On Mon, Feb 9, 2009 at 2:42 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
>> On Mon, 2009-02-09 at 10:42 -0600, Xavier Toth wrote:
>> > On Mon, Feb 9, 2009 at 8:02 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > > On Fri, 2009-02-06 at 15:56 -0600, Xavier Toth wrote:
>> > >> On Thu, Feb 5, 2009 at 12:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > >> > On Thu, 2009-02-05 at 11:08 -0600, Xavier Toth wrote:
>> > >> >> I've set the capabilities on a script that runs some python code with
>> > >> >> auditing calls in it but I'm not getting audit records written to the
>> > >> >> audit log. From what I've read I thought the +i would allow the
>> > >> >> capability to be inherited across execve but this doesn't appear to be
>> > >> >> the case. Can anyone help me understand what's going wrong here? Is
>> > >> >> there a way in the python code to get the capabilities to see if
>> > >> >> indeed cap_audit_write was inherited?
>> > >> >
>> > >> > Linux doesn't honor setuid on scripts, and file capabilities are
>> > >> > supposed to have the same behavior (they didn't for a while due to an
>> > >> > oversight, but that was corrected). You need an executable wrapper
>> > >> > program that invokes the script, like:
>> > >> > http://oss.tresys.com/projects/clip/browser/trunk/RHEL5.2/scripts/wrappers/wrapper.c
>> > >> >
>> > >> > --
>> > >> > Stephen Smalley
>> > >> > National Security Agency
>> > >> >
>> > >>
>> > >> Having used this wrapper code pretty much as is, I'm now seeing
>> > >> self:capability dac_override and dac_read_search AVCs. Do I need to do
>> > >> something similar to what newrole does to drop capabilities that I
>> > >> don't need my python script to have? After all, I'm only trying to give
>> > >> it the ability to audit.
>> > >
>> > > You can just dontaudit those denials if you don't need those
>> > > capabilities.
>> > >
>> > > --
>> > > Stephen Smalley
>> > > National Security Agency
>> > >
>> >
>> > Unfortunately python doesn't survive the dac_read_search AVC. I also
>> > tried removing the setreuid/setregid calls, doing a setcap
>> > cap_audit_write=ep on the wrapper and not running the wrapper as
>> > setuid, but that doesn't work.
>>
>> So what is it trying to access (enable syscall auditing with at least
>> one audit syscall filter defined so the kernel will collect PATH records
>> for you and emit them after any AVC denials)?
>>
>> On the separate question of capability inheritance on exec of a script
>> from a wrapper with file capabilities, I'll defer to Serge.
>
> Right, file capabilities on scripts are disregarded. So things to do
> would include:
>
> 1. set capabilities on the interpreter (in which case you'll likely
> want to make sure the interpreter can't be called by anyone else)
>
> 2. keep capabilities in pI, and place capabilities in fI (and if you
> must, fE) on all of the compiled programs called by the script.
>
> 3. Make the whole thing a compiled program...
>
> -serge
>

I was not putting capabilities on the script but rather on a compiled
wrapper which execs a python script in which I need to do auditing. Will
this not work?

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
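Two things come up in the thread that are easy to check in code: Xavier's question of how a Python script can see whether cap_audit_write actually made it into its capability sets, and Serge's point that a capability kept in pI only becomes permitted after exec if the interpreter (the compiled program being exec'd, not the script) carries it in fI. The example below is added here and is not code from any participant in the thread. It assumes the Cap* hex lines of /proc/<pid>/status and the execve transformation rules from capabilities(7) without the later ambient set (which did not exist in 2009); the capability bit numbers come from <linux/capability.h>, and the sample status text is constructed to show the failing case from the thread.

```python
"""Read a process's capability sets and model what survives execve.

Added example for the selinux-list thread on file capabilities and
scripts; not code from any of the thread's participants. Assumes the
/proc/<pid>/status Cap* line format and the pre-ambient execve rules in
capabilities(7). Capability numbers are from <linux/capability.h>.
"""
import os
import re

# Bit numbers from <linux/capability.h> (only the ones mentioned in the thread).
CAP_DAC_OVERRIDE = 1
CAP_DAC_READ_SEARCH = 2
CAP_AUDIT_WRITE = 29

# Assumption: nothing has been dropped from the bounding set.
FULL_BOUNDING_SET = (1 << 64) - 1


def parse_cap_sets(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into {name: bitmask}."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap):
    """True if capability number `cap` is set in bitmask `mask`."""
    return bool((mask >> cap) & 1)


def caps_after_exec(p_inh, p_prm, f_inh=0, f_prm=0, f_eff=False,
                    bset=FULL_BOUNDING_SET):
    """Model the sets a process holds after execve of a file whose file
    capabilities are (fI, fP, fE), per capabilities(7) with no ambient set:
        P'(inh) = P(inh)
        P'(prm) = (P(inh) & F(inh)) | (F(prm) & cap_bset)
        P'(eff) = P'(prm) if F(eff) else 0
    A script's own file capabilities are disregarded by the kernel, so for
    '#!' execution the values that matter are the interpreter's."""
    new_prm = (p_inh & f_inh) | (f_prm & bset)
    new_eff = new_prm if f_eff else 0
    return {"CapInh": p_inh, "CapPrm": new_prm, "CapEff": new_eff}


def audit_write_survives(status_text):
    """Which of inheritable/permitted/effective hold CAP_AUDIT_WRITE?"""
    sets = parse_cap_sets(status_text)
    return {k: has_cap(sets.get(k, 0), CAP_AUDIT_WRITE)
            for k in ("CapInh", "CapPrm", "CapEff")}


# Constructed sample: a python interpreter exec'd by a wrapper that kept
# CAP_AUDIT_WRITE in its inheritable set only. The interpreter binary has no
# file capabilities, so (pI & fI) is empty and nothing is permitted.
SAMPLE_STATUS = """\
Name:\tpython
Pid:\t4242
CapInh:\t0000000020000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\tffffffffffffffff
"""

if __name__ == "__main__":
    # The failing case from the thread: inheritable only, nothing effective.
    print("sample:", audit_write_survives(SAMPLE_STATUS))
    # Serge's option 2: keep pI, and put fI (plus fE) on the interpreter.
    after = caps_after_exec(p_inh=1 << CAP_AUDIT_WRITE, p_prm=0,
                            f_inh=1 << CAP_AUDIT_WRITE, f_eff=True)
    print("option 2:", {k: has_cap(v, CAP_AUDIT_WRITE) for k, v in after.items()})
    # Live check of the current process (Linux only).
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print("self:", audit_write_survives(f.read()))
```

Running the live check from inside the Python script that is supposed to be auditing answers the "did it inherit?" question directly, and `caps_after_exec` lets you try the wrapper/interpreter combinations from Serge's list on paper before touching setcap.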