On Tue, 2010-07-27 at 18:08 -0400, Mimi Zohar wrote:
> On Tue, 2010-07-27 at 09:04 -0400, Stephen Smalley wrote:
> > On Tue, 2010-07-27 at 08:28 -0400, Mimi Zohar wrote:
> > > I'm seeing some interesting behavior in ima_inode_setxattr() with an
> > > SELinux targeted policy enabled. Unlike the definition for
> > > CAP_SYS_ADMIN, CAP_MAC_ADMIN does not permit root to write extended
> > > attributes. (Without SELinux enabled, root can write 'security.ima'.)
> > > Is this the intended behavior?
> > >
> > > Without this permission, restorecond is also unable to write extended
> > > attributes.
> > >
> > > kernel: type=1400 audit(1279830569.844:4): avc: denied { mac_admin }
> > > for pid=447 comm="restorecon" capability=33
> > > scontext=system_u:system_r:setfiles_t:s0
> > > tcontext=system_u:system_r:setfiles_t:s0 tclass=capability2
> > >
> > > /*
> > > * ima_protect_xattr - protect 'security.ima'
> > > *
> > > * Ensure that not just anyone can modify or remove 'security.ima'.
> > > */
> > > int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
> > > const void *xattr_value, size_t xattr_value_len)
> > > {
> > > if ((strcmp(xattr_name, XATTR_NAME_IMA) == 0)
> > > && !capable(CAP_MAC_ADMIN))
> > > return -EPERM;
> > > return 0;
> > > }
> > >
> > > Adding the following rules, permits root and restorecond to write
> > > 'security.ima'.
> > >
> > > module local-cap 1.0;
> > >
> > > require {
> > > type setfiles_t;
> > > type unconfined_t;
> > > class capability2 mac_admin;
> > > }
> > >
> > > #============= setfiles_t ==============
> > > allow setfiles_t self:capability2 mac_admin;
> > > allow unconfined_t self:capability2 mac_admin;
> >
> > I don't think you should be overloading CAP_MAC_ADMIN in this manner.
> > The ability to set IMA attributes is not equivalent to the ability to
> > administer Smack, nor to get/set raw on-disk attributes in SELinux.
> >
> > We only allow mac_admin in policy to a specialized domain for e.g.
> > livecd creation. Normal admin of SELinux is handled through its
> > existing fine-grained permission checks without any dependency on
> > CAP_MAC_ADMIN.
>
> With CAP_SYS_ADMIN, root is able to write xattrs, but restorecond is
> still having problems:
>
> type=1400 audit(1280268030.225:709): avc: denied { sys_admin } for
> pid=1004 comm="restorecon" capability=21
> scontext=system_u:system_r:setfiles_t:s0
> tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
>
> Mimi
Why would restorecon/setfiles be setting the IMA attributes?
Did you modify the application to do this?
Or is this happening within the kernel automatically whenever the
SELinux attribute is changed? If the latter, then you shouldn't be
applying a check against the current process' credentials for such
changes - you should override credentials around the kernel-internal
operation.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
