what I've read I thought the +i would all the >> capability to be inherited across execve but this doesn't appear to be >> the case. Can anyone help me understand what's going wrong here? Is >> there a way in the python code to get the capabilities to see if >> indeed cap_audit_write was inherited? > > Linux doesn't honor setuid on scripts, and file capabilities are > supposed to have the same behavior (they didn't for a while due to an > oversight, but that was corrected). You need an executable wrapper > program that invokes the script, like: > http://oss.tresys.com/projects/clip/browser/trunk/RHEL5.2/scripts/wrappers/wrapper.c > > -- > Stephen Smalley > National Security Agency > > Having used this wrapper code pretty much as is I'm now seeing self:capability dac_override and dac_read_search AVCs. Do I need to do something similar to what newrole does to drop capabilities that I don't need my python script to have after all I'm only trying to give it the ability to audit? Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
