selinux + livecd-creator, May 20, 2008
sds at tycho.nsa.gov
Tue May 20 20:08:41 UTC 2008
On Tue, 2008-05-20 at 15:52 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > > ***restorecon:
> > > do we have an interface to see what is actually in security.xattr?
> > No - because we don't have separate interfaces for getting/setting MAC
> > labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> > a first class construct and xattrs are just a storage mechanism that may
> > or may not be used by the MAC module).
> > We had talked about the possibility of allowing processes with
> > CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> > contexts thread on selinux list. But see my comments there.
> In particular, see:
> It is possible, but we have to figure out how we want to handle it; we
> don't want every getxattr call to trigger a full capable() check along
> with auditing.
Patch below is un-tested and may eat your brain. But might be worth
trying out. If it helps, I can take it up on selinux list.
Return the raw context value for getxattr if the caller has
CAP_MAC_ADMIN and mac_admin in policy. Use non-auditing forms of the
permission checks as getxattr may be called by unprivileged processes
commonly and lack of permission just means that we fall back to the
in-core context value, not a denial.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4be1563..fe4f9ad 100644
@@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
char *context = NULL;
+ struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec = inode->i_security;
if (strcmp(name, XATTR_SELINUX_SUFFIX))
- error = security_sid_to_context(isec->sid, &context, &size);
+ error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+ if (!error)
+ error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+ if (!error)
+ error = security_sid_to_context_force(isec->sid, &context,
+ error = security_sid_to_context(isec->sid, &context, &size);
error = size;
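Review bot: the fallback lookup is not visibly guarded: the `+ error = security_sid_to_context_force(isec->sid, &context,` line is cut off mid-argument list in this archive copy, and no `else` appears before the unchanged `error = security_sid_to_context(isec->sid, &context, &size);` line, so as shown the in-core lookup runs even after the forced lookup succeeded, overwriting `context` (leaking the first allocation) and discarding the raw value the change is meant to return. Please confirm the real hunk places the plain `security_sid_to_context()` call in an `else` branch, and that `error = size;` is reached only when whichever lookup actually ran returned 0; a failed `capable()` or `avc_has_perm_noaudit()` result is meant to be overwritten by the fallback, but a failed forced lookup should still propagate. A one-line comment above the `secondary_ops->capable(current, CAP_MAC_ADMIN)` call saying why it is used instead of `capable()` (the changelog's "non-auditing forms" rationale) would also help readers of the hook later.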
National Security Agency