Re: SELinux and no capabilities

Serge E. Hallyn wrote:
Quoting Justin Mattock (justinmattock@xxxxxxxxx):
How dangerous is this:
(using captest:)

Current capabilities: none
Securebits flags NOROOT: 0, NOROOT_LOCKED: 0
Attempting direct access to shadow...SUCCESS
Attempting to access shadow by child process...SUCCESS
Child capabilities: none
Securebits flags NOROOT: 0, NOROOT_LOCKED: 0

I have security capability allowed
libcap and libcap-ng installed as well.
(The only thing I can think of is that the system is so small (1 gig)
that there isn't much on it to turn on any capabilities.)

I've refpolicy running with mcs, just a bit concerned when
I see Attempting direct access to shadow...SUCCESS
(nice)

But you're running this as root, right?  And /etc/shadow
is owned by root.  The captest check is only for R_OK.
So this test would only fail if shadow were owned by
shadow or were chmoded 005.  Go ahead and try with one
of those settings...

(I think this is a forward-looking test.)

-serge

I can't remember if I used sudo to run this test.
Doing ls -lZ shows this:
-rw-r--r--. 1 root shadow system_u:object_r:shadow_t:s0 0 May 20 22:55 shadow
(I have root:shadow as the groups!)
I think it's o.k.
As for any avc generated by a capability, none so far
(when I built a bigger system a while back
I remember avc capabilities
being generated, but that was for a bigger system with all
of the gnome libs etc...)

Seems a smaller system built around the latest policy makes more sense to
me (makes things less complicated).

Justin P. Mattock
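Serge's point above, that captest's check is a plain access(2) with R_OK and so is decided by the file's ownership bits before any capability is consulted, as an added example (my code, not captest's or the kernel's): a small model of the Linux DAC read decision, run over the three file settings mentioned in the thread, with constructed uid/gid values and a hypothetical capability bit layout.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Constructed model of the DAC read check behind access(path, R_OK).
 * Capability names follow the kernel's; the bit layout is hypothetical. */
#define MODEL_CAP_DAC_OVERRIDE    1u
#define MODEL_CAP_DAC_READ_SEARCH 2u

struct file_dac  { uid_t owner; gid_t group; mode_t mode; };
struct proc_cred { uid_t euid; gid_t egid; unsigned caps; }; /* no supplementary groups, for brevity */

/* True if DAC would grant a read. As in the kernel, exactly one of the
 * owner/group/other triplets is chosen by identity, uid 0 is not special
 * by itself, and only after a denial do CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH
 * override it. SELinux's avc check on shadow_t is a separate, later decision. */
bool dac_read_allowed(const struct file_dac *f, const struct proc_cred *p) {
    mode_t bits;
    if (p->euid == f->owner)      bits = (f->mode >> 6) & 7;
    else if (p->egid == f->group) bits = (f->mode >> 3) & 7;
    else                          bits =  f->mode       & 7;
    if (bits & 4) return true;
    return (p->caps & (MODEL_CAP_DAC_OVERRIDE |
                       MODEL_CAP_DAC_READ_SEARCH)) != 0;
}

/* Constructed values: uid/gid 42 stands in for the shadow user/group. */
static const struct proc_cred root_nocaps = { 0, 0, 0 };
static const struct proc_cred root_dacrs  = { 0, 0, MODEL_CAP_DAC_READ_SEARCH };

/* root:shadow 0644, as in the ls -lZ output: the owner bits grant the read,
 * so captest reports SUCCESS with no capabilities at all. */
bool read_root_shadow_0644(void) {
    struct file_dac f = { 0, 42, 0644 };
    return dac_read_allowed(&f, &root_nocaps);
}
/* owned by shadow, 0640: root is neither owner nor in the group */
bool read_shadow_shadow_0640(void) {
    struct file_dac f = { 42, 42, 0640 };
    return dac_read_allowed(&f, &root_nocaps);
}
/* root-owned, mode 005: the owner triplet has no r bit, and no capability */
bool read_root_0005_nocaps(void) {
    struct file_dac f = { 0, 0, 0005 };
    return dac_read_allowed(&f, &root_nocaps);
}
/* same file with CAP_DAC_READ_SEARCH: this is where a capability matters */
bool read_root_0005_with_cap(void) {
    struct file_dac f = { 0, 0, 0005 };
    return dac_read_allowed(&f, &root_dacrs);
}
```

Only the last two cases differ by capability state, which is why a SUCCESS on a root-owned 0644 file says nothing about whether capabilities are present.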

--
This message was distributed to subscribers of the selinux mailing list.
