coreutils

Re: [PATCH 1/6] id: correct document about its security context option


From: Yang Chengwei
Subject: Re: [PATCH 1/6] id: correct document about its security context option
Date: Fri, 17 Jan 2014 08:12:45 +0800
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Jan 16, 2014 at 12:17:56PM +0000, Pádraig Brady wrote:
> On 01/16/2014 04:44 AM, Chengwei Yang wrote:
> > In both SELinux and SMACK environments, 'id -Z' reports the security
> > context of the current process, the id process, rather than the security
> > context of the current user.
> > ---
> >  doc/coreutils.texi |    2 +-
> >  src/id.c           |    2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/doc/coreutils.texi b/doc/coreutils.texi
> > index 9a19cfa..6b7194a 100644
> > --- a/doc/coreutils.texi
> > +++ b/doc/coreutils.texi
> > @@ -14564,7 +14564,7 @@ Print only the user ID.
> >  @cindex SELinux
> >  @cindex security context
> >  Print only the security context of the current user.
> 
> I'll change the above mention of "current user"
> to also mention 'process'.

Oh, yes, thank you.

> 
> Some examples for my own reference:
> 
> $ id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> $ ps -ocontext= -p $$
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> $ runcon 'root:object_r:tmp_t:s0' id -Z
> root:object_r:tmp_t:s0
> 
> > -If SELinux is disabled then print a warning and
> > +If both SELinux and SMACK are disabled then print a warning and
> >  set the exit status to 1.
> >  
> >  @item -z
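Review bot: the context line `Print only the security context of the current user.` at the top of this hunk still says "current user", while the commit message states that what is printed is the context of the id process; that sentence should be changed in the same hunk (e.g. "Print only the security context of the process (the id process itself)") so the texinfo text agrees with the new `+If both SELinux and SMACK are disabled` wording below it. Since the documented text now names SMACK, an `@cindex SMACK` entry beside `@cindex SELinux` would also let readers find it in the index.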
> > diff --git a/src/id.c b/src/id.c
> > index 803c360c..1007eb2 100644
> > --- a/src/id.c
> > +++ b/src/id.c
> > @@ -89,7 +89,7 @@ or (when USER omitted) for the current user.\n\
> >               stdout);
> >        fputs (_("\
> >    -a             ignore, for compatibility with other versions\n\
> > -  -Z, --context  print only the security context of the current user\n\
> > +  -Z, --context  print only the security context of the current process\n\
> 
> So this is a little ambiguous. In the SMACK64EXEC edge case,
> is the current process referring to the id process or the
> process it's being run from?

id currently reads the SMACK label from /proc/self/attr/current; this is
always its own SMACK label, so the current process is the *id* process.

If the id binary has a SMACK64EXEC label, then its SMACK label overwrites
the label inherited from its parent, which in most cases is the shell.

The simple answer is that *the current process* is *the id process*,
regardless of whether it has a SMACK64EXEC label.

> 
>   -Z, --context  print only the security context inherited by the process

So that's incorrect for a SMACK environment: if it has SMACK64EXEC, then
the inherited label is overwritten by its own SMACK64EXEC label.

--
Thanks,
Chengwei

> 
> >    -g, --group    print only the effective group ID\n\
> >    -G, --groups   print all group IDs\n\
> >    -n, --name     print a name instead of a number, for -ugG\n\
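Review bot: the new help line `+  -Z, --context  print only the security context of the current process\n\` leaves "current process" open to the two readings raised in this thread (the id process itself, or the shell it is run from), and with a SMACK64EXEC label on the id binary those two differ. The one-line --help text has no room for that caveat, so consider keeping it short and recording in doc/coreutils.texi that the value is read from the id process's own /proc/self/attr/current and can differ from the parent's label when the id binary carries SMACK64EXEC. Note also that this string sits inside `_("...")`, so any rewording here needs the translations updated as well.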
> 
> thanks,
> Pádraig.
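To make the "which process" question concrete, here is an added Python sketch that is not coreutils' code: it does what the thread says id does, reading its own /proc/self/attr/current and reporting it like `id -Z`, warning with exit status 1 when neither SELinux nor SMACK supplies a value, and additionally reading the parent's attribute so the two labels can be compared (that comparison, the warning text and the sample contexts are constructed for this example; reading another process's attribute needs permission and is not something id itself does).

```python
import os
import sys

# Constructed sample values (not captured from any real system) used only
# to exercise the pure functions below; real values come from
# /proc/<pid>/attr/current.
SAMPLE_SELINUX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SAMPLE_SMACK = "ExampleLabel"   # hypothetical SMACK label


def read_attr_current(pid="self"):
    """Return the value of /proc/<pid>/attr/current for a process, or None
    when no LSM supplies one (attribute missing, empty, or unreadable).
    With pid="self" this is the *reading* process's own context, which is
    exactly why `id -Z` reports the id process rather than its parent."""
    path = f"/proc/{pid}/attr/current"
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return None
    ctx = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    return ctx or None


def classify_context(ctx):
    """Describe the format of a context string.  An SELinux context is
    'user:role:type[:range]'; a SMACK label is a single opaque string with
    no such colon-separated structure."""
    parts = ctx.split(":")
    if len(parts) >= 3:
        return {
            "lsm": "selinux",
            "user": parts[0],
            "role": parts[1],
            "type": parts[2],
            "range": ":".join(parts[3:]) or None,
        }
    return {"lsm": "smack", "label": ctx}


def id_Z(reader=read_attr_current):
    """Mimic `id -Z`: print this process's own context, or print a warning
    and return exit status 1 when neither SELinux nor SMACK provides one.
    The reader is injectable so the behaviour can be tested without an LSM."""
    ctx = reader("self")
    if ctx is None:
        # Constructed message; not coreutils' wording.
        print("id: no security context available (SELinux and SMACK disabled)",
              file=sys.stderr)
        return 1
    print(ctx)
    return 0


def self_and_parent_context(reader=read_attr_current):
    """Return (own context, parent's context).  Under SMACK these differ
    when this binary carries a SMACK64EXEC label, since that label replaces
    the one inherited from the parent; under SELinux they differ after a
    domain transition (compare the runcon example in the thread)."""
    return reader("self"), reader(os.getppid())


if __name__ == "__main__":
    own, parent = self_and_parent_context()
    print(f"own context:    {own}")
    print(f"parent context: {parent}")
    sys.exit(id_Z())
```

Run it from a shell on an SELinux or SMACK system and the "own context" line is what `id -Z` would print for this process; on a kernel without either LSM the attribute is absent and the script exits with status 1, matching the documented behaviour.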
