Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
> On Tue, 2009-02-10 at 14:59 -0600, Xavier Toth wrote:
> > On Tue, Feb 10, 2009 at 2:33 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > On Tue, 2009-02-10 at 14:20 -0600, Xavier Toth wrote:
> > >> On Tue, Feb 10, 2009 at 12:34 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> > >> > Quoting Xavier Toth (txtoth@xxxxxxxxx):
> > >> >> I was not putting capabilities on the script but rather on a compiled
> > >> >> wrapper which execs a python script in which I need to do auditing.
> > >> >> Will this not work?
> > >> >
> > >> > No, because of the way capabilities are re-calculated on exec().
> > >> >
> > >> > pI' = pI
> > >> > pP' = (X&fP) | (pI & fI)
> > >> > pE' = fE ? pP' : 0
> > >> >
> > >> > So since the interpreter has fI=fP=fE=0 and is not setuid root (which
> > >> > would fill in fP and/or fE to emulate privileged root), pP' and pE' will
> > >> > be empty after exec().
> > >> >
> > >> > Now you could use a wrapper as follows: Have the wrapper fill pI,
> > >> > and then fill fI on the python interpreter. Any user who has an
> > >> > empty pI (which generally is all users) will execute python scripts
> > >> > with no privilege, but when the wrapper execs the script, pP' will
> > >> > be filled with (pI&fI) = full.
> > >> >
> > >> > -serge
> > >> >
> > >>
> > >> Thanks for the clarification.
> > >> For anyone that is interested I've included some test code. The
> > >> wrapper is a modified version of a wrapper Stephen sent me a link to.
> > >> Basic steps to test are:
> > >> 1) edit the wrapper to set the path to the audit_test.py script
> > >> 2) compile the wrapper
> > >>    gcc -o audit-wrapper audit-wrapper.c -lcap
> > >> 3) set the capabilities on the wrapper and python
> > >>    setcap cap_audit_write,cap_setfcap=epi audit-wrapper
> > >
> > > Why cap_setfcap (set file capability)?
> >
> > The wrapper adds the 'i' back to cap_audit_write as it goes away when
> > audit-wrapper runs. I was printing the capabilities in the wrapper for
> > debug purposes when I noticed that its capabilities were "=
> > cap_audit_write,cap_setfcap+ep". I think without the i cap_audit_write
> > can't be inherited by the child process.
>
> cap_setfcap controls setting of file capabilities via setxattr(2).
> cap_setpcap may have an effect on setting of process capabilities, but I
> don't think it is required if you are just setting inheritable to
> something in your permitted set.

Right, to be able to put cap_audit_write in pI, you either need to have
cap_audit_write in pP, or to have cap_setpcap in pP.

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
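An added model of the exec() capability rules discussed in this thread (illustration only, not the wrapper or test code posted by the participants). It treats each capability set as a bitmask and walks both cases: a plain user running python directly, and the wrapper with cap_audit_write=epi that must re-raise the 'i' bit itself before exec'ing an interpreter whose fI carries the capability. The CAP_* bit positions and the bounding set X are constructed stand-ins, not kernel values.

```c
/* Added model (not code from this thread): the exec() capability rules quoted
 * above, as pure bit arithmetic, with no libcap and nothing touched on the host.
 * CAP_* bit positions and X (the bounding set) are constructed stand-ins. */
#include <stdint.h>
#include <stdbool.h>

#define CAP_AUDIT_WRITE (1u << 0)
#define CAP_SETPCAP     (1u << 1)
#define CAP_ALL         0xFFFFFFFFu   /* X: bounding set, left full here */

typedef struct { uint32_t fP, fI; bool fE; } filecaps;  /* fE is one flag */
typedef struct { uint32_t pP, pI, pE; } proccaps;

/* pI' = pI ; pP' = (X & fP) | (pI & fI) ; pE' = fE ? pP' : 0 */
proccaps exec_transition(proccaps p, filecaps f, uint32_t X) {
    proccaps n;
    n.pI = p.pI;
    n.pP = (X & f.fP) | (p.pI & f.fI);
    n.pE = f.fE ? n.pP : 0;
    return n;
}

/* A bit may be raised into pI only if it is in pP, or pP holds CAP_SETPCAP. */
bool raise_inheritable(proccaps *p, uint32_t cap) {
    if (!(p->pP & cap) && !(p->pP & CAP_SETPCAP)) return false;
    p->pI |= cap;
    return true;
}

/* Ordinary user (empty pI) runs python directly: fI on python is inert. */
uint32_t python_direct_pP(void) {
    proccaps user = {0, 0, 0};
    filecaps python = {0, CAP_AUDIT_WRITE, false};
    return exec_transition(user, python, CAP_ALL).pP;   /* 0 */
}

/* Wrapper with cap_audit_write=epi: after exec pI' = pI = 0, so the file's
 * 'i' is not in the process.  The wrapper re-raises it (allowed: the cap is
 * in pP), then execs python whose fI carries cap_audit_write. */
uint32_t wrapper_then_python_pP(uint32_t *wrapper_pI_after_exec) {
    proccaps user = {0, 0, 0};
    filecaps wrapper = {CAP_AUDIT_WRITE, CAP_AUDIT_WRITE, true};
    filecaps python  = {0, CAP_AUDIT_WRITE, false};
    proccaps w = exec_transition(user, wrapper, CAP_ALL);
    *wrapper_pI_after_exec = w.pI;                        /* 0: the lost 'i' */
    if (!raise_inheritable(&w, CAP_AUDIT_WRITE)) return 0;
    return exec_transition(w, python, CAP_ALL).pP;        /* CAP_AUDIT_WRITE */
}
```

The second function also reports the wrapper's pI right after its own exec, which is where the 'i' from setcap visibly disappears because pI' = pI, not fI.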