Open uudiin opened 5 days ago
It looks like `dac_override` is not working, or am I missing something?
`/sys/fs/selinux/disable` isn't a good example, as it won't work if a SELinux policy is loaded. In fact, I'm surprised it exists once the policy is loaded (@pcmoore?)

`secadm_t` has `dac_override` and `fowner`, so I wouldn't expect there to be any DAC issue here. You could do a basic check of your capability set, in case you don't have the capabilities you think you have:
```
$ grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
$ sudo grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
```
Probably worth pointing out that `dac_override` doesn't let a user without DAC privileges bypass DAC checks. It's for a privileged user (e.g. root) to use their root powers to bypass DAC checks. (SELinux always adds more restrictions on top of DAC, not allowing any overrides or bypasses of DAC by itself.)
@pebenito As you said, this general user `secadm` doesn't have the corresponding capability. I added the `cap_dac_override` capability for `secadm` via `pam_cap.so` from `libcap`, but this is only an inherited capability; how do I add an effective capability set for this user?
```
# cat /proc/5023/status | grep 'Cap'
CapInh: 0000000000000006
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
```
It's possible to add a capability set to all executables used by that user, as done below for `cat`; then general `secadm` users can read files that were originally unreadable through `cat`, such as `/etc/shadow`, but it doesn't seem like a good idea.

```
setcap cap_dac_override=ep /usr/bin/cat
```
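Added example, not code from the issue or from any of the commenters: a small shell script that decodes the `Cap*` lines of `/proc/<pid>/status` quoted above and checks whether a given capability is present in a given set. It uses the CapInh-only output posted above as constructed sample input; the capability bit numbers come from `<linux/capability.h>` (CAP_CHOWN=0, CAP_DAC_OVERRIDE=1, CAP_DAC_READ_SEARCH=2, CAP_FOWNER=3); the function names and the `SAMPLE_STATUS` variable are mine.

```shell
#!/usr/bin/env bash
# Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks from
# /proc/<pid>/status and test individual capability bits.
# Bit numbers are the CAP_* constants from <linux/capability.h>.
CAP_CHOWN=0
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2
CAP_FOWNER=3

# Constructed sample: the pam_cap result posted in the thread, where the
# capability was only inherited (CapInh) and never became effective (CapEff).
SAMPLE_STATUS='CapInh: 0000000000000006
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# cap_mask SET TEXT -> the hex mask of SET ("CapInh", "CapEff", ...) in TEXT
cap_mask() {
    printf '%s\n' "$2" | awk -v want="$1:" '$1 == want { print $2; exit }'
}

# cap_set_has HEXMASK CAPNUM -> prints 1 if bit CAPNUM is set in the mask, else 0
cap_set_has() {
    printf '%d\n' $(( (0x$1 >> $2) & 1 ))
}

# cap_name CAPNUM -> symbolic name for the low-numbered capabilities used here
cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;
        1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;
        3) echo CAP_FOWNER ;;
        *) echo "cap_$1" ;;
    esac
}

# list_caps HEXMASK -> space-separated names of every capability set in the mask
# (bits 0..40 cover the full 000001ffffffffff bounding set shown above)
list_caps() {
    local out="" n=0
    while [ "$n" -le 40 ]; do
        if [ "$(cap_set_has "$1" "$n")" -eq 1 ]; then
            out="$out $(cap_name "$n")"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "${out# }"
}

# effective_has TEXT CAPNUM -> 1 only if the capability is in CapEff, the set
# the kernel actually consults on a permission check. A bit that is only in
# CapInh does nothing by itself: across execve it becomes permitted only if the
# file's inheritable set also carries it, or if it is in the ambient set.
effective_has() {
    cap_set_has "$(cap_mask CapEff "$1")" "$2"
}

# report TEXT -> one line per set with the decoded capability names
report() {
    local set mask
    for set in CapInh CapPrm CapEff CapBnd CapAmb; do
        mask=$(cap_mask "$set" "$1")
        printf '%s %s: %s\n' "$set" "$mask" "$(list_caps "$mask")"
    done
}

report "$SAMPLE_STATUS"
```

Run against the posted sample, the script shows that `0000000000000006` is `CAP_DAC_OVERRIDE` plus `CAP_DAC_READ_SEARCH`, both only in CapInh, and that `effective_has` for `CAP_DAC_OVERRIDE` is 0, which is exactly why `cat` still fails the DAC check. An inheritable bit granted by `pam_cap.so` is only carried into a new process's permitted set when the executed file's inheritable set has the same bit (for example `setcap cap_dac_override=ei` on the specific binary, which is less broad than the `=ep` on `cat` shown above), or when the bit is raised into the ambient set (for example with `capsh --addamb=cap_dac_override`; recent libcap releases of `pam_cap` can also raise ambient capabilities, so check the `pam_cap` man page for the version in use).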
My goal is to share the management of security policies and SELinux-related operation permissions with the `secadm` user. I created a SELinux user named `secadm_u` and a normal user `secadm` with the following command:
Because under DAC, `secadm` is a general user, operations like `setenforce` fail, because the interface files under `/sys/fs/selinux` require write permission of the owner root; for example, the `disable` file can only be written by the owner root, and the newly created general user cannot pass the DAC check. Is there a more formal solution for this, or maybe it can only be solved by modifying the owner of `/sys/fs/selinux`?