Eric Paris wrote:
On Tue, 2007-04-17 at 13:40 -0500, Trevor S Highland wrote:
I am trying to open /selinux/avc/cache_threshold for writing as root
with the staff_r role. The open succeeds. When I attempt to write to
the file, the write succeeds if I write the value that is currently in
the file. If I write any other value write returns EPERM. From my
understanding staff_r should not have write access
to /selinux/avc/cache_threshold. If this is the case, can anyone
explain why the open succeeds.
Thank you,
Trevor
Well the implementation sees this as 2 different operations. The open
is taken care of entirely by standard VFS securty hooks. AKA does your
shell (staff_r) have permission to open a system_u:object_r:security_t
file with write. Apparently policy says that it does and I see no
reason why that couldn't be 'fixed' thus solving your inquiry. Dan?
The second operation is actually setting the new value, in that case the
kernel code looks like:
if (new_value != avc_cache_threshold) {
ret = task_has_security(current, SECURITY__SETSECPARAM);
if (ret)
goto out_free;
avc_cache_threshold = new_value;
}
I could buy into switching the task_has_security() hook and the new/old
comparison so you don't have the inconsistancy if you don't make a
change and always get an EPERM but if you want the open to fail that's
not a kernel problem and is just a policy issue.
Checks in SELinux happen on read/write not on open.
-Eric
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
