On 12/14/2015 01:31 PM, Stephen Smalley wrote:
On 12/14/2015 01:27 PM, Roberts, William C wrote:


-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Monday, December 14, 2015 9:18 AM
To: Roberts, William C <[email protected]>; seandroid-[email protected]
Subject: Re: mac_override: What does ignore mean?

On 12/14/2015 11:57 AM, Roberts, William C wrote:
According to:
http://selinuxproject.org/page/ObjectClassesPerms#capability2,
mac_override is ignored. What does that actually mean? Is it always
denied (my guess) or always allowed?

It is never checked by SELinux, only by Smack.


What does that entail exactly? The messages printed to dmesg are "avc
denied". Do the "is capable" checks
call into SELinux, and is EPERM always returned?

I ask this in the context of an out of tree driver that is currently
and incorrectly coded with a capable(MAC_OVERRIDE) check.

No, the logic performed by the capable hook is not specific to any
capability; it just checks whether that permission bit is set in the
corresponding access vector.  So you can allow it in policy and it
should be fine.  But it is wrong for the driver to be using that
capability...

Oh, we neverallow that in domain.te since it implies a bug.
# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

So you need to fix the driver.
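
The generic access-vector check Stephen describes above, as an added example that is not part of this thread and not SELinux's own code: a constructed user-space model in C of how the capable hook decides a capable() call, and of what the neverallow in domain.te would catch. The domain names, the sample policies and the functions cred_has_capability, cap_to_class, cap_to_mask and count_mac_override_violations are this example's own assumptions; the kernel's real check is cred_has_capability() in security/selinux/hooks.c, which splits capabilities between the capability and capability2 classes with the CAP_TO_INDEX()/CAP_TO_MASK() macros.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model of the SELinux capable hook discussed in the
 * thread. It is NOT kernel code: the real check is cred_has_capability() in
 * security/selinux/hooks.c, and the real class split uses the kernel's
 * CAP_TO_INDEX()/CAP_TO_MASK() macros. Names below are this example's own.
 */

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN    21
#define CAP_MAC_OVERRIDE 32
#define CAP_MAC_ADMIN    33

/* Capabilities 0..31 map to class "capability", 32..63 to "capability2";
 * each class's access vector carries one permission bit per capability. */
enum sec_class { SECCLASS_CAPABILITY = 0, SECCLASS_CAPABILITY2 = 1 };

static enum sec_class cap_to_class(int cap)
{
    return (cap >> 5) == 0 ? SECCLASS_CAPABILITY : SECCLASS_CAPABILITY2;
}

static uint32_t cap_to_mask(int cap)
{
    return (uint32_t)1u << (cap & 31);
}

/* Toy representation of what policy allows a domain on its own (self)
 * capability and capability2 objects. */
struct domain_policy {
    const char *name;
    uint32_t capability_av;  /* allowed bits in class capability  */
    uint32_t capability2_av; /* allowed bits in class capability2 */
};

/*
 * Model of the hook: there is no per-capability special case. The decision
 * is purely "is the permission bit for this capability set in the matching
 * access vector?". Returns 0 if allowed, -EPERM otherwise, and logs a
 * denial line in roughly the shape seen in dmesg (constructed format).
 */
static int cred_has_capability(const struct domain_policy *d, int cap)
{
    enum sec_class cls = cap_to_class(cap);
    uint32_t av = (cls == SECCLASS_CAPABILITY) ? d->capability_av
                                               : d->capability2_av;

    if (av & cap_to_mask(cap))
        return 0;

    printf("avc: denied { capability %d } for scontext=%s tclass=%s\n",
           cap, d->name,
           cls == SECCLASS_CAPABILITY ? "capability" : "capability2");
    return -EPERM;
}

/*
 * Model of the build-time check behind
 *     neverallow domain self:capability2 mac_override;
 * Returns how many domains would violate it, i.e. how many have the
 * mac_override bit set in their capability2 access vector.
 */
static int count_mac_override_violations(const struct domain_policy *doms,
                                         size_t n)
{
    int violations = 0;
    for (size_t i = 0; i < n; i++)
        if (doms[i].capability2_av & cap_to_mask(CAP_MAC_OVERRIDE))
            violations++;
    return violations;
}

/* Constructed sample domains (not from any real policy). The second one is
 * what you would have to write to satisfy a driver that calls
 * capable(CAP_MAC_OVERRIDE), and it is exactly what the neverallow rejects. */
static const struct domain_policy sample_domains[] = {
    { "untrusted_app",       0,                  0 },
    { "buggy_driver_client", 0,                  1u << (CAP_MAC_OVERRIDE & 31) },
    { "system_server",       1u << CAP_SYS_ADMIN, 0 },
};
#define NUM_SAMPLE_DOMAINS (sizeof(sample_domains) / sizeof(sample_domains[0]))

int main(void)
{
    int rc = cred_has_capability(&sample_domains[0], CAP_MAC_OVERRIDE);
    printf("untrusted_app mac_override -> %d\n", rc);
    rc = cred_has_capability(&sample_domains[1], CAP_MAC_OVERRIDE);
    printf("buggy_driver_client mac_override -> %d\n", rc);
    printf("neverallow violations: %d\n",
           count_mac_override_violations(sample_domains, NUM_SAMPLE_DOMAINS));
    return 0;
}
```

Build with `cc -Wall -o capmodel capmodel.c && ./capmodel`. The point of the model is the one Stephen makes: an allow rule for mac_override would make the hook return 0 for that domain, because the hook only tests a bit, but such a rule is precisely what the neverallow refuses at policy build time, so the fix belongs in the driver rather than in policy.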

