I think I ran across the problem described in this thread:
http://www.redhat.com/archives/linux-audit/2006-May/msg00059.html

The process' effective capabilities are always being masked with the allowed vector of the avc decision (for self against the capability security class) in netlink's copy of the process capabilities (eff_cap). The allowed vector takes on a slightly different role when SELinux is not in enforcing mode - it starts to track used-but-not-normally-permitted actions in the allowed vector. That is what is causing the first attempt to fail (the allowed vector has not been "inflated") and the following attempts to succeed (the vector has been inflated in response to its previous use).

Does my reasoning (and patch) seem to be on track?

This patch removes the masking of capabilities passed over netlink socket when SELinux is in enforcing mode.

Signed-off-by: Darrel Goeddel <[EMAIL PROTECTED]>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 21dad41..c7650bb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3599,7 +3599,8 @@ static int selinux_netlink_send(struct s avd.allowed = 0; avc_has_perm_noaudit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, ~0, &avd); - cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); + if (selinux_enforcing) + cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) err = selinux_nlmsg_perm(sk, skb);

--
Darrel

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
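Review bot: the patch description does not match the hunk: it says the masking is removed "when SELinux is in enforcing mode", but the change wraps cap_mask() in `if (selinux_enforcing)`, so eff_cap is still masked in enforcing mode and is left unmasked only in permissive mode; reword the description to say the masking is skipped when SELinux is not enforcing. In the same hunk, `avd.allowed = 0;` and the avc_has_perm_noaudit() lookup requesting ~0 still run unconditionally even though avd.allowed is now consumed only inside the new if; given the cover text's point that a permissive-mode lookup is what inflates the cached allowed vector, consider moving the whole sequence under the if, e.g. `if (selinux_enforcing) { avd.allowed = 0; avc_has_perm_noaudit(...); cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); }`, and add a one-line comment stating why the masking is enforcing-only so the next reader does not have to rediscover the permissive-mode behaviour.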
