> >> On 12/14/2015 11:57 AM, Roberts, William C wrote:
> >>> According to:
> >>> http://selinuxproject.org/page/ObjectClassesPerms#capability2,
> >>> mac_override is ignored. What does that actually mean? Is it always
> >>> denied (my guess) or always allowed?
> >>
> >> It is never checked by SELinux, only by Smack.
> >>
> >
> > What does that entail exactly? The messages printed to dmesg are "avc
> > denied". Does the "is capable" checks call into SE Linux and EPERM is
> > always returned?
> >
> > I ask this in the context of an out of tree driver that is currently and
> > incorrectly coded with a capable(MAC_OVERRIDE) check.
>
> No, the logic performed by the capable hook is not specific to any
> capability; it just checks whether that permission bit is set in the
> corresponding access vector. So you can allow it in policy and it should
> be fine. But it is wrong for the driver to be using that capability...

That's what I thought based on looking at the code. I advised the driver team that they should be doing some other type of is_capable() check, likely SYS_ADMIN for their needs.

Thanks, I just wanted to confirm.
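
A user-space model of the check described in the quoted reply, added here as an example; it is not code from the thread or from the kernel source. It shows that the lookup is generic: the capability number selects a class and a bit, and only the policy's access vector decides the outcome. `struct domain_policy`, `model_capable` and the three policies are hypothetical and constructed; the capability numbers and the index/mask split follow `<linux/capability.h>`.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN     21
#define CAP_MAC_OVERRIDE  32

/* 32 capabilities fit in one 32-bit access vector, so the number splits
 * into a class index and a bit within that class. */
#define CAP_TO_INDEX(x)  ((x) >> 5)
#define CAP_TO_MASK(x)   (1u << ((x) & 31))

enum sclass { CLASS_CAPABILITY = 0, CLASS_CAPABILITY2 = 1 };

/* Hypothetical stand-in for loaded policy: the permission bits one domain
 * is allowed in each of the two capability classes. */
struct domain_policy {
    uint32_t allowed[2];
};

/* Model of the hook logic: no capability is special-cased, the only
 * question is whether its bit is set. Returns 0 if allowed, -1 if denied. */
int model_capable(const struct domain_policy *p, int cap)
{
    if (cap < 0 || CAP_TO_INDEX(cap) > CLASS_CAPABILITY2)
        return -1; /* not covered by either class */
    return (p->allowed[CAP_TO_INDEX(cap)] & CAP_TO_MASK(cap)) ? 0 : -1;
}

/* Constructed policies: no capability rules, a rule allowing mac_override
 * in capability2, and a rule allowing sys_admin in capability. */
const struct domain_policy no_rule           = { { 0, 0 } };
const struct domain_policy with_mac_override = { { 0, CAP_TO_MASK(CAP_MAC_OVERRIDE) } };
const struct domain_policy with_sys_admin    = { { CAP_TO_MASK(CAP_SYS_ADMIN), 0 } };

int main(void)
{
    printf("mac_override -> class index %d, mask 0x%x\n",
           CAP_TO_INDEX(CAP_MAC_OVERRIDE), CAP_TO_MASK(CAP_MAC_OVERRIDE));
    printf("no rule:            %d\n", model_capable(&no_rule, CAP_MAC_OVERRIDE));
    printf("mac_override rule:  %d\n", model_capable(&with_mac_override, CAP_MAC_OVERRIDE));
    printf("sys_admin rule:     %d\n", model_capable(&with_sys_admin, CAP_SYS_ADMIN));
    return 0;
}
```

The driver's check fails with an "avc denied" message only in the first case, where the domain has no matching bit; switching the driver to a SYS_ADMIN check moves the lookup to the other class and a different bit.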
