
Re: [PATCH 1/6] id: correct document about its security context option


From: Pádraig Brady
Subject: Re: [PATCH 1/6] id: correct document about its security context option
Date: Fri, 17 Jan 2014 02:31:24 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 01/17/2014 12:12 AM, Yang Chengwei wrote:
> On Thu, Jan 16, 2014 at 12:17:56PM +0000, Pádraig Brady wrote:
>> On 01/16/2014 04:44 AM, Chengwei Yang wrote:
>>> In both SELinux and SMACK environments, 'id -Z' reports the security
>>> context of the current process, the id process, rather than the security
>>> context of the current user.
>>> ---
>>>  doc/coreutils.texi |    2 +-
>>>  src/id.c           |    2 +-
>>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/doc/coreutils.texi b/doc/coreutils.texi
>>> index 9a19cfa..6b7194a 100644
>>> --- a/doc/coreutils.texi
>>> +++ b/doc/coreutils.texi
>>> @@ -14564,7 +14564,7 @@ Print only the user ID.
>>>  @cindex SELinux
>>>  @cindex security context
>>>  Print only the security context of the current user.
>>
>> I'll change the above mention of "current user"
>> to also mention 'process'.
> 
> Oh, yes, thank you.
> 
>>
>> Some examples for my own reference:
>>
>> $ id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> $ ps -ocontext= -p $$
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> $ runcon 'root:object_r:tmp_t:s0' id -Z
>> root:object_r:tmp_t:s0
>>
>>> -If SELinux is disabled then print a warning and
>>> +If both SELinux and SMACK are disabled then print a warning and
>>>  set the exit status to 1.
>>>  
>>>  @item -z
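Review bot: the description line `Print only the security context of the current user.` is left unchanged in this hunk even though the commit message says the option reports the context of the id process, not the user; changing it to "current process" (or, less ambiguously, "the id process") here would match the id.c change in the same series. Since the new sentence now names SMACK alongside SELinux, a matching `@cindex SMACK` entry next to `@cindex SELinux` would keep the index consistent.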
>>> diff --git a/src/id.c b/src/id.c
>>> index 803c360c..1007eb2 100644
>>> --- a/src/id.c
>>> +++ b/src/id.c
>>> @@ -89,7 +89,7 @@ or (when USER omitted) for the current user.\n\
>>>               stdout);
>>>        fputs (_("\
>>>    -a             ignore, for compatibility with other versions\n\
>>> -  -Z, --context  print only the security context of the current user\n\
>>> +  -Z, --context  print only the security context of the current process\n\
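Review bot: "the current process" in the new `-Z, --context` help text is still ambiguous about whether it means id itself or the shell that invoked it, and the SMACK64EXEC case discussed in this thread is exactly where the two differ; spelling it out, e.g. `print only the security context of the id process itself`, would avoid the question.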
>>
>> So this is a little ambiguous. In the SMACK64EXEC edge case,
>> is the current process referring to the id process or the
>> process it's being run from?
> 
> id currently reads the SMACK label from /proc/self/attr/current; this is
> always its own SMACK label, so the current process is the *id* process.
> 
> If the id binary has a SMACK64EXEC label, then its SMACK label overwrites
> the label inherited from its parent, which in most cases is the shell.
> 
> The simple answer is that *the current process* is *the id process*,
> regardless of whether it has a SMACK64EXEC label.

Sure, I understand what's going on, but I meant users might not from that
description.

> 
>>
>>   -Z, --context  print only the security context inherited by the process
> 
> So that's incorrect for a SMACK environment: if it has SMACK64EXEC, then
> the inherited label is overwritten by its own SMACK64EXEC label.

So "the process" here could only mean the id process.
"inherited by" was meant to describe the vastly more common case,
and also not be incorrect in the case where the context is
"inherited from" the SMACK64EXEC label.

Anyway I'll clean this up in the morning and push.

thanks,
Pádraig.
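As an added example (not code from this thread or from coreutils) of the distinction being discussed: read the label of the running process the way id -Z does, compare it with the parent's, and report whether it was inherited or replaced. The sample contexts are the ones quoted above; the helper names and the "inherited/changed" classification are my own.

```python
"""Added example, not code from the coreutils thread or sources: reads the
label of this process the way id -Z does (/proc/self/attr/current), compares
it with the parent's, and reports whether it was inherited or replaced (by
runcon, a domain transition, or a SMACK64EXEC label on the binary).  Without
SELinux/SMACK it falls back to constructed sample values from the thread."""
import os
from typing import Optional

# Constructed sample labels (the values quoted in the thread).
SAMPLE_SHELL_CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SAMPLE_RUNCON_CTX = "root:object_r:tmp_t:s0"


def read_context(pid: str = "self") -> Optional[str]:
    """Return the label of PID as id -Z would, or None when no LSM exposes
    /proc/<pid>/attr/current (or /proc is absent)."""
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    label = raw.rstrip(b"\0\n").decode("ascii", "replace")
    return label or None


def parse_context(ctx: str) -> dict:
    """Split an SELinux context into user/role/type[/range]; anything with
    fewer than three colon-separated fields is a bare single label, which is
    what a SMACK label looks like."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return {"lsm": "smack", "label": ctx}
    return {"lsm": "selinux", **dict(zip(("user", "role", "type", "range"), parts))}


def label_origin(parent_ctx: Optional[str], own_ctx: Optional[str]) -> str:
    """Classify the label id -Z would print relative to the invoking process."""
    if own_ctx is None:
        return "none"        # neither SELinux nor SMACK is active
    if parent_ctx == own_ctx:
        return "inherited"   # the common case described in the thread
    return "changed"         # runcon, domain transition or SMACK64EXEC case


if __name__ == "__main__":
    own, parent = read_context("self"), read_context(str(os.getppid()))
    if own is None:          # no LSM here: show the thread's runcon example
        parent, own = SAMPLE_SHELL_CTX, SAMPLE_RUNCON_CTX
    print(own, parse_context(own), label_origin(parent, own))
```

Run it under `runcon` on an SELinux host and the classification flips from "inherited" to "changed", which is the behaviour the help text is trying to describe.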