selinux + livecd-creator, May 20, 2008

Stephen Smalley sds at tycho.nsa.gov
Tue May 20 20:08:41 UTC 2008


On Tue, 2008-05-20 at 15:52 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > > ***restorecon:
> > > do we have an interface to see what is actually in security.xattr?
> > 
> > No - because we don't have separate interfaces for getting/setting MAC
> > labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> > a first class construct and xattrs are just a storage mechanism that may
> > or may not be used by the MAC module).
> > 
> > We had talked about the possibility of allowing processes with
> > CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> > contexts thread on selinux list.  But see my comments there.
> 
> In particular, see:
> http://marc.info/?l=selinux&m=121016477203440&w=2
> http://marc.info/?l=selinux&m=121016814610025&w=2
> http://marc.info/?l=selinux&m=121017332919586&w=2
> 
> It is possible, but we have to figure out how we want to handle it; we
> don't want every getxattr call to trigger a full capable() check along
> with auditing.

Patch below is untested and may eat your brain.  But might be worth
trying out.  If it helps, I can take it up on selinux list.

Return the raw context value for getxattr if the caller has
CAP_MAC_ADMIN and mac_admin in policy.  Use non-auditing forms of the
permission checks as getxattr may be called by unprivileged processes
commonly and lack of permission just means that we fall back to the
in-core context value, not a denial.

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4be1563..fe4f9ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
 	u32 size;
 	int error;
 	char *context = NULL;
+	struct task_security_struct *tsec = current->security;
 	struct inode_security_struct *isec = inode->i_security;
 
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
-	error = security_sid_to_context(isec->sid, &context, &size);
+	error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+	if (!error)
+		error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+					     SECCLASS_CAPABILITY2,
+					     CAPABILITY2__MAC_ADMIN,
+					     0,
+					     NULL);
+	if (!error)
+		error = security_sid_to_context_force(isec->sid, &context,
+						      &size);
+	else
+		error = security_sid_to_context(isec->sid, &context, &size);
 	if (error)
 		return error;
 	error = size;
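Review bot: in the mac_admin gate the return value of secondary_ops->capable() and avc_has_perm_noaudit() is only used as a boolean, so any unexpected failure from those calls (not just "not permitted") silently selects the non-forced security_sid_to_context() path instead of being reported; keeping the permission outcome in its own variable, e.g. `int force = !secondary_ops->capable(current, CAP_MAC_ADMIN);`, and leaving `error` for the sid_to_context result would make the intent explicit. A short comment above the two checks saying why the secondary capable() and the _noaudit AVC form are used rather than the usual capable()/task_has_capability() would keep the no-audit rationale from the description visible in the code, and the description should note that security_sid_to_context_force() comes from the deferred contexts series linked earlier in the thread, since this hunk does not build without it.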

-- 
Stephen Smalley
National Security Agency
