Re: [PATCH] id: show SMACK security context

Jarkko Sakkinen
Thu, 29 Aug 2013 12:18:22 +0300
Hi Casey,

On 08/28/2013 03:21 AM, Pádraig Brady wrote:
On 04/22/2013 02:09 PM, Jarkko Sakkinen wrote:
On Mon, Apr 22, 2013, at 13:15, Pádraig Brady wrote:
On 04/17/2013 09:30 PM, Jarkko Sakkinen wrote:

diff --git a/src/id.c b/src/id.c

@@ -189,14 +199,17 @@ main (int argc, char **argv)
       and we're not in POSIXLY_CORRECT mode, get our context.  Otherwise,
       leave the context variable alone - it has been initialized to an
       invalid value that will be not displayed in print_full_info().  */
-  if (selinux_enabled
-      && n_ids == 0
+  if (n_ids == 0
        && (just_context
            || (default_format && ! getenv ("POSIXLY_CORRECT"))))
        /* Report failure only if --context (-Z) was explicitly requested.  */
-      if (getcon (&context) && just_context)
+      if (selinux_enabled && getcon (&context) && just_context)
+        error (EXIT_FAILURE, 0, _("can't get process context"));
+#ifdef HAVE_SMACK
+      else if (smack_enabled && smack_new_label_from_self ((char **) &context))
          error (EXIT_FAILURE, 0, _("can't get process context"));
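Review bot: The SMACK branch `else if (smack_enabled && smack_new_label_from_self ((char **) &context))` lacks the `&& just_context` test that the SELinux branch carries, so a failed label lookup would make a plain `id` exit with EXIT_FAILURE, contrary to the comment just above ("Report failure only if --context (-Z) was explicitly requested"). Suggest adding `&& just_context` to that condition. Note also that the `else if` is reached whenever the SELinux condition is false, including after a successful getcon(); if selinux_enabled and smack_enabled could ever both be true, the SMACK call would then overwrite the context already stored, so selecting the branch on which LSM is enabled, separately from the failure test, would be safer.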

So smack defers to SELinux.
In that case you probably don't want --with-smack above,
and instead auto detect smack availability.

Well, actually you couldn't have SELinux and SMACK active in the
kernel at the same time. The kernel can only have one LSM enabled at
a time (and you cannot switch or disable the LSM). So this essentially
detects which one is enabled in the kernel.

It seems like this will no longer be the case:

Looks like your LSM stacker has been progressing.

Do you have recommendations for how this should work
together with coreutils? For example, what should ls show
if we have both SELinux and SMACK enabled?



