Re: SELinux and no capabilities


Quoting Justin Mattock (justinmattock@xxxxxxxxx):
> How dangerous is this:
> (using captest:)
> 
> Current capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> Attempting direct access to shadow...SUCCESS
> Attempting to access shadow by child process...SUCCESS
> Child capabilities: none
> Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
> 
> I have security capability allowed
> libcap and libcap-ng installed as well.
> (The only thing I can think of, is the system is so small (1 gig)
> that there isn't much on, to turn on any capabilities)
> 
> I've refpolicy running with mcs, just a bit concerned when
> I see Attempting direct access to shadow...SUCCESS
> (nice)

But you're running this as root, right?  And /etc/shadow
is owned by root.  The captest check is only for R_OK.
So this test would only fail if shadow were owned by
shadow or were chmoded 005.  Go ahead and try with one
of those settings...

(I think this is a forward-looking test.)

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
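
The point made in the reply above, shown as an added example that is not part of the original thread and is not captest's own code: a process holding no capabilities can still read a file it owns when the owner bits allow it, and is denied when they do not (mode 005). The scratch path under /tmp and the function names are assumptions made for the illustration, and the probe is a read-only open().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clear the effective, permitted and inheritable sets (raw capset, no libcap). */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Returns 1 if the file's owner, holding no capabilities, can open a scratch
 * file of the given mode for reading, 0 if denied, -1 on setup failure. */
int owner_can_read_without_caps(mode_t mode)
{
    char path[] = "/tmp/captest-demo-XXXXXX";  /* constructed scratch file */
    int fd = mkstemp(path), status;
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    close(fd);

    pid_t pid = fork();
    if (pid == 0) {                 /* child: drop capabilities, then probe */
        if (drop_all_caps() != 0) _exit(2);
        _exit(open(path, O_RDONLY) >= 0 ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) { unlink(path); return -1; }
    unlink(path);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 2) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* Owner read bit set: plain DAC allows it, no capability needed. */
    printf("mode 0400: %d\n", owner_can_read_without_caps(0400));
    /* Owner bits empty: only CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH would help. */
    printf("mode 0005: %d\n", owner_can_read_without_caps(0005));
    return 0;
}
```

The result is the same whether the program is started as root or as an ordinary user, because the capabilities are dropped in the child before the open.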
