Re: Why "id -Z" get the current process security context but says "of the current user" in help?

From: Pádraig Brady
Subject: Re: Why "id -Z" get the current process security context but says "of the current user" in help?
Date: Thu, 16 Jan 2014 02:16:28 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2
On 01/16/2014 01:50 AM, Yang Chengwei wrote:
> Hi List,
>
> I found that both id manpage and its help info says something about
> security context like:
>
> -Z, --context print only the security context of the current user\n\
>
> As it says, it gets the security context of *the current user*. However,
> I found in its source code that it is implemented in a way that gets *the
> current process* security context, in both the SELinux and the SMACK way.
>
> As I understand it, *the current process* whenever "id -Z" is executed is
> the id process, and its security context doesn't equal *the current user*
> security context. Right?
>
> So far I haven't worked with SELinux a lot, but I have some SMACK
> experience, so currently "id -Z" in a SMACK environment *only* works if *id*
> doesn't itself have a SMACK64EXEC label; in that case *id* will inherit the shell
> security context, so the security context of *the current process* is
> the same as the security context of *the current user*. Otherwise, it will
> surprise users, like me.
There was a large change to SELinux handling recently,
but this functionality or --help output didn't change.
You're right that this just prints the context for
the id _process_, and also one can specify a particular user:
$ id -u $USER -Z
id: cannot print security context when user specified
So I suppose we might change the --help docs etc. to say
_process_ rather than _user_. Is SMACK64EXEC a common
label to have set on the id executable? Jarkko, I don't suppose
there is any way to avoid that?
thanks,
Pádraig.
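To make the distinction in this thread concrete, here is an added example (not coreutils code and not part of the original thread) that reads the same string `id -Z` reports, the LSM context of the *process*, from `/proc/self/attr/current`, tells an SELinux context apart from a SMACK label, and splits the SELinux form into its fields. The sample contexts are constructed; the SELinux-vs-SMACK classification is a heuristic on the string shape, and the function names are the example's own.

```python
"""Read and interpret the security context that `id -Z` reports.

Added example, not coreutils code. On Linux, libselinux getcon() and
libsmack smack_new_label_from_self() both read /proc/self/attr/current,
so that file holds the context of the *process*, which is what `id -Z`
prints. A binary carrying a SMACK64EXEC label (or an SELinux domain
transition) therefore runs with a context different from the shell that
started it, and `id -Z` shows that context, not the login user's.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    mls_range: Optional[str]  # MLS/MCS range; absent on non-MLS policies


def parse_selinux_context(ctx: str) -> SELinuxContext:
    """Split "user:role:type[:range]" into its fields.

    The MLS range may itself contain colons (e.g. "s0-s0:c0.c1023"), so
    only the first three colons separate fields; the rest is the range.
    """
    parts = ctx.strip("\n\0").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {ctx!r}")
    rng = parts[3] if len(parts) == 4 else None
    return SELinuxContext(parts[0], parts[1], parts[2], rng)


def classify_context(raw: str) -> str:
    """Return "selinux", "smack" or "none" for a /proc/<pid>/attr/current string.

    Heuristic (an assumption of this example): an SELinux context always
    has at least user:role:type, so two or more colons; a SMACK label is a
    single token without colons. An empty string means no LSM is exporting
    a context for the process.
    """
    s = raw.strip("\n\0")
    if not s:
        return "none"
    if s.count(":") >= 2:
        return "selinux"
    return "smack"


def current_process_context(pid: str = "self") -> Optional[str]:
    """Return the LSM context of a process, or None when unavailable.

    Fails soft: no LSM enabled, /proc not mounted, or permission denied
    all yield None rather than an exception.
    """
    path = f"/proc/{pid}/attr/current"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return data.rstrip(b"\0\n").decode("utf-8", "replace") or None


def describe(raw: str) -> dict:
    """Summarise a context string, e.g. for an audit log line."""
    kind = classify_context(raw)
    out = {"lsm": kind, "raw": raw.strip("\n\0")}
    if kind == "selinux":
        c = parse_selinux_context(raw)
        out.update(user=c.user, role=c.role, type=c.type, mls_range=c.mls_range)
    elif kind == "smack":
        out["label"] = raw.strip("\n\0")
    return out


# Constructed sample contexts: the forms one would see in
# /proc/self/attr/current on an SELinux and on a SMACK system respectively.
SAMPLE_SELINUX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n"
SAMPLE_SMACK = "User\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SELINUX, SAMPLE_SMACK):
        print(describe(sample))
    live = current_process_context()
    print("this process:", describe(live) if live else "no LSM context available")
```

Run on a SMACK system, `describe(current_process_context())` for the Python process shows exactly the effect the thread describes: if the interpreter binary carried a SMACK64EXEC label, the label printed would be the binary's, not the shell's.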