[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] ls - colorize files with capabilities
|
From: |
Kamil Dudka |
|
Subject: |
Re: [PATCH] ls - colorize files with capabilities |
|
Date: |
Wed, 30 Jul 2008 11:31:11 +0200 |
|
User-agent: |
KMail/1.9.9 |
On Friday 25 July 2008 12:40:25 you wrote:
> On what type of system did the new test succeed for you?
> On rawhide, capget appears to malfunction:
>
> # rm t;>t;strace -e capget setcap cap_net_bind_service=ep t 2>&1|cut
> -c-78 capget(0x20071026, 0, NULL) = -1 EFAULT (Bad address)
> capget(0x20071026, 0,
> {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWN capget(0x20071026,
> 0, NULL) = -1 EFAULT (Bad address) Failed to set capabilities
> on file `t' (Operation not permitted) usage: setcap [-q] (-r|-|<caps>)
> <filename> [ ... (-r|-|<capsN>) <filenameN> ]
>
> Note <filename> must be a regular (non-symlink) file.
>
> Considering the test doesn't pass anywhere I've tried, I'm in
> no hurry to apply it.
I have not my own rawhide testing machine, but it is disabled even on F-9. It
helped to me allow it manually (using audit2allow):
# echo "module local 1.0;
require {
type unconfined_t;
class capability setfcap;
}
allow unconfined_t self:capability setfcap;
" > local.te
# checkmodule -M -m -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp
This is easy way to enable setting of file capabilities on SELinux, but it is
still disabled by default. So I think the best solution is to skip the test
if setcap fails (as it was in my 1st version of test), because this is not
failure of ls.
Kamil