On Tue, Feb 10, 2009 at 2:33 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2009-02-10 at 14:20 -0600, Xavier Toth wrote:
>> On Tue, Feb 10, 2009 at 12:34 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
>> > Quoting Xavier Toth (txtoth@xxxxxxxxx):
>> >> I was not putting capabilities on the script but rather on a compiled
>> >> wrapper which execs a python script in which I need to do auditing.
>> >> Will this not work?
>> >
>> > No, because of the way capabilities are re-calculated on exec().
>> >
>> > pI' = pI
>> > pP' = (X&fP) | (pI & fI)
>> > pE' = fE ? pP' : 0
>> >
>> > So since the interpreter has fI=fP=fE=0 and is not setuid root (which
>> > would fill in fP and/or fE to emulate privileged root), pP' and pE' will
>> > be empty after exec().
>> >
>> > Now you could use a wrapper as follows: Have the wrapper fill pI,
>> > and then fill fI on the python interpreter. Any user who has an
>> > empty pI (which generally is all users) will execute python scripts
>> > with no privilege, but when the wrapper execs the script, pP' will
>> > be filled with (pI&fI) = full.
>> >
>> > -serge
>> >
>>
>> Thanks for the clarification.
>> For anyone who is interested I've included some test code. The
>> wrapper is a modified version of a wrapper Stephen sent me a link to.
>> Basic steps to test are:
>> 1) edit the wrapper to set the path to the audit_test.py script
>> 2) compile the wrapper
>>    gcc -o audit-wrapper audit-wrapper.c -lcap
>> 3) set the capabilities on the wrapper and python
>>    setcap cap_audit_write,cap_setfcap=epi audit-wrapper
>
> Why cap_setfcap (set file capability)?

The wrapper adds the 'i' back to cap_audit_write as it goes away when
audit-wrapper runs. I was printing the capabilities in the wrapper for
debug purposes when I noticed that its capabilities were
"= cap_audit_write,cap_setfcap+ep". I think without the i cap_audit_write
can't be inherited by the child process.

> And do you need to set fI on the wrapper at all, given that it isn't
> inheriting anything from its caller?

Without cap_setfcap cap_set_proc fails, without cap_audit_write
cap_set_proc fails (see cap_set_proc man page).

>
>> setcap cap_audit_write=ei /usr/bin/python
>
> Is setting fE required on the interpreter?

I tried 'i' only, it wouldn't work without 'e'.

>
>> 4) run audit-wrapper
>> 5) check audit log for audit records.
>>
>> I also ran audit_test.py without the wrapper to verify that no audit
>> would occur.
>
> So this approach suffices for your need?

Yes

>
> The alternative would be to use the setuid-root wrapper approach, using
> SELinux to limit the capabilities that can be used by the domain in
> which the wrapper and the script run (no need to touch the interpreter
> in that case). Did you ever track down what files the script was trying
> to access that caused a problem with DAC denials?
>

We are trying to avoid setuid-root programs and there were some other
complicating factors with using this approach for this particular
application. As for the DAC denials they were a red herring, sorry to
have bothered you with those. :(

> --
> Stephen Smalley
> National Security Agency
>
>

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
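The exec() rules Serge quotes, worked through the two cases the thread compares (python run directly by an unprivileged user, and python run from the wrapper after it restores cap_audit_write to pI), as an added example that is not part of the thread and not Xavier's audit-wrapper. It is a bitmask model with a constructed two-capability universe; it assumes a full bounding set X and models the wrapper's cap_set_proc() step as a direct write to pI.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed two-bit capability universe; real kernels have many more
 * bits, but the exec() arithmetic below is the same. */
#define CAP_AUDIT_WRITE (1u << 0)
#define CAP_SETFCAP     (1u << 1)
#define CAP_ALL         (CAP_AUDIT_WRITE | CAP_SETFCAP)

typedef struct { uint32_t pI, pP, pE; } proc_caps;       /* process sets */
typedef struct { uint32_t fI, fP; bool fE; } file_caps;  /* file sets, fE is a flag */

/* The exec() transition exactly as quoted in the thread:
 *   pI' = pI
 *   pP' = (X & fP) | (pI & fI)      X = bounding set (assumed full here)
 *   pE' = fE ? pP' : 0 */
static proc_caps exec_transition(proc_caps p, file_caps f, uint32_t X) {
    proc_caps n;
    n.pI = p.pI;
    n.pP = (X & f.fP) | (p.pI & f.fI);
    n.pE = f.fE ? n.pP : 0;
    return n;
}

/* Case 1: an unprivileged user (empty pI) runs python (cap_audit_write=ei)
 * directly. pI & fI is empty, so the script gets nothing. */
static proc_caps script_caps_direct(void) {
    proc_caps user = { 0, 0, 0 };
    file_caps python = { CAP_AUDIT_WRITE, 0, true };
    return exec_transition(user, python, CAP_ALL);
}

/* Case 2: the same user runs audit-wrapper (cap_audit_write,cap_setfcap=epi).
 * After that exec pI' is still empty (fI on the wrapper buys nothing because
 * the caller's pI was empty), so the wrapper must put cap_audit_write back
 * into pI itself before it execs python. python_fE models giving the
 * interpreter 'e' versus 'i' only. */
static proc_caps script_caps_via_wrapper(bool python_fE) {
    proc_caps user = { 0, 0, 0 };
    file_caps wrapper = { CAP_ALL, CAP_ALL, true };
    proc_caps w = exec_transition(user, wrapper, CAP_ALL);
    w.pI |= CAP_AUDIT_WRITE;     /* models the wrapper's cap_set_proc() call */
    file_caps python = { CAP_AUDIT_WRITE, 0, python_fE };
    return exec_transition(w, python, CAP_ALL);   /* pP' = pI & fI */
}

int main(void) {
    proc_caps d = script_caps_direct(), w = script_caps_via_wrapper(true);
    proc_caps i = script_caps_via_wrapper(false);
    printf("direct:            pP=%x pE=%x\n", (unsigned)d.pP, (unsigned)d.pE);
    printf("via wrapper (ei):  pP=%x pE=%x\n", (unsigned)w.pP, (unsigned)w.pE);
    printf("via wrapper (i):   pP=%x pE=%x\n", (unsigned)i.pP, (unsigned)i.pE);
    return 0;
}
```

The 'i'-only run shows why Xavier needed 'e' on the interpreter: cap_audit_write lands in pP' but never in pE', so the audit write itself is still refused.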