
Re: ima-appraisal: CAP_MAC_ADMIN w/SELinux

From: Mimi Zohar <zohar_at_nospam>
Date: Tue Jul 27 2010 - 22:08:18 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>

On Tue, 2010-07-27 at 09:04 -0400, Stephen Smalley wrote:
> On Tue, 2010-07-27 at 08:28 -0400, Mimi Zohar wrote:
> > I'm seeing some interesting behavior in ima_inode_setxattr() with an
> > SELinux targeted policy enabled. Unlike the definition for
> > CAP_SYS_ADMIN, CAP_MAC_ADMIN does not permit root to write extended
> > attributes. (Without SELinux enabled, root can write 'security.ima'.)
> > Is this the intended behavior?
> >
> > Without this permission, restorecond is also unable to write extended
> > attributes.
> >
> > kernel: type=1400 audit(1279830569.844:4): avc: denied { mac_admin }
> > for pid=447 comm="restorecon" capability=33
> > scontext=system_u:system_r:setfiles_t:s0
> > tcontext=system_u:system_r:setfiles_t:s0 tclass=capability2
> >
> > /*
> >  * ima_protect_xattr - protect 'security.ima'
> >  *
> >  * Ensure that not just anyone can modify or remove 'security.ima'.
> >  */
> > int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
> >                       const void *xattr_value, size_t xattr_value_len)
> > {
> >         if ((strcmp(xattr_name, XATTR_NAME_IMA) == 0)
> >             && !capable(CAP_MAC_ADMIN))
> >                 return -EPERM;
> >         return 0;
> > }
> >
> > Adding the following rules permits root and restorecond to write
> > 'security.ima'.
> >
> > module local-cap 1.0;
> >
> > require {
> >         type setfiles_t;
> >         type unconfined_t;
> >         class capability2 mac_admin;
> > }
> >
> > #============= setfiles_t ==============
> > allow setfiles_t self:capability2 mac_admin;
> > allow unconfined_t self:capability2 mac_admin;
>
> I don't think you should be overloading CAP_MAC_ADMIN in this manner.
> The ability to set IMA attributes is not equivalent to the ability to
> administer Smack, nor to get/set raw on-disk attributes in SELinux.
>
> We only allow mac_admin in policy to a specialized domain for e.g.
> livecd creation. Normal admin of SELinux is handled through its
> existing fine-grained permission checks without any dependency on
> CAP_MAC_ADMIN.

With CAP_SYS_ADMIN, root is able to write xattrs, but restorecond is
still having problems:

type=1400 audit(1280268030.225:709): avc: denied { sys_admin } for
pid=1004 comm="restorecon" capability=21
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=capability

Mimi
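As an added example (not from this thread), a small parser that turns AVC denial records like the two quoted above into the allow rule that would satisfy them, and checks that the capability number in the record belongs to the SELinux class it was denied in (capability for 0-31, capability2 for 32 and up). The sample lines are the thread's two denials, joined back onto single lines.

```python
import re

# Sample AVC denials, constructed from the two records quoted in this
# thread (joined back onto single lines).
SAMPLE_AVC = [
    'type=1400 audit(1279830569.844:4): avc: denied { mac_admin } for pid=447 '
    'comm="restorecon" capability=33 scontext=system_u:system_r:setfiles_t:s0 '
    'tcontext=system_u:system_r:setfiles_t:s0 tclass=capability2',
    'type=1400 audit(1280268030.225:709): avc: denied { sys_admin } for pid=1004 '
    'comm="restorecon" capability=21 scontext=system_u:system_r:setfiles_t:s0 '
    'tcontext=system_u:system_r:setfiles_t:s0 tclass=capability',
]

# Linux capability numbers (capability.h); caps 0-31 are checked in the
# SELinux class "capability", 32 and above in "capability2".
CAP_NAMES = {21: "CAP_SYS_ADMIN", 33: "CAP_MAC_ADMIN"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Type field (third component) of an SELinux context such as u:r:t:s0."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line; returns None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    cap = re.search(r'\bcapability=(\d+)', line)
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "capability": int(cap.group(1)) if cap else None,
    }

def allow_rule(d):
    """Render the allow rule that would satisfy the denial (audit2allow style)."""
    target = "self" if d["stype"] == d["ttype"] else d["ttype"]
    return "allow %s %s:%s %s;" % (d["stype"], target, d["tclass"], " ".join(d["perms"]))

def cap_class_consistent(d):
    """True if the record's capability number belongs to the class it was denied in."""
    if d["capability"] is None:
        return True
    return d["tclass"] == ("capability" if d["capability"] < 32 else "capability2")
```

The generated rule is only a starting point for review: as the reply above argues, granting mac_admin to setfiles_t or unconfined_t hands out far more than the ability to set 'security.ima', so the right fix is in the capability the kernel check requires, not in policy.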
