On Fri, 2009-02-06 at 15:56 -0600, Xavier Toth wrote: > On Thu, Feb 5, 2009 at 12:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > On Thu, 2009-02-05 at 11:08 -0600, Xavier Toth wrote: > >> I've set the capabilities on a script that runs some python code with > >> auditing calls in it but I'm not getting audit records written to the > >> audit log. From what I've read I thought the +i would all the > >> capability to be inherited across execve but this doesn't appear to be > >> the case. Can anyone help me understand what's going wrong here? Is > >> there a way in the python code to get the capabilities to see if > >> indeed cap_audit_write was inherited? > > > > Linux doesn't honor setuid on scripts, and file capabilities are > > supposed to have the same behavior (they didn't for a while due to an > > oversight, but that was corrected). You need an executable wrapper > > program that invokes the script, like: > > http://oss.tresys.com/projects/clip/browser/trunk/RHEL5.2/scripts/wrappers/wrapper.c > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > Having used this wrapper code pretty much as is I'm now seeing > self:capability dac_override and dac_read_search AVCs. Do I need to do > something similar to what newrole does to drop capabilities that I > don't need my python script to have after all I'm only trying to give > it the ability to audit? You can just dontaudit those denials if you don't need those capabilities. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
